modules/auxiliary/scanner/rsync/modules_list.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  RSYNC_HEADER = '@RSYNCD:'
  HANDLED_EXCEPTIONS = [
    Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused,
    ::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError
  ]

  def initialize
    super(
      'Name'        => 'List Rsync Modules',
      'Description' => %q(
        An rsync module is essentially a directory share.  These modules can
        optionally be protected by a password.  This module connects to and
        negotiates with an rsync server, lists the available modules and,
        optionally, determines if the module requires a password to access.
      ),
      'Author'      => [
        'ikkini', # original metasploit module
        'Jon Hart <jon_hart[at]rapid7.com>', # improved metasploit module
        'Nixawk' # improved metasploit module
      ],
      'References'  =>
        [
          ['URL', 'http://rsync.samba.org/ftp/rsync/rsync.html']
        ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptBool.new('TEST_AUTHENTICATION',
                    [ true, 'Test if the rsync module requires authentication', true ]),
        Opt::RPORT(873)
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SHOW_MOTD',
                    [ true, 'Show the rsync motd, if found', false ]),
        OptBool.new('SHOW_VERSION',
                    [ true, 'Show the rsync version', false ]),
        OptInt.new('READ_TIMEOUT', [ true, 'Seconds to wait while reading rsync responses', 2 ])
      ]
    )
  end

  def read_timeout
    datastore['READ_TIMEOUT']
  end

  def get_rsync_auth_status(rmodule)
    sock.puts("#{rmodule}\n")
    res = sock.get_once(-1, read_timeout)
    if res
      res.strip!
      if res =~ /^#{RSYNC_HEADER} AUTHREQD \S+$/
        'required'
      elsif res =~ /^#{RSYNC_HEADER} OK$/
        'not required'
      else
        vprint_error("unexpected response when connecting to #{rmodule}: #{res}")
        "unexpected response '#{res}'"
      end
    else
      vprint_error("no response when connecting to #{rmodule}")
      'no response'
    end
  end

  def rsync_list
    sock.puts("#list\n")

    modules_metadata = []
    # the module listing is the module name and comment separated by a tab, each module
    # on its own line, lines separated with a newline
    sock.get(read_timeout).split(/\n/).map(&:strip).map do |module_line|
      break if module_line =~ /^#{RSYNC_HEADER} EXIT$/
      name, comment = module_line.split(/\t/).map(&:strip)
      next unless name
      modules_metadata << { name: name, comment: comment }
    end

    modules_metadata
  end

  # Attempts to negotiate the rsync protocol with the endpoint.
  def rsync_negotiate
    # rsync is promiscuous and will send the negotitation and motd
    # upon connecting.  abort if we get nothing
    return unless (greeting = sock.get_once(-1, read_timeout))

    # parse the greeting control and data lines.  With some systems, the data
    # lines at this point will be the motd.
    greeting_control_lines, greeting_data_lines = rsync_parse_lines(greeting)

    # locate the rsync negotiation and complete it by just echo'ing
    # back the same rsync version that it sent us
    version = nil
    greeting_control_lines.map do |greeting_control_line|
      if /^#{RSYNC_HEADER} (?<version>\d+(\.\d+)?)$/ =~ greeting_control_line
        version = Regexp.last_match('version')
        sock.puts("#{RSYNC_HEADER} #{version}\n")
      end
    end

    unless version
      vprint_error("no rsync negotiation found")
      return
    end

    _, post_neg_data_lines = rsync_parse_lines(sock.get_once(-1, read_timeout))
    motd_lines = greeting_data_lines + post_neg_data_lines
    [ version, motd_lines.empty? ? nil : motd_lines.join("\n") ]
  end

  # parses the control and data lines from the provided response data
  def rsync_parse_lines(response_data)
    control_lines = []
    data_lines = []

    if response_data
      response_data.strip!
      response_data.split(/\n/).map do |line|
        if line =~ /^#{RSYNC_HEADER}/
          control_lines << line
        else
          data_lines << line
        end
      end
    end

    [ control_lines, data_lines ]
  end

  def run_host(ip)
    begin
      connect
      version, motd = rsync_negotiate
      unless version
        vprint_error("does not appear to be rsync")
        disconnect
        return
      end
    rescue *HANDLED_EXCEPTIONS => e
      vprint_error("error while connecting and negotiating: #{e}")
      disconnect
      return
    end

    info = "rsync protocol version #{version}"
    info += ", MOTD '#{motd}'" if motd
    report_service(
      host: ip,
      port: rport,
      proto: 'tcp',
      name: 'rsync',
      info: info
    )
    print_status("rsync version: #{version}") if datastore['SHOW_VERSION']
    print_status("rsync MOTD: #{motd}") if motd && datastore['SHOW_MOTD']

    modules_metadata = {}
    begin
      modules_metadata = rsync_list
    rescue *HANDLED_EXCEPTIONS => e
      vprint_error("Error while listing modules: #{e}")
      return
    ensure
      disconnect
    end

    if modules_metadata.empty?
      print_status("no rsync modules found")
    else
      modules = modules_metadata.map { |m| m[:name] }
      print_good("#{modules.size} rsync modules found: #{modules.join(', ')}")

      table_columns = %w(Name Comment)
      if datastore['TEST_AUTHENTICATION']
        table_columns << 'Authentication'
        modules_metadata.each do |module_metadata|
          begin
            connect
            rsync_negotiate
            module_metadata[:authentication] = get_rsync_auth_status(module_metadata[:name])
          rescue *HANDLED_EXCEPTIONS => e
            vprint_error("error while testing authentication on #{module_metadata[:name]}: #{e}")
            break
          ensure
            disconnect
          end
        end
      end

      # build a table to store the module listing in
      listing_table = Msf::Ui::Console::Table.new(
        Msf::Ui::Console::Table::Style::Default,
        'Header' => "rsync modules for #{peer}",
        'Columns' => table_columns,
        'Rows' => modules_metadata.map(&:values)
      )
      vprint_line(listing_table.to_s)

      report_note(
        host: ip,
        proto: 'tcp',
        port: rport,
        type: 'rsync_modules',
        data: { modules: modules_metadata }
      )
    end
  end

  def setup
    fail_with(Failure::BadConfig, 'READ_TIMEOUT must be > 0') if read_timeout <= 0
  end
end
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Auxiliary`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Scanner`
			`include Msf::Auxiliary::Report`

Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`RSYNC_HEADER = '@RSYNCD:'`
More correct exception handling 2015-11-06 12:25:27 -08:00			`HANDLED_EXCEPTIONS = [`
			`Rex::AddressInUse, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused,`
			`::Errno::ETIMEDOUT, ::Timeout::Error, ::EOFError`
			`]`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`def initialize`
			`super(`
Improve name and description; update authors 2015-11-04 08:42:29 -08:00			`'Name' => 'List Rsync Modules',`
			`'Description' => %q(`
			`An rsync module is essentially a directory share. These modules can`
			`optionally be protected by a password. This module connects to and`
			`negotiates with an rsync server, lists the available modules and,`
			`optionally, determines if the module requires a password to access.`
			`),`
			`'Author' => [`
			`'ikkini', # original metasploit module`
Credit Nixawk/all3g for some of the module review/improvements/ideas 2015-11-05 09:22:30 -08:00			`'Jon Hart <jon_hart[at]rapid7.com>', # improved metasploit module`
			`'Nixawk' # improved metasploit module`
Improve name and description; update authors 2015-11-04 08:42:29 -08:00			`],`
Add URL reference 2014-08-28 18:47:56 -05:00			`'References' =>`
			`[`
			`['URL', 'http://rsync.samba.org/ftp/rsync/rsync.html']`
			`],`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`'License' => MSF_LICENSE`
			`)`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`register_options(`
			`[`
Make testing the rsync module for authentication optional, 2015-11-04 08:25:38 -08:00			`OptBool.new('TEST_AUTHENTICATION',`
			`[ true, 'Test if the rsync module requires authentication', true ]),`
Clean rsync_modules_list 2014-08-28 18:40:55 -05:00			`Opt::RPORT(873)`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`]`
			`)`

			`register_advanced_options(`
			`[`
Make motd printing optional, off by default 2015-11-04 10:11:00 -08:00			`OptBool.new('SHOW_MOTD',`
			`[ true, 'Show the rsync motd, if found', false ]),`
More consistent printing 2015-11-06 10:03:06 -08:00			`OptBool.new('SHOW_VERSION',`
			`[ true, 'Show the rsync version', false ]),`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`OptInt.new('READ_TIMEOUT', [ true, 'Seconds to wait while reading rsync responses', 2 ])`
			`]`
			`)`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`end`

Handle rsync motd 2015-10-12 13:03:55 -07:00			`def read_timeout`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`datastore['READ_TIMEOUT']`
Handle rsync motd 2015-10-12 13:03:55 -07:00			`end`

Improve auth handling 2015-11-06 09:50:39 -08:00			`def get_rsync_auth_status(rmodule)`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`sock.puts("#{rmodule}\n")`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`res = sock.get_once(-1, read_timeout)`
Only mark rsync as req'ing auth true/false if we are sure, otherwise vprint and unknown 2015-11-05 09:20:02 -08:00			`if res`
Improve auth handling 2015-11-06 09:50:39 -08:00			`res.strip!`
			`if res =~ /^#{RSYNC_HEADER} AUTHREQD \S+$/`
Style cleanup of auth checking 2015-11-06 08:34:17 -08:00			`'required'`
Improve auth handling 2015-11-06 09:50:39 -08:00			`elsif res =~ /^#{RSYNC_HEADER} OK$/`
Style cleanup of auth checking 2015-11-06 08:34:17 -08:00			`'not required'`
Only mark rsync as req'ing auth true/false if we are sure, otherwise vprint and unknown 2015-11-05 09:20:02 -08:00			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("unexpected response when connecting to #{rmodule}: #{res}")`
Improve auth handling 2015-11-06 09:50:39 -08:00			`"unexpected response '#{res}'"`
Only mark rsync as req'ing auth true/false if we are sure, otherwise vprint and unknown 2015-11-05 09:20:02 -08:00			`end`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`else`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("no response when connecting to #{rmodule}")`
Style cleanup of auth checking 2015-11-06 08:34:17 -08:00			`'no response'`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`end`
			`end`

Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`def rsync_list`
			`sock.puts("#list\n")`

style 2015-11-04 09:11:07 -08:00			`modules_metadata = []`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`# the module listing is the module name and comment separated by a tab, each module`
			`# on its own line, lines separated with a newline`
Handle rsync motd 2015-10-12 13:03:55 -07:00			`sock.get(read_timeout).split(/\n/).map(&:strip).map do \|module_line\|`
break if we get the rsync exit 2015-11-04 09:12:02 -08:00			`break if module_line =~ /^#{RSYNC_HEADER} EXIT$/`
Not all modules have comments 2015-11-02 09:14:41 -08:00			`name, comment = module_line.split(/\t/).map(&:strip)`
More usable format for module metadata in notes 2015-11-04 08:47:37 -08:00			`next unless name`
style 2015-11-04 09:11:07 -08:00			`modules_metadata << { name: name, comment: comment }`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`end`
Handle rsync motd 2015-10-12 13:03:55 -07:00
style 2015-11-04 09:11:07 -08:00			`modules_metadata`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`end`

Don't wait for motd when testing for auth 2015-11-02 10:49:48 -08:00			`# Attempts to negotiate the rsync protocol with the endpoint.`
Remove optional motd handling; this is always necessary 2015-11-04 09:43:10 -08:00			`def rsync_negotiate`
More doc, error handling 2015-10-30 13:13:44 -07:00			`# rsync is promiscuous and will send the negotitation and motd`
			`# upon connecting. abort if we get nothing`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`return unless (greeting = sock.get_once(-1, read_timeout))`
Clean rsync_modules_list 2014-08-28 18:40:55 -05:00
Handle case where motd comes after negotiation 2015-11-02 09:12:57 -08:00			`# parse the greeting control and data lines. With some systems, the data`
			`# lines at this point will be the motd.`
			`greeting_control_lines, greeting_data_lines = rsync_parse_lines(greeting)`
Handle rsync motd 2015-10-12 13:03:55 -07:00
More doc, error handling 2015-10-30 13:13:44 -07:00			`# locate the rsync negotiation and complete it by just echo'ing`
			`# back the same rsync version that it sent us`
			`version = nil`
Handle case where motd comes after negotiation 2015-11-02 09:12:57 -08:00			`greeting_control_lines.map do \|greeting_control_line\|`
			`if /^#{RSYNC_HEADER} (?<version>\d+(\.\d+)?)$/ =~ greeting_control_line`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`version = Regexp.last_match('version')`
			`sock.puts("#{RSYNC_HEADER} #{version}\n")`
Handle rsync motd 2015-10-12 13:03:55 -07:00			`end`
			`end`

More doc, error handling 2015-10-30 13:13:44 -07:00			`unless version`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("no rsync negotiation found")`
More doc, error handling 2015-10-30 13:13:44 -07:00			`return`
			`end`

Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00			`_, post_neg_data_lines = rsync_parse_lines(sock.get_once(-1, read_timeout))`
Remove optional motd handling; this is always necessary 2015-11-04 09:43:10 -08:00			`motd_lines = greeting_data_lines + post_neg_data_lines`
Return nil when no motd lines 2015-11-02 09:18:10 -08:00			`[ version, motd_lines.empty? ? nil : motd_lines.join("\n") ]`
Handle case where motd comes after negotiation 2015-11-02 09:12:57 -08:00			`end`

			`# parses the control and data lines from the provided response data`
			`def rsync_parse_lines(response_data)`
			`control_lines = []`
			`data_lines = []`

			`if response_data`
			`response_data.strip!`
			`response_data.split(/\n/).map do \|line\|`
			`if line =~ /^#{RSYNC_HEADER}/`
			`control_lines << line`
			`else`
			`data_lines << line`
			`end`
			`end`
			`end`

			`[ control_lines, data_lines ]`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`end`

			`def run_host(ip)`
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`begin`
			`connect`
			`version, motd = rsync_negotiate`
			`unless version`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("does not appear to be rsync")`
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`disconnect`
			`return`
			`end`
More correct exception handling 2015-11-06 12:25:27 -08:00			`rescue *HANDLED_EXCEPTIONS => e`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("error while connecting and negotiating: #{e}")`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`disconnect`
			`return`
			`end`
return if no version response received 2014-10-19 00:29:36 +02:00
Handle rsync motd 2015-10-12 13:03:55 -07:00			`info = "rsync protocol version #{version}"`
			`info += ", MOTD '#{motd}'" if motd`
Better reporting 2015-10-12 10:56:21 -07:00			`report_service(`
Style cleanup for rsync modules_list 2015-10-12 09:05:01 -07:00			`host: ip,`
			`port: rport,`
Better reporting 2015-10-12 10:56:21 -07:00			`proto: 'tcp',`
			`name: 'rsync',`
Handle rsync motd 2015-10-12 13:03:55 -07:00			`info: info`
Clean rsync_modules_list 2014-08-28 18:40:55 -05:00			`)`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("rsync version: #{version}") if datastore['SHOW_VERSION']`
			`print_status("rsync MOTD: #{motd}") if motd && datastore['SHOW_MOTD']`
Clean rsync_modules_list 2014-08-28 18:40:55 -05:00
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`modules_metadata = {}`
			`begin`
			`modules_metadata = rsync_list`
More correct exception handling 2015-11-06 12:25:27 -08:00			`rescue *HANDLED_EXCEPTIONS => e`
Get some stragglers that had a different format 2016-02-01 16:21:10 -06:00			`vprint_error("Error while listing modules: #{e}")`
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`return`
			`ensure`
			`disconnect`
			`end`

style 2015-11-04 09:11:07 -08:00			`if modules_metadata.empty?`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_status("no rsync modules found")`
Usability improvements for rsync modules_list 2015-10-12 09:51:00 -07:00			`else`
style 2015-11-04 09:11:07 -08:00			`modules = modules_metadata.map { \|m\| m[:name] }`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`print_good("#{modules.size} rsync modules found: #{modules.join(', ')}")`
Make testing the rsync module for authentication optional, 2015-11-04 08:25:38 -08:00
			`table_columns = %w(Name Comment)`
			`if datastore['TEST_AUTHENTICATION']`
Improve auth handling 2015-11-06 09:50:39 -08:00			`table_columns << 'Authentication'`
style 2015-11-04 09:11:07 -08:00			`modules_metadata.each do \|module_metadata\|`
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`begin`
			`connect`
			`rsync_negotiate`
Improve auth handling 2015-11-06 09:50:39 -08:00			`module_metadata[:authentication] = get_rsync_auth_status(module_metadata[:name])`
More correct exception handling 2015-11-06 12:25:27 -08:00			`rescue *HANDLED_EXCEPTIONS => e`
Do the same for aux modules 2016-02-01 16:06:34 -06:00			`vprint_error("error while testing authentication on #{module_metadata[:name]}: #{e}")`
More correct exception handling 2015-11-06 12:25:27 -08:00			`break`
Handle errors more carefully 2015-11-06 09:44:05 -08:00			`ensure`
			`disconnect`
			`end`
Make testing the rsync module for authentication optional, 2015-11-04 08:25:38 -08:00			`end`
Detect if an rsync module requires authentication 2015-10-12 13:37:59 -07:00			`end`
Handle case where motd comes after negotiation 2015-11-02 09:12:57 -08:00
Usability improvements for rsync modules_list 2015-10-12 09:51:00 -07:00			`# build a table to store the module listing in`
			`listing_table = Msf::Ui::Console::Table.new(`
			`Msf::Ui::Console::Table::Style::Default,`
sprinkle in peer 2015-11-04 09:05:33 -08:00			`'Header' => "rsync modules for #{peer}",`
Make testing the rsync module for authentication optional, 2015-11-04 08:25:38 -08:00			`'Columns' => table_columns,`
style 2015-11-04 09:11:07 -08:00			`'Rows' => modules_metadata.map(&:values)`
Split out negotiation and listing 2015-10-12 11:19:31 -07:00			`)`
Usability improvements for rsync modules_list 2015-10-12 09:51:00 -07:00			`vprint_line(listing_table.to_s)`

			`report_note(`
			`host: ip,`
			`proto: 'tcp',`
			`port: rport,`
Better reporting 2015-10-12 10:56:21 -07:00			`type: 'rsync_modules',`
style 2015-11-04 09:11:07 -08:00			`data: { modules: modules_metadata }`
Usability improvements for rsync modules_list 2015-10-12 09:51:00 -07:00			`)`
			`end`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`end`
Make read timeout configurable and shorter by default 2015-11-04 10:01:38 -08:00
			`def setup`
			`fail_with(Failure::BadConfig, 'READ_TIMEOUT must be > 0') if read_timeout <= 0`
			`end`
List all (listable) modules from a rsync daemon 2014-07-24 22:04:00 +02:00			`end`