908de4521d
git-svn-id: file:///home/svn/incoming/trunk@3580 4d416f70-5f16-0410-b530-b9f4589650da
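module Msf

###
#
# This class hooks all sockets created by a running exploit so that
# outgoing data matching a known IPS signature can be kept from being sent.
#
# The plugin itself only installs a socket event handler. The per-socket
# hooks live in IPSFilter::SocketTracer; as written in this file they hold
# placeholder comments where the signature loading and matching would go
# and pass all traffic through to the underlying socket.
#
###
class Plugin::IPSFilter < Msf::Plugin

  ###
  #
  # Socket event handler that attaches IPSFilter::SocketTracer to sockets
  # created on behalf of an exploit.
  #
  ###
  class IPSSocketEventHandler
    include Rex::Socket::Comm::Events

    # Nothing is done before a socket is created.
    def on_before_socket_create(comm, param)
    end

    # Extends a freshly created socket with the tracer hooks, copies the
    # creation context onto it and runs the tracer's setup hook.
    #
    # comm  - the comm object reporting the event (unused here)
    # sock  - the socket that was just created
    # param - creation parameters; only param.context is read
    def on_socket_created(comm, sock, param)
      # Sockets created by the exploit have MsfExploit set and MsfPayload not set
      if param.context['MsfExploit'] && !param.context['MsfPayload']
        sock.extend(IPSFilter::SocketTracer)
        sock.context = param.context
        sock._init_hook_
      end
    end
  end

  # Creates the socket event handler and registers it with
  # Rex::Socket::Comm::Local.
  def initialize(framework, opts)
    super
    @ips_eh = IPSSocketEventHandler.new
    # Register the handler stored above. The instance variable used here was
    # previously misspelled (@bps_eh), so nil was registered and the handler
    # never received socket events.
    Rex::Socket::Comm::Local.register_event_handler(@ips_eh)
  end

  # Removes the handler registered in #initialize; it must name the same
  # instance variable, otherwise the handler stays registered after unload.
  def cleanup
    Rex::Socket::Comm::Local.deregister_event_handler(@ips_eh)
  end

  # Short name of the plugin.
  def name
    "ips_filter"
  end

  # One-line description of the plugin.
  def desc
    "Scans all outgoing data to see if it matches a known IPS signature"
  end

protected

end

end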
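# This module extends the captured socket instance
module IPSFilter
  # Hooks mixed into a single socket object with Object#extend. Each hook
  # delegates to the socket's own implementation through super. No signature
  # matching is implemented here yet: the comments in #write and #_init_hook_
  # mark where it would be added.
  module SocketTracer

    # Creation context assigned by the event handler that installs the tracer.
    attr_accessor :context

    # Hook the write method.
    #
    # buf  - data about to be sent
    # opts - options for the underlying write
    #
    # Returns whatever the underlying write returns.
    def write(buf, opts = {})
      # Add hooks to filter all outgoing packets here
      # Forward opts as well (the read hook already does); dropping them
      # would silently discard whatever options the caller passed.
      super(buf, opts)
    end

    # Hook the read method; currently a plain pass-through.
    def read(length = nil, opts = {})
      super(length, opts)
    end

    # Called by the event handler on setup
    def _init_hook_
      # Load up the signature set here
    end

    # Pass-through to the underlying close.
    def close(*args)
      super(*args)
    end

  end
end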