metasploit-framework/lib/msf/core/exploit/capture.rb

module Msf

###
#
# This module provides methods for sending and receiving 
# raw packets. It should be preferred over the soon-to-be
# deprecated Rex::Socket::Ip mixin.
#
# Please see the pcaprub documentation for more information.
#
###

module Exploit::Capture

	#
	# Initializes an instance of an exploit module that captures traffic
	#

	def initialize(info = {})
		super

		register_options(
			[
				OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
				OptString.new('INTERFACE', [false, 'The name of the interface']),
				OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
				OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
				OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),
				# This needs some explaining, really.
				OptAddress.new('GWHOST', [false, 'The gateway IP address']),
				OptAddress.new('LHOST', [false, 'The local IP address'])

			], Msf::Exploit::Capture
		)

		require 'racket'

		begin
			require 'pcaprub'
			@pcaprub_loaded = true
		rescue ::Exception => e
			@pcaprub_loaded = false
			@pcaprub_error  = e
		end

		datastore['ARP_CACHE'] = {}

	end

	def stats_recv
		return(0) if not self.capture
		self.capture.stats['recv']
	end

	def stats_drop
		return(0) if not self.capture
		self.capture.stats['drop']
	end

	def stats_ifdrop
		return(0) if not self.capture
		self.capture.stats['ifdrop']
	end

	#
	# Opens a handle to the specified device
	#
	def open_pcap(opts={})

		if (not @pcaprub_loaded)
			print_status("The Pcaprub module is not available: #{@pcaprub_error}")
			raise RuntimeError, "Pcaprub not available"
		end

		# Capture device
		dev = nil
		len = (opts['SNAPLEN'] || datastore['SNAPLEN']  || 65535).to_i
		tim = (opts['TIMEOUT'] || datastore['TIMEOUT']  || 0).to_i
		fil = opts['FILTER'] || datastore['FILTER']

		# Look for a PCAP file
		cap = datastore['PCAPFILE'] || ''

		if(not cap.empty?)
			if(not File.exists?(cap))
				raise RuntimeError, "The PCAP file #{cap} could not be found"
			end
			self.capture = ::Pcap.open_offline(cap)
		else
			dev = datastore['INTERFACE'] || ::Pcap.lookupdev
			system("ifconfig", dev, "up")
			self.capture = ::Pcap.open_live(dev, len, true, tim)
		end

		if (not self.capture)
			raise RuntimeError, "Could not start the capture process"
		end

		self.capture.setfilter(fil) if fil
	end

	def close_pcap
		return if not self.capture
		self.capture = nil
		GC.start()
	end

	def capture_extract_ies(raw)
		set = {}
		ret = 0
		idx = 0
		len = 0

		while (idx < raw.length)
			len = raw[idx+1]
			return set if not len
			set[ raw[idx] ] ||= []
			set[ raw[idx] ].push(raw[idx + 2, len])
			idx += len + 2
		end

		return set
	end

	#
	# This monstrosity works around a series of bugs in the interrupt
	# signal handling of Ruby 1.9
	#
	def each_packet
		return if not capture
		begin
			@capture_count = 0
			reader = Thread.new do
				capture.each do |pkt|
					yield(pkt)
					@capture_count += 1
				end
			end
			reader.join
		rescue ::Exception
			raise $!
		ensure
			reader.kill if reader.alive?
		end

		@capture_count
	end

	# Injects a packet on the wire. For all injection-related functions, it's
	# on the module to open up a capture device first (this way, we don't
	# needlessly spawn new capture devices).
	def inject(pkt)
		if not self.capture
			raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
		else
			self.capture.inject(pkt)
		end
	end

	# Injects an Ethernet packet with an optional payload.
	def inject_eth(args={})
		eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
		eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"
		eth_type  = args[:eth_type]  || 0x0800 # IP default
		payload   = args[:payload]
		n = Racket::Racket.new
		n.l2 = Racket::L2::Ethernet.new
		n.l2.dst_mac = eth_daddr
		n.l2.src_mac = eth_saddr
		n.l2.ethertype = eth_type
		pkt = n.pack
		pkt += payload if payload
		inject pkt
	end

	# Depending on what kind of packet you get, the resultant hash returned will
	# contain one or several Racket objects.
	def readreply(proto=:udp)
		reply = nil
		to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
		if not self.capture
			raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
		else
			begin
				Timeout.timeout(to) do
					self.capture.each do |r|
						eth = Racket::L2::Ethernet.new(r)
						case proto
						when :arp
							next if not eth.ethertype == 0x0806
							arp = Racket::L3::ARP.new(eth.payload)
							reply = {:raw => r, :eth => eth, :arp => arp}
							break
						when :ip
							next if not eth.ethertype == 0x0800
							ip = Racket::L3::IPv4.new(eth.payload)
							reply = {:raw => r, :eth => eth, :ip => ip}
							break
						when :udp
							ip = Racket::L3::IPv4.new(eth.payload)
							next if not ip.protocol == 17
							udp = Racket::L4::UDP.new(ip.payload)
							reply = {:raw => r, :eth => eth, :ip => ip, :udp => udp, :payload => udp.payload}
							break
						when :tcp
							ip = Racket::L3::IPv4.new(eth.payload)
							next if not ip.protocol == 6
							tcp = Racket::L4::TCP.new(ip.payload)
							reply = {:raw => r, :eth => eth, :ip => ip, :tcp => tcp, :payload => tcp.payload}
							break
						end
					end
				end
			rescue Timeout::Error
			end
		end
		return reply
	end

	# This ascertains the correct Ethernet addresses one should use to 
	# ensure injected IP packets actually get where they are going. It
	# also manages the 'ARP_CACHE' data store.
	#
	# This is done by first generating two packets: First, we try to ARP
	# the target IP address. If it's on the local network, this will usually
	# elicit a response of [dst_mac, dst_ip] -- see arp, below.
	#
	# We still need to know our own src_mac, though, since we assume we want
	# a response. To do this, we send a UDP trigger packet with a normal 
	# UDPSocket connect, to either the gateway host (GWHOST), if known, or to 
	# a random(ish) IP known to be beyond the default gateway. We then listen 
	# for our own UDP packet (via readreply) -- it need not get a response 
	# from GWHost or the random fake IP.
	#
	# Note, if IANA assigns 177/8 in the future, then the default fake-remote
	# IP address will have to be changed (unless you don't mind sending them
	# probe packets).
	#
	# Finally, if all of this fails to get an adequate response, a default
	# ethernet address pair of ["ff:ff:ff:ff:ff:ff","00:00:00:00:00:00"] will
	# be used by the inject_eth function (above), unless the calling module
	# decides against it. In switched networks, you should always get a correct
	# pair for a remote address, the same pair for an unroutable address 
	# (eg, 127.0.0.1), or a correct pair for a local address (if the target 
	# responds to ARPs at all).
	#
	# TODO: Fix PcapRub to return a subnet mask so I can determine ahead of
	# time if it's in the local network.
	# 
	# TODO: Reorganize this. 
	#
	def lookup_eth(addr=nil)
		eth_pair = [nil,nil] # [dst_mac, src_mac] will go here.
		raise RuntimeError, "Could not access the capture process." if not self.capture
		to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
		# Try to ARP the real IP first.
		eth_pair[0] = datastore['ARP_CACHE'][addr] || arp(addr) || datastore['ARP_CACHE'][:gateway]
		eth_pair[1] = datastore['ARP_CACHE'][Rex::Socket.source_address(addr)]
		if (eth_pair[0].nil? || eth_pair[1].nil?)
			dst_host = (datastore['GWHOST'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
			dst_port = rand(30000)+1024
			secret = "#{Rex::Text.rand_text(rand(0xff)+1)}"
			UDPSocket.open.send(secret,0,dst_host,dst_port)
			begin
				Timeout.timeout(to) do
					while(my_packet = readreply(:udp))
						if my_packet[:payload] = secret
							eth_pair[0] ||= my_packet[:eth].dst_mac
							eth_pair[1] = my_packet[:eth].src_mac
							datastore['ARP_CACHE'][:gateway] = my_packet[:eth].dst_mac
							datastore['ARP_CACHE'][Rex::Socket.source_address(addr)] = my_packet[:eth].src_mac
							return eth_pair
						else
							next
						end
					end
				end
				rescue Timeout::Error
			end
		else
			return eth_pair
		end
	end

	# A pure-Ruby ARP exchange.
	def arp(target_ip=nil)
		return datastore['ARP_CACHE'][target_ip] if datastore['ARP_CACHE'][target_ip]
		to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
		raise RuntimeError, "Could not access the capture process." if not self.capture
		n = Racket::Racket.new
		n.l3 = Racket::L3::ARP.new
		n.l3.opcode = 1
		n.l3.tpa = target_ip || datastore['RHOST']
		inject_eth(:eth_type => 0x0806,
							 :payload => n.pack)
		begin
			Timeout.timeout(to) do
				while (my_packet = readreply(:arp))
					if my_packet[:arp].spa == target_ip
						datastore['ARP_CACHE'][target_ip] = my_packet[:arp].sha
						return datastore['ARP_CACHE'][target_ip] 
					else
						next
					end
				end
			end
		rescue Timeout::Error
		end
	end

	# Allow modules to reset their arp caches arbitrarily.
	def expire_arpcache
		datastore['ARP_CACHE'] = {}
	end
		
	attr_accessor :capture, :arp_cache

end

end