2011-11-03 03:00:51 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-11-03 03:00:51 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
require 'rex'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Post
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super( update_info( info,
|
2012-02-20 18:38:43 +00:00
|
|
|
'Name' => 'Windows Recon Resolve Hostname',
|
2011-11-17 13:47:26 +00:00
|
|
|
'Description' => %q{ This module resolves a hostname to IP address via the victim, similiar to the Unix dig command},
|
2011-11-03 03:00:51 +00:00
|
|
|
'License' => MSF_LICENSE,
|
2011-11-06 22:02:26 +00:00
|
|
|
'Author' => [ 'Rob Fuller <mubix[at]hak5.org>'],
|
2011-11-03 03:00:51 +00:00
|
|
|
'Platform' => [ 'windows' ],
|
|
|
|
'SessionTypes' => [ 'meterpreter' ]
|
|
|
|
))
|
2011-11-06 22:02:26 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('HOSTNAME', [true, 'Hostname to lookup', nil])
|
|
|
|
], self.class)
|
2011-11-03 03:00:51 +00:00
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-11-03 03:00:51 +00:00
|
|
|
def run
|
|
|
|
### MAIN ###
|
2011-11-11 00:00:50 +00:00
|
|
|
|
2011-11-03 03:00:51 +00:00
|
|
|
if client.platform =~ /^x64/
|
|
|
|
size = 64
|
|
|
|
addrinfoinmem = 32
|
|
|
|
else
|
|
|
|
size = 32
|
|
|
|
addrinfoinmem = 24
|
|
|
|
end
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-11-03 03:00:51 +00:00
|
|
|
hostname = datastore['HOSTNAME']
|
2011-11-06 22:02:26 +00:00
|
|
|
|
2011-11-03 03:00:51 +00:00
|
|
|
## get IP for host
|
|
|
|
begin
|
|
|
|
vprint_status("Looking up IP for #{hostname}")
|
|
|
|
result = client.railgun.ws2_32.getaddrinfo(hostname, nil, nil, 4 )
|
|
|
|
if result['GetLastError'] == 11001
|
2011-11-03 18:34:30 +00:00
|
|
|
print_error("Failed to resolve the host")
|
|
|
|
return
|
2011-11-03 03:00:51 +00:00
|
|
|
end
|
|
|
|
addrinfo = client.railgun.memread( result['ppResult'], size )
|
|
|
|
ai_addr_pointer = addrinfo[addrinfoinmem,4].unpack('L').first
|
|
|
|
sockaddr = client.railgun.memread( ai_addr_pointer, size/2 )
|
|
|
|
ip = sockaddr[4,4].unpack('N').first
|
|
|
|
hostip = Rex::Socket.addr_itoa(ip)
|
|
|
|
print_status("#{hostname} resolves to #{hostip}")
|
|
|
|
rescue ::Exception => e
|
|
|
|
print_error(e)
|
|
|
|
print_status('Windows 2000 and prior does not support getaddrinfo')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|