metasploit-framework/modules/auxiliary/admin/natpmp/natpmp_map.rb

114 lines
3.6 KiB
Ruby
Raw Normal View History

2013-03-07 00:16:26 +00:00
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-03-07 00:16:26 +00:00
##
require 'msf/core'
require 'rex/proto/natpmp'
class Metasploit3 < Msf::Auxiliary
2013-08-30 21:28:54 +00:00
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
2013-08-30 21:28:54 +00:00
def initialize
super(
'Name' => 'NAT-PMP Port Mapper',
'Description' => 'Map (forward) TCP and UDP ports on NAT devices using NAT-PMP',
'Author' => 'Jon Hart <jhart[at]spoofed.org>',
'License' => MSF_LICENSE
)
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::LPORT,
Opt::RPORT,
OptInt.new('NATPMPPORT', [true, "NAT-PMP port to use", Rex::Proto::NATPMP::DefaultPort]),
OptInt.new('LIFETIME', [true, "Time in ms to keep this port forwarded", 3600000]),
OptEnum.new('PROTOCOL', [true, "Protocol to forward", 'TCP', %w(TCP UDP)]),
Opt::CHOST
],
self.class
)
end
2013-08-30 21:28:54 +00:00
def run_host(host)
begin
2013-08-30 21:28:54 +00:00
udp_sock = Rex::Socket::Udp.create({
'LocalHost' => datastore['CHOST'] || nil,
'Context' => {'Msf' => framework, 'MsfExploit' => self}
})
add_socket(udp_sock)
2013-08-30 21:28:54 +00:00
# get the external address first
vprint_status "#{host} - NATPMP - Probing for external address"
req = Rex::Proto::NATPMP.external_address_request
udp_sock.sendto(req, host, datastore['NATPMPPORT'], 0)
external_address = nil
while (r = udp_sock.recvfrom(12, 1) and r[1])
(ver, op, result, epoch, external_address) = Rex::Proto::NATPMP.parse_external_address_response(r[0])
end
2013-08-30 21:28:54 +00:00
vprint_status "#{host} - NATPMP - Sending mapping request"
# build the mapping request
req = Rex::Proto::NATPMP.map_port_request(
datastore['LPORT'].to_i, datastore['RPORT'].to_i,
Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), datastore['LIFETIME']
)
# send it
udp_sock.sendto(req, host, datastore['NATPMPPORT'], 0)
# handle the reply
while (r = udp_sock.recvfrom(16, 1) and r[1])
handle_reply(Rex::Socket.source_address(host), host, external_address, r)
end
rescue ::Interrupt
raise $!
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
nil
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e.backtrace}")
end
end
2013-08-30 21:28:54 +00:00
def handle_reply(map_target, host, external_address, pkt)
return if not pkt[1]
2013-08-30 21:28:54 +00:00
if(pkt[1] =~ /^::ffff:/)
pkt[1] = pkt[1].sub(/^::ffff:/, '')
end
2013-08-30 21:28:54 +00:00
(ver, op, result, epoch, internal_port, external_port, lifetime) = Rex::Proto::NATPMP.parse_map_port_response(pkt[0])
2013-08-30 21:28:54 +00:00
if (result == 0)
if (datastore['RPORT'].to_i != external_port)
print_status( "#{external_address} " +
"#{datastore['RPORT']}/#{datastore['PROTOCOL']} -> #{map_target} " +
"#{internal_port}/#{datastore['PROTOCOL']} couldn't be forwarded")
end
print_status( "#{external_address} " +
"#{external_port}/#{datastore['PROTOCOL']} -> #{map_target} " +
"#{internal_port}/#{datastore['PROTOCOL']} forwarded")
end
2013-08-30 21:28:54 +00:00
# report NAT-PMP as being open
report_service(
:host => host,
:port => pkt[2],
:proto => 'udp',
:name => 'natpmp',
:state => Msf::ServiceState::Open
)
2013-08-30 21:28:54 +00:00
# report the external port as being open
if inside_workspace_boundary?(external_address)
2013-08-30 21:28:54 +00:00
report_service(
:host => external_address,
:port => external_port,
:proto => datastore['PROTOCOL'].to_s.downcase,
:state => Msf::ServiceState::Open
)
end
end
end