metasploit-framework/lib/msf/core/exploit/capture.rb

module Msf

###
#
# This module provides methods for sending and receiving 
# raw packets. It should be preferred over the soon-to-be
# deprecated Rex::Socket::Ip mixin.
#
# Please see the pcaprub documentation for more information.
#
###

module Exploit::Capture

	#
	# Initializes an instance of an exploit module that captures traffic
	#

	def initialize(info = {})
		super

		register_options(
			[
				OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
				OptString.new('INTERFACE', [false, 'The name of the interface']),
				OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
				OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
				OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 1]),
				# This needs some explaining, really.
				OptAddress.new('GWHOST', [false, 'The gateway IP address'])

			], Msf::Exploit::Capture
		)

		require 'racket'

		begin
			require 'pcaprub'
			@pcaprub_loaded = true
		rescue ::Exception => e
			@pcaprub_loaded = false
			@pcaprub_error  = e
		end

	end

	def stats_recv
		return(0) if not self.capture
		self.capture.stats['recv']
	end

	def stats_drop
		return(0) if not self.capture
		self.capture.stats['drop']
	end

	def stats_ifdrop
		return(0) if not self.capture
		self.capture.stats['ifdrop']
	end

	#
	# Opens a handle to the specified device
	#
	def open_pcap(opts={})

		if (not @pcaprub_loaded)
			print_status("The Pcaprub module is not available: #{@pcaprub_error}")
			raise RuntimeError, "Pcaprub not available"
		end

		# Capture device
		dev = nil
		len = (opts['SNAPLEN'] || datastore['SNAPLEN']  || 65535).to_i
		tim = (opts['TIMEOUT'] || datastore['TIMEOUT']  || 0).to_i
		fil = opts['FILTER'] || datastore['FILTER']

		# Look for a PCAP file
		cap = datastore['PCAPFILE'] || ''

		if(not cap.empty?)
			if(not File.exists?(cap))
				raise RuntimeError, "The PCAP file #{cap} could not be found"
			end
			self.capture = ::Pcap.open_offline(cap)
		else
			dev = datastore['INTERFACE'] || ::Pcap.lookupdev
			system("ifconfig", dev, "up")
			self.capture = ::Pcap.open_live(dev, len, true, tim)
		end

		if (not self.capture)
			raise RuntimeError, "Could not start the capture process"
		end

		self.capture.setfilter(fil) if fil
	end

	def close_pcap
		return if not self.capture
		self.capture = nil
		GC.start()
	end

	def capture_extract_ies(raw)
		set = {}
		ret = 0
		idx = 0
		len = 0

		while (idx < raw.length)
			len = raw[idx+1]
			return set if not len
			set[ raw[idx] ] ||= []
			set[ raw[idx] ].push(raw[idx + 2, len])
			idx += len + 2
		end

		return set
	end

	#
	# This monstrosity works around a series of bugs in the interrupt
	# signal handling of Ruby 1.9
	#
	def each_packet
		return if not capture
		begin
			@capture_count = 0
			reader = Thread.new do
				capture.each do |pkt|
					yield(pkt)
					@capture_count += 1
				end
			end
			reader.join
		rescue ::Exception
			raise $!
		ensure
			reader.kill if reader.alive?
		end

		@capture_count
	end

	def inject(pkt)
		if not self.capture
			raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
		else
			self.capture.inject(pkt)
		end
	end

	def inject_eth(args={})
		eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
		eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"
		eth_type  = args[:eth_type]  || 0x8000 # IP default
		payload   = args[:payload]
		n = Racket::Racket.new
		n.l2 = Racket::L2::Ethernet.new
		n.l2.dst_mac = eth_daddr
		n.l2.src_mac = eth_saddr
		pkt = n.pack
		pkt += payload if payload
		inject pkt
	end

	def readreply(proto=:udp)
		reply = nil
		to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
		if not self.capture
			raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
		else
			begin
				Timeout.timeout(to) do
					self.capture.each do |r|
						eth = Racket::L2::Ethernet.new(r)
						next if not eth.ethertype == 0x0800
						ip = Racket::L3::IPv4.new(eth.payload)
						case proto
						when :udp
							next if not ip.protocol == 17
							udp = Racket::L4::UDP.new(ip.payload)
							reply = {:raw => r, :eth => eth, :ip => ip, :udp => udp, :payload => udp.payload}
							break
						when :tcp
							next if not ip.protocol == 6
							tcp = Racket::L4::TCP.new(ip.payload)
							reply = {:raw => r, :eth => eth, :ip => ip, :tcp => tcp, :payload => tcp.payload}
							break
						else # Otherwise just look for IP packets.
							break
						end
					end
				end
			rescue Timeout::Error
			end
		end
		return reply
	end

	# This ascertains the correct Ethernet addresses one should use to ensure injected
	# IP packets actually get where they are going, and get a response back if desired,
	# by sending a UDPSocket probe to the named address using the regular socket call.
	# 
	# It depends wholly on the routing of the default interfaces, and it's up to the 
	# user to pick an address that corresponds with the routing table of the desired
	# interface. Note that while readreply() is used, it's actually reading the sent
	# packet, and does not require a reply from the target IP address.
	#
	# If no IP address is given, a random address in the 177/8 network is used. For most
	# machines, this will hit the default gateway, and thus, return the default gateway's
	# IP address.
	def lookup_eth(addr=nil)
		to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
		raise RuntimeError, "Could not access the capture process." if not self.capture
		dst_host = (addr || datastore['GWHOST'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
		dst_port = rand(30000)+1024
		secret = "#{Rex::Text.rand_text(rand(0xff)+1)}"
		UDPSocket.open.send(secret,0,dst_host,dst_port)
		begin
			Timeout.timeout(to) do
				while(my_packet = readreply(:udp))
					if my_packet[:payload] = secret
						return [my_packet[:eth].dst_mac,my_packet[:eth].src_mac]
					else
						next
					end
				end
			end
			rescue Timeout::Error
		end
	end
		
	attr_accessor :capture

end

end