Fix UDP scanner mixin with multicast addresses

This fixes #8828 by only binding UDP sockets when we have unicast targets. If we have multicast, prefer unbound sockets. This also brings in the 'ipaddress' gem for identifying multicast addresses. It looks like it could replace a lot of custom-built functionality in rex-socket, including RangeWalker. Will need to see how efficient it is.
2017-08-22 06:44:43 -05:00 · 2017-08-22 06:44:43 -05:00 · 17aef43bb8
parent 031f48725f
commit 17aef43bb8
3 changed files with 27 additions and 15 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -11,6 +11,7 @@ PATH
      bit-struct
      dnsruby
      filesize
+      ipaddress
      jsobfu
      json
      metasm
@ -128,6 +129,7 @@ GEM
    fivemat (1.3.5)
    hashery (2.1.2)
    i18n (0.8.6)
+    ipaddress (0.8.3)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.1.0)
--- a/lib/msf/core/auxiliary/udp_scanner.rb
+++ b/lib/msf/core/auxiliary/udp_scanner.rb
@ -1,5 +1,7 @@
 # -*- coding: binary -*-

+require 'ipaddress'
+
 module Msf

 ###
@ -43,18 +45,20 @@ module Auxiliary::UDPScanner
    datastore['BATCHSIZE'].to_i
  end

-  def udp_socket(ip, port)
+  def udp_socket(ip, port, bind_peer: true)
+    key = "#{ip}:#{port}:#{bind_peer ? 'bound' : 'unbound'}"
    @udp_sockets_mutex.synchronize do
-      key = "#{ip}:#{port}"
      unless @udp_sockets.key?(key)
-        @udp_sockets[key] =
-          Rex::Socket::Udp.create({
-            'LocalHost' => datastore['CHOST'] || nil,
-            'LocalPort' => datastore['CPORT'] || 0,
-            'PeerHost'  => ip,
-            'PeerPort'  => port,
-            'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
-          })
+        sock_info = {
+          'LocalHost' => datastore['CHOST'] || nil,
+          'LocalPort' => datastore['CPORT'] || 0,
+          'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
+        }
+        if bind_peer
+          sock_info['PeerHost'] = ip
+          sock_info['PeerPort'] = port
+        end
+        @udp_sockets[key] = Rex::Socket::Udp.create(sock_info)
        add_socket(@udp_sockets[key])
      end
      return @udp_sockets[key]
@ -123,10 +127,15 @@ module Auxiliary::UDPScanner
    data = data.to_binary_s if data.respond_to?('to_binary_s')

    resend_count = 0
-    sock = nil
+
    begin
-      sock = udp_socket(ip, port)
-      sock.send(data, 0)
+      unless IPAddress(ip).multicast?
+        sock = udp_socket(ip, port, bind_peer: true)
+        sock.send(data, 0)
+      else
+        sock = udp_socket(ip, port, bind_peer: false)
+        sock.sendto(data, ip, port, 0)
+      end

    rescue ::Errno::ENOBUFS
      resend_count += 1
@ -136,8 +145,7 @@ module Auxiliary::UDPScanner
      end

      scanner_recv(0.1)
-
-      ::IO.select(nil, nil, nil, 0.25)
+      sleep(0.25)

      retry

--- a/metasploit-framework.gemspec
+++ b/metasploit-framework.gemspec
@ -54,6 +54,8 @@ Gem::Specification.new do |spec|
  spec.add_runtime_dependency 'backports'
  # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
  spec.add_runtime_dependency 'bcrypt'
+  # Address manipulation (TODO: evaluate to replace rex-socket address handling)
+  spec.add_runtime_dependency 'ipaddress'
  # Needed for Javascript obfuscation
  spec.add_runtime_dependency 'jsobfu'
  # Needed for some admin modules (scrutinizer_add_user.rb)