From 5adb1aef7e59e9c95affc523222dfe78db3089f6 Mon Sep 17 00:00:00 2001 From: Tod Beardsley Date: Wed, 27 Jan 2010 15:11:18 +0000 Subject: [PATCH] See #782. Fixing GWHOST/GATEWAY, implementing a new capture option for ARP requests. git-svn-id: file:///home/svn/framework3/trunk@8257 4d416f70-5f16-0410-b530-b9f4589650da --- lib/msf/core/exploit/capture.rb | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb index 9dbefc462a..13c1ea6a65 100644 --- a/lib/msf/core/exploit/capture.rb +++ b/lib/msf/core/exploit/capture.rb @@ -26,8 +26,7 @@ module Exploit::Capture OptString.new('FILTER', [false, 'The filter string for capturing traffic']), OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]), OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]), - # This needs some explaining, really. - OptAddress.new('GWHOST', [false, 'The gateway IP address']), + OptAddress.new('GATEWAY', [false, 'The gateway IP address']), OptAddress.new('LHOST', [false, 'The local IP address']) ], Msf::Exploit::Capture @@ -75,6 +74,7 @@ module Exploit::Capture len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i fil = opts['FILTER'] || datastore['FILTER'] + arp = opts['ARPCAP'] || false # Look for a PCAP file cap = datastore['PCAPFILE'] || '' @@ -88,10 +88,13 @@ module Exploit::Capture dev = datastore['INTERFACE'] || ::Pcap.lookupdev system("ifconfig", dev, "up") self.capture = ::Pcap.open_live(dev, len, true, tim) + self.arp_capture = ::Pcap.open_live(dev, 512, true, tim) if arp end if (not self.capture) raise RuntimeError, "Could not start the capture process" + elsif (arp and !self.arp_capture) + raise RuntimeError, "Could not start the ARP capture process" end self.capture.setfilter(fil) if fil @@ -100,6 +103,7 @@ module Exploit::Capture def close_pcap return if not self.capture self.capture = nil + self.arp_capture = nil GC.start() end @@ -171,6 +175,14 @@ module Exploit::Capture inject pkt end + def sendto(payload="", dhost=nil, bcast=false) + dst_mac,src_mac = lookup_eth(dhost) + if dst_mac == "ff:ff:ff:ff:ff:ff" and not bcast + return false + end + inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac) + end + # Depending on what kind of packet you get, the resultant hash returned will # contain one or several Racket objects. def readreply(proto=:udp) @@ -225,10 +237,10 @@ module Exploit::Capture # # We still need to know our own src_mac, though, since we assume we want # a response. To do this, we send a UDP trigger packet with a normal - # UDPSocket connect, to either the gateway host (GWHOST), if known, or to + # UDPSocket connect, to either the gateway host (GATEWAY), if known, or to # a random(ish) IP known to be beyond the default gateway. We then listen # for our own UDP packet (via readreply) -- it need not get a response - # from GWHost or the random fake IP. + # from GATEWAY or the random fake IP. # # Note, if IANA assigns 177/8 in the future, then the default fake-remote # IP address will have to be changed (unless you don't mind sending them @@ -247,7 +259,7 @@ module Exploit::Capture # # TODO: Reorganize this. # - def lookup_eth(addr=nil) + def lookup_eth(addr=nil,iface=nil) self.arp_cache = {} unless self.arp_cache.kind_of? Hash eth_pair = [nil,nil] # [dst_mac, src_mac] will go here. raise RuntimeError, "Could not access the capture process." if not self.capture @@ -256,7 +268,7 @@ module Exploit::Capture eth_pair[0] = self.arp_cache[addr] || arp(addr) || self.arp_cache[:gateway] eth_pair[1] = self.arp_cache[Rex::Socket.source_address(addr)] if (eth_pair[0].nil? || eth_pair[1].nil?) - dst_host = (datastore['GWHOST'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s) + dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s) dst_port = rand(30000)+1024 secret = "#{Rex::Text.rand_text(rand(0xff)+1)}" UDPSocket.open.send(secret,0,dst_host,dst_port) @@ -312,7 +324,7 @@ module Exploit::Capture self.arp_cache = {} end - attr_accessor :capture, :arp_cache + attr_accessor :capture, :arp_cache, :arp_capture end