From 70127c09fb5f050f5d68eaf18256799088d1b13e Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Mon, 14 Mar 2011 15:58:17 +0000
Subject: [PATCH] Fixes #3939 by setting the racket bits correctly.

git-svn-id: file:///home/svn/framework3/trunk@11958 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/auxiliary/scanner/rogue/rogue_recv.rb | 6 +++---
 modules/auxiliary/scanner/rogue/rogue_send.rb | 5 +++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/modules/auxiliary/scanner/rogue/rogue_recv.rb b/modules/auxiliary/scanner/rogue/rogue_recv.rb
index 6e0c0530ce..4da84474bb 100644
--- a/modules/auxiliary/scanner/rogue/rogue_recv.rb
+++ b/modules/auxiliary/scanner/rogue/rogue_recv.rb
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
 	end
 
 	def build_filter
-		"icmp or (" +
+		"(icmp and icmp[0] == 0) or (" +
 		"tcp and (tcp[13] == 0x12 or (tcp[13] & 0x04) != 0) and " +
 		"src port #{datastore['RPORT']} and dst port #{datastore['CPORT']} " +
 		")"
@@ -76,8 +76,8 @@ class Metasploit3 < Msf::Auxiliary
 			icmp = Racket::L4::ICMP.new(ip.payload)
 			reply = {:raw => r, :eth => eth, :ip => ip, :icmp => icmp}
 			reply[:type] = :icmp
-			return if(icmp.payload[4,2] != [datastore['ECHOID']].pack('n'))
-			reply[:internal] = Rex::Socket.addr_ntoa(icmp.payload[0,4])
+			return if(icmp.payload[0,2] != [datastore['ECHOID']].pack('n'))
+			reply[:internal] = Rex::Socket.addr_ntoa(icmp.payload[4,4])
 			reply[:external] = ip.src_ip
 			return reply
 		when 6
diff --git a/modules/auxiliary/scanner/rogue/rogue_send.rb b/modules/auxiliary/scanner/rogue/rogue_send.rb
index becf1734ba..ddd75f813b 100644
--- a/modules/auxiliary/scanner/rogue/rogue_send.rb
+++ b/modules/auxiliary/scanner/rogue/rogue_send.rb
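Review bot: The new filter term `(icmp and icmp[0] == 0)` in build_filter relies on an undocumented byte offset; a comment such as `# icmp[0] is the ICMP type byte; 0 = echo reply, so only answers to our own probes are captured` above the string would save the next reader a trip to the BPF docs. The surrounding lines still interpolate `datastore['RPORT']` and `datastore['CPORT']` straight into the pcap expression; coercing them first, e.g. `Integer(datastore['RPORT'])`, turns a malformed option into a clear error before the filter is compiled. build_filter's closing `end` lies outside the hunk.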
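Review bot: The corrected offsets `icmp.payload[0,2]` and `icmp.payload[4,4]` in rogue_recv.rb are read from network-supplied ICMP data with no length check, so a reply whose first two payload bytes happen to match ECHOID but is shorter than 8 bytes hands `Rex::Socket.addr_ntoa` a nil or truncated string and raises out of the parser instead of being dropped. A guard ahead of the ID comparison, `return if icmp.payload.to_s.length < 8`, rejects such packets the same way an ID mismatch does. A short comment would also help, since the payload layout (`[0,2]` echo id, `[4,4]` the probed address, with the sequence presumably in between) is only implied by the matching change in rogue_send.rb: `# echo payload: id(2) seq(2) then the address we probed(4)`. The enclosing `case` and its method start and end outside the hunk.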
@@ -89,8 +89,9 @@ class Metasploit3 < Msf::Auxiliary
 		n.l3.id = rand(0x10000)
 		n.l3.ttl = 255
-		n.l4 = Racket::L4::ICMP.new
-		n.l4.type = 8
+		n.l4 = Racket::L4::ICMPEcho.new
+		n.l4.id = datastore['ECHOID']
+		n.l4.sequence = 1
 		n.l4.payload = Rex::Socket.addr_aton(dst) + [datastore['ECHOID']].pack('n') + Rex::Text.rand_text(26)
 		n.l4.fix!