Configurable fix for #4305

Rename UDP_SECRET to just SECRET, as it is used for more than just UDP Rename and properly document GATEWAY option Introduce an option to configure what UDP port will be probed
2014-12-04 13:17:34 -08:00 · 2014-12-04 13:17:34 -08:00 · 7f425fc3ab
parent f22d7191cd
commit 7f425fc3ab
1 changed files with 15 additions and 8 deletions
--- a/lib/msf/core/exploit/capture.rb
+++ b/lib/msf/core/exploit/capture.rb
@ -37,8 +37,16 @@ module Msf

        register_advanced_options(
          [
-            OptInt.new('UDP_SECRET', [true, 'The 32-bit cookie for UDP probe requests.', 1297303091]),
-            OptAddress.new('GATEWAY', [false, 'The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.']),
+            OptInt.new('SECRET', [true, 'A 32-bit cookie for probe requests.', 'MSF!'.unpack('N')]),
+            OptAddress.new('GATEWAY_PROBE_HOST',
+                           [
+                             true,
+                             'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
+                             'www.metasploit.com'])
+            OptPort.new('GATEWAY_PROBE_PORT',
+                        [
+                          false,
+                          'The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)'])
          ], Msf::Exploit::Capture
        )

@ -116,7 +124,7 @@ module Msf
          self.capture = ::Pcap.open_live(dev, len, true, tim)
          if do_arp
            self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
-            preamble         = datastore['UDP_SECRET'].to_i
+            preamble         = datastore['SECRET'].to_i
            arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
            self.arp_capture.setfilter(arp_filter)
          end
@ -303,9 +311,9 @@ module Msf
      end

      def probe_gateway(addr)
-        dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
-        dst_port = rand(30000)+1024
-        preamble = [datastore['UDP_SECRET']].pack("N")
+        dst_host = datastore['GATEWAY_PROBE_HOST']
+        dst_port = datastore['GATEWAY_PROBE_PORT'] == 0 ? rand(30000) + 1024 : datastore['GATEWAY_PROBE_PORT']
+        preamble = [datastore['SECRET']].pack("N")
        secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"

        begin
@ -313,9 +321,8 @@ module Msf
            sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_TTL, 1)
            sock.send(secret, 0, dst_host, dst_port)
          end
-          #UDPSocket.open.send(secret, 0, dst_host, dst_port)
        rescue Errno::ENETUNREACH
-          # This happens on networks with no gatway. We'll need to use a
+          # This happens on networks with no gateway. We'll need to use a
          # fake source hardware address.
          self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
        end