Commit Graph

922 Commits (b51ecda9d6262dfbb888d4bdad2e2ccadcf14baa)

Author SHA1 Message Date
zerosum0x0 c8ff2adf06 added support for smb client 2018-01-27 20:49:17 -07:00
Brent Cook 03d1523d43
Land #6611, add native DNS to Rex, MSF mixin, sample modules 2018-01-22 23:54:32 -06:00
Pearce Barry ba75d19d34
Fix failing spec. 2018-01-19 15:52:25 -06:00
Pearce Barry 2a6b3671bf
Add connection addr+port info to http response object.
Update owa_login to use this instead of doing lookups on its own.
2018-01-19 13:37:33 -06:00
William Vu 2916c5ae45 Rescue Rex::Proto::SunRPC::RPCTimeout
Coincidentally, this also fixes the rescue in the library, since
rescuing Timeout instead of Timeout::Error does nothing.
2018-01-12 19:34:59 -06:00
RageLtMan c65c03722c Migrate native DNS services to Dnsruby data format
Dnsruby provides advanced options like DNSSEC in its data format
and is a current and well supported library.
The infrastructure services - resolver, server, etc, were designed
for a standalone configuration, and carry entirely too much weight
and redundancy to implement for this context. Instead of porting
over their native resolver, update the Net::DNS subclassed Rex
Resolver to use Dnsruby data formats and method calls.
Update the Msf namespace infrastructure mixins and native server
module with new method calls and workarounds for some instance
variables having only readers without writers. Implement the Rex
ServerManager to start and stop the DNS service adding relevant
alias methods to the Rex::Proto::DNS::Server class.

Rex services are designed to be modular and lightweight, as well
as implement the sockets, threads, and other low-level interfaces.
Dnsruby's operations classes implement their own threading and
socket semantics, and do not fit with the modular mixin workflow
used throughout Framework. So while the updated resolver can be
seen as adding rubber to the tire fire, converting to dnsruby's
native classes for resolvers, servers, and caches, would be more
like adding oxy acetylene and heavy metals.

Testing:
  Internal tests for resolution of different record types locally
and over pivot sessions.
2018-01-12 05:00:00 -05:00
jgor 51e5fb450f Detect and return on bad VNC negotiations 2018-01-05 10:12:13 -06:00
Brent Cook c2bb144d0f
Land #9302, Implement ARD auth and add remote CVE-2017-13872 (iamroot) module 2017-12-28 14:11:26 -06:00
Jon Hart 962bc71d10
Merge branch 'feature/mqtt' into feature/mqtt-login 2017-12-20 18:58:36 -08:00
Jon Hart cf21d13b2e
Resolve conflict 2017-12-20 18:58:16 -08:00
Jon Hart d0b3abc14b
Better handling of MQTT endpoints which don't require authentication
Arguably this is working around LoginScanner's inability to provide
blank usernames AND passwords
2017-12-20 18:02:52 -08:00
Jon Hart 2e62d77e36
Add new method for fetching parsed cookies from an HTTP response
This fixed #9332.
2017-12-20 16:19:44 -08:00
Jon Hart 741d08f604
Style cleanup 2017-12-20 13:33:47 -08:00
Jon Hart f15309bc48
Add basic framework for interacting with MQTT 2017-12-20 12:28:02 -08:00
jgor b99f044de5 Implement VNC security type 30 (Apple Remote Desktop) authentication 2017-12-14 13:57:38 -06:00
Brent Cook 71f13db918 style updates 2017-09-26 15:58:43 -05:00
RageLtMan 8d60fdf9e7 Bug - HTTP Client can call :shutdown on closed IO
When running Rex HTTP client calls across pivots, pivot sockets
can get closed by the remote server, resulting in a closed :conn
object within the client object. The clients :close method calls
self.conn.shutdown which raises an 'IOError closed stream' on what
is effectively a TCPSocket object in a closed state (under the Rex
abstraction).

Resolve by moving the self.conn.closed? check into the conditional
just above the :shutdown call, and remove if from the underlying
:close call as calling :close on an already closed TCPSocket
returns nil as opposed to throwing an exception like the :shutdown
method.
2017-09-10 03:09:59 -04:00
h00die dc358dd087 unknow to unknown 2017-08-18 11:33:48 -04:00
Tabish Imran f1b07b5c6d Add send_cmd_data function from /lib/metasploit/framework/ftp/client.rb to class 2017-08-02 01:14:08 +05:30
Tabish Imran 0b001fdea6 Modify to reduce rubocop offenses 2017-07-25 17:46:05 +05:30
Tabish Imran da8cb48639 Add FTP protocol client implementation 2017-07-25 00:56:34 +05:30
Tabish Imran ab37ccb173 Add FTP protocol support 2017-07-25 00:56:19 +05:30
Anderson 959f9fe2d2 Updated lib/rex/proto/http/client_request.rb to ensure that the host header is formatted 2017-06-29 12:05:02 -07:00
RageLtMan 1a253f92a1 Finalize DNS spoofing module
DNS spoofing module should be feature complete, with forwarding of
requests which do not have cached answers (can be disabled same as
the native server module), empty replies to reduce client wait on
outstanding DNS requests, and post-send output in verbose mode
to reduce garbage and execution time in the critical/racy path.

This module is best used in conditions where MITM is achieved by
way of MAC spoofing, route interception, or compromise of an inline
host on the datapath. The attacker should avoid forwarding
original requests to the intended destination, or if this is not
possible, prevent replies from traversing the MITM space in order
to avoid race conditions between the spoofer and victim.

Example iptables configuration on MITM host:
 iptables -t nat -A POSTROUTING -o eth0 -p udp ! --dport 53 -j ...

Testing:
  Internal testing in Virtualbox local network, atop 802.11, and
mostly in Neutron (with port security disabled on the VIFs) atop
OpenStack Liberty ML2+OVS.
2017-06-23 19:59:02 -04:00
RageLtMan deef4a94fe Allow DNS::Server::Cache to find '*' names
Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.

Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.

Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
2017-06-23 19:59:01 -04:00
RageLtMan 07dd59fb85 Import native DNS spoofing module and cleanup
Import PCAP-based DNS spoofing server module:
This module uses the Capture mixin to sniff and parse packets off
the wire, then match answers to sniffed requests from static
entries in the server's cache. If answers are found, they are
appended to a cloned packet with reverse saddr/daddr pairs at
layers 2-4, the qr bit is set, and it is injected back into the
interface from where it came.

Minor cleanup in the Rex::Proto::DNS::Server::Cache class to allow
multiple address->name pairs and fix issues when adding multiple
static entries.
2017-06-23 19:58:43 -04:00
RageLtMan b60990c19c Use a MockDnsClient object for request state
In order to handle TCP and UDP clients in a common manner, the
DNS server created a Rex::Socket::Udp object to represent the
client object allowing for a client.write(response) approach to
returning results for both TCP and UDP clients. During work on
the common socket abstractions (#6692) it became apparent that
remote pivoted sockets cannot be created with the same exact param
set used on the server socket - sockets dont reuse with localhost
and localport params being the same, an exception is raised from
the Windows side of the pivot abstraction. Creating a new socket
for every request is also needless overhead and noise.

Create the MockDnsClient class to  consume peerhost, peerport, and
the DNS server's UDP socket as arguments in order to execute a
sendto() from the existing socket when sending a response. A write
method is provided in the class for common interface between the
UDP and TCP request handlers.

This has been tested in conjunction with #6692 and shown to be
successful as serving remote requests from the IO.select polled
pivot socket running on a Windows host via Meterpreter.
2017-06-23 19:58:42 -04:00
RageLtMan fec23cf0fd Remove setsockopt calls from DNS server 2017-06-23 19:58:42 -04:00
RageLtMan d64962994c Packet.valid_hostname? should be a class method 2017-06-23 19:58:40 -04:00
RageLtMan a555ee716e Fix typo in Rex DNS Server 2017-06-23 19:58:40 -04:00
RageLtMan e86ca56dd1 add :closed? method to Meterpreter Channel
Implement a check for self.cid.nil? in Meterpreter's Channel class
in the :closed? method for compatibility with the Socket's :closed?

Touch up the Rex DNS server's stop method using this method on
pivot sockets.

Add SOL_SOCKET and SO_REUSEADDR options to the Rex UDP sockets
created by the DNS components - the server socket, as well as the
client abstraction socket.
2017-06-23 19:58:39 -04:00
RageLtMan 570987aecd Missing lines from Proto::DNS::Packet 2017-06-23 19:58:39 -04:00
RageLtMan 00611e97fb Rex::Proto::DNS::Packet generate req/resp
Create default generator methods for DNS request and response in
the Packet module.

Packet.generate_request is directly adapted from
Net::DNS::Resolver.make_query_packet with conveniences added from
the local namespace.

Packet.generate_response is a convenience wrapper for attaching
responses to request, flipping the qr bit, and adjusting the rCode
for NXDomain or NoError depending on whether the response has any
answers or not. Existing responses being passed into this method
with new answers or an empty array will have their rCode updated
accordingly for NoError and NXDomain.

Clean up Rex::Proto::DNS::Server by use of the convenience method
and removal of the :validate method (as its now in Packet).

Add Packet.valid_hostname? as a wrapper for matching against the
Rex::Proto::DNS::Constants::MATCH_HOSTNAME regex.
2017-06-23 19:58:38 -04:00
RageLtMan 3b7c1955c8 Rex::Proto::DNS::Packet::Raw convenience methods
Add convenience methods for little and big endian operations on
DNS packet contents. Use the convenience methods for quick ID
and request length extraction without full packet parsing.
2017-06-23 19:58:38 -04:00
RageLtMan de0867aaba Address wchen-r7's initial comments
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
2017-06-23 19:58:38 -04:00
RageLtMan 2347c8df99 Create basic packet manipulation modules
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.

The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.

Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.

Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.

-----

Testing:
  Tested running the RC provided in the pull request
  Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
2017-06-23 19:58:37 -04:00
RageLtMan 2679c26e88 Create and implement Rex::IO::GramServer mixin
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.

Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.

Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.

-----

Change calling conventions in Rex::Proto::DNS::Server to match
other components.

Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.

Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".

-----

Testing:
  Basic functional tests in Pry for now.
2017-06-23 19:58:37 -04:00
RageLtMan a9f1fcec7f Set resolver comm and ctx manually 2017-06-23 19:58:36 -04:00
RageLtMan b5c89c4ffe Server::Cache.cache_record graceful failure
Bail out early unless the monitor thread is running since pruning
will not automatically occur. Continue to raise an exception when
invalid cache attempts are made. If this behavior is not desired,
override the method or create a descendant with altered behavior.
2017-06-23 19:58:35 -04:00
RageLtMan 4467cef902 Allow Server to start without caching 2017-06-23 19:58:34 -04:00
RageLtMan 3afc5d2da1 Add running? check to Server 2017-06-23 19:58:34 -04:00
RageLtMan 7b370622c4 Resolver - add accessors for comm and ctx 2017-06-23 19:58:34 -04:00
RageLtMan 332862bfea Server needs a resolver to perform fwd lookups
Dont send requests to a nil object for lookups, it's not very good
at that.
2017-06-23 19:58:33 -04:00
RageLtMan b1b43555cf Fixup Resolver socket creation slop 2017-06-23 19:58:33 -04:00
RageLtMan 6e86ac6e1b Tweak Server and Resolver
Create default_dispatch_request method in Server to allow an
intercepted dispatch request to fall back into default exec flow.

Add attr_reader to the records hash in Cache

Provide Resolver and Server with comm option for their sockets.
2017-06-23 19:58:33 -04:00
RageLtMan e3c372834e Update Resolver's use of Rex Sockets
Compose configuration hashes for the Rex Sockets used in requests
based on the Resolver's own configuration, including passing the
Framework context, and CHOST/CPORT options in from Msf namespaces.
2017-06-23 19:58:32 -04:00
RageLtMan a8c3adf19c Move recursion bit logic into the fwd lookup 2017-06-23 19:58:32 -04:00
RageLtMan 136cc964f5 Accessors, cache stop lock fix, and resp header
Missed the attr_accessors in first commit - added.

Updated Cache stop method to iterate over the resulting Array of
records without holding a write lock over it (:each vs :map).

Glanced over https://www.ietf.org/rfc/rfc1035.txt and set proper
bits for the response and recursion fields prior to passing off the
data for return.

TODO:
  Write mixin for easier packet manipulation with configurable
response builders which can determine proper settings for header
fields based on server/resolver configuration. Document to allow
exploit/vector developers to make use of the functionality...
2017-06-23 19:58:32 -04:00
RageLtMan 9f49903b14 Initial implementation of Rex::Proto::DNS
Add Rex::Proto::DNS and Rex::Proto::DNS::Constants namespaces
Create Rex::Proto::DNS::Resolver from Net::DNS::Resolver
Create Rex::Proto::DNS::Server and Rex::Proto::DNS::Server::Cache

Constants -
  A Rex::Socket style MATCH_HOSTNAME regex has been added to
help validate DNS names.

Resolver -
  Based off of old work creating Rex socket overrides in the
Net::DNS::Resolver as well as allowing for proxying and making
automatic adjustments to use TCP for proxied connections. This
resolver pivots with MSF, uses proxies, and doesnt pull in the
default /etc/resolv.conf information which can lead to info leak.
  Automatically sends Net::DNS::Packet and Resolv::DNS::Message
objects to the appropriate nameservers.
  TODO: Review for potential low level concurrent resolution impl.

Server::Cache -
  Threadsafe wrapper around a Hash which holds Net::DNS::RR keys
with Time.to_i values for counting eviction/stale time without
altering the original record.
  Takes records with a TTL of < 1 as static entries which are not
flushed or pruned by the monitor thread.

Server -
  A standard Rex level server allowing for client connections with
TCP and UDP listeners. Provides common framework for handling the
different transports by creating a "client" type object as a Rex
UDP socket and passing it back to the dispatch/sender methods.
This server can host listeners on remote pivot targets since it
utilizes Rex sockets, and should not leak internal information
from the resolver as easily either.
  Can be configured with a custom resolver regardless of its own
listener configuration (UDP/TCP mix is fine), and carries a
threadsafe wrapper for swapping the resolvers nameservers under
a Mutex.synchronize. Since listeners and resolvers can pivot,
a compromised host in one environment can serve DNS information
obtained by the resolver pivoting through a completely different
target.
  The server takes blocks for dispatch and send functions which
when defined, will intercept the standard execution flow which is
to parse the request, check the cache for corresponding records,
then forward the remaining questions in a request via the resolver,
and build + send a response back to the client.
  The accessors for dispatch and send, resolver, and cache are
accessible at runtime, though it is likely unsafe to replace the
cache and resolver while they are accessed from other threads.

-----

Testing:
  Initial testing performed in IRB/Pry generating manual requests.
  Subsequent checks performed using the running server as the sys
resolver.
  Additional testing is needed - the default dispatch_request
behavior may not be correct (i need to check the RFCs for this) as
it handles multiple questions for A records. This should be tuned
to be RFC compliant, with inheriting classes changing behavior as
needed. We also need to ensure that we're not leaking our own DNS
information to our targets, so all sorts of abuse is in order.

-----

TODO:
  Create Msf::Exploit::DNS namespace utilizing this functionality.
  - Move the threaded enum_dns work, as well as work from 6187,
into the namespace
  - Review existing modules for functional overlap and move here
as needed. This should be done in separate commits/PRs.
  Create specific DNS servers for spoofing, exploit delivery, and
finally handling DNS tunnels (the primary reason for this work).
  Write spec
  - Convince/coerce a friendly soul in the community to handle
spec for this fiasco while building further functionality.
2017-06-23 19:58:29 -04:00
William Webb 47a659f554
Land #8185, Convert ntp modules to bindata 2017-06-22 09:37:58 -05:00