module Msf ### # # This module provides methods for sending and receiving # raw packets. It should be preferred over the soon-to-be # deprecated Rex::Socket::Ip mixin. # # Please see the pcaprub documentation for more information. # ### module Exploit::Capture # # Initializes an instance of an exploit module that captures traffic # def initialize(info = {}) super register_options( [ OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']), OptString.new('INTERFACE', [false, 'The name of the interface']), OptString.new('FILTER', [false, 'The filter string for capturing traffic']), OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]), OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]), # This needs some explaining, really. OptAddress.new('GWHOST', [false, 'The gateway IP address']), OptAddress.new('LHOST', [false, 'The local IP address']) ], Msf::Exploit::Capture ) require 'racket' begin require 'pcaprub' @pcaprub_loaded = true rescue ::Exception => e @pcaprub_loaded = false @pcaprub_error = e end datastore['ARP_CACHE'] = {} end def stats_recv return(0) if not self.capture self.capture.stats['recv'] end def stats_drop return(0) if not self.capture self.capture.stats['drop'] end def stats_ifdrop return(0) if not self.capture self.capture.stats['ifdrop'] end # # Opens a handle to the specified device # def open_pcap(opts={}) if (not @pcaprub_loaded) print_status("The Pcaprub module is not available: #{@pcaprub_error}") raise RuntimeError, "Pcaprub not available" end # Capture device dev = nil len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i fil = opts['FILTER'] || datastore['FILTER'] # Look for a PCAP file cap = datastore['PCAPFILE'] || '' if(not cap.empty?) if(not File.exists?(cap)) raise RuntimeError, "The PCAP file #{cap} could not be found" end self.capture = ::Pcap.open_offline(cap) else dev = datastore['INTERFACE'] || ::Pcap.lookupdev system("ifconfig", dev, "up") self.capture = ::Pcap.open_live(dev, len, true, tim) end if (not self.capture) raise RuntimeError, "Could not start the capture process" end self.capture.setfilter(fil) if fil end def close_pcap return if not self.capture self.capture = nil GC.start() end def capture_extract_ies(raw) set = {} ret = 0 idx = 0 len = 0 while (idx < raw.length) len = raw[idx+1] return set if not len set[ raw[idx] ] ||= [] set[ raw[idx] ].push(raw[idx + 2, len]) idx += len + 2 end return set end # # This monstrosity works around a series of bugs in the interrupt # signal handling of Ruby 1.9 # def each_packet return if not capture begin @capture_count = 0 reader = Thread.new do capture.each do |pkt| yield(pkt) @capture_count += 1 end end reader.join rescue ::Exception raise $! ensure reader.kill if reader.alive? end @capture_count end # Injects a packet on the wire. For all injection-related functions, it's # on the module to open up a capture device first (this way, we don't # needlessly spawn new capture devices). def inject(pkt) if not self.capture raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" else self.capture.inject(pkt) end end # Injects an Ethernet packet with an optional payload. def inject_eth(args={}) eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff" eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00" eth_type = args[:eth_type] || 0x0800 # IP default payload = args[:payload] n = Racket::Racket.new n.l2 = Racket::L2::Ethernet.new n.l2.dst_mac = eth_daddr n.l2.src_mac = eth_saddr n.l2.ethertype = eth_type pkt = n.pack pkt += payload if payload inject pkt end # Depending on what kind of packet you get, the resultant hash returned will # contain one or several Racket objects. def readreply(proto=:udp) reply = nil to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 if not self.capture raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" else begin Timeout.timeout(to) do self.capture.each do |r| eth = Racket::L2::Ethernet.new(r) case proto when :arp next if not eth.ethertype == 0x0806 arp = Racket::L3::ARP.new(eth.payload) reply = {:raw => r, :eth => eth, :arp => arp} break when :ip next if not eth.ethertype == 0x0800 ip = Racket::L3::IPv4.new(eth.payload) reply = {:raw => r, :eth => eth, :ip => ip} break when :udp ip = Racket::L3::IPv4.new(eth.payload) next if not ip.protocol == 17 udp = Racket::L4::UDP.new(ip.payload) reply = {:raw => r, :eth => eth, :ip => ip, :udp => udp, :payload => udp.payload} break when :tcp ip = Racket::L3::IPv4.new(eth.payload) next if not ip.protocol == 6 tcp = Racket::L4::TCP.new(ip.payload) reply = {:raw => r, :eth => eth, :ip => ip, :tcp => tcp, :payload => tcp.payload} break end end end rescue Timeout::Error end end return reply end # This ascertains the correct Ethernet addresses one should use to # ensure injected IP packets actually get where they are going. It # also manages the 'ARP_CACHE' data store. # # This is done by first generating two packets: First, we try to ARP # the target IP address. If it's on the local network, this will usually # elicit a response of [dst_mac, dst_ip] -- see arp, below. # # We still need to know our own src_mac, though, since we assume we want # a response. To do this, we send a UDP trigger packet with a normal # UDPSocket connect, to either the gateway host (GWHOST), if known, or to # a random(ish) IP known to be beyond the default gateway. We then listen # for our own UDP packet (via readreply) -- it need not get a response # from GWHost or the random fake IP. # # Note, if IANA assigns 177/8 in the future, then the default fake-remote # IP address will have to be changed (unless you don't mind sending them # probe packets). # # Finally, if all of this fails to get an adequate response, a default # ethernet address pair of ["ff:ff:ff:ff:ff:ff","00:00:00:00:00:00"] will # be used by the inject_eth function (above), unless the calling module # decides against it. In switched networks, you should always get a correct # pair for a remote address, the same pair for an unroutable address # (eg, 127.0.0.1), or a correct pair for a local address (if the target # responds to ARPs at all). # # TODO: Fix PcapRub to return a subnet mask so I can determine ahead of # time if it's in the local network. # # TODO: Reorganize this. # def lookup_eth(addr=nil) eth_pair = [nil,nil] # [dst_mac, src_mac] will go here. raise RuntimeError, "Could not access the capture process." if not self.capture to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 # Try to ARP the real IP first. eth_pair[0] = datastore['ARP_CACHE'][addr] || arp(addr) || datastore['ARP_CACHE'][:gateway] eth_pair[1] = datastore['ARP_CACHE'][Rex::Socket.source_address(addr)] if (eth_pair[0].nil? || eth_pair[1].nil?) dst_host = (datastore['GWHOST'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s) dst_port = rand(30000)+1024 secret = "#{Rex::Text.rand_text(rand(0xff)+1)}" UDPSocket.open.send(secret,0,dst_host,dst_port) begin Timeout.timeout(to) do while(my_packet = readreply(:udp)) if my_packet[:payload] = secret eth_pair[0] ||= my_packet[:eth].dst_mac eth_pair[1] = my_packet[:eth].src_mac datastore['ARP_CACHE'][:gateway] = my_packet[:eth].dst_mac datastore['ARP_CACHE'][Rex::Socket.source_address(addr)] = my_packet[:eth].src_mac return eth_pair else next end end end rescue Timeout::Error end else return eth_pair end end # A pure-Ruby ARP exchange. def arp(target_ip=nil) return datastore['ARP_CACHE'][target_ip] if datastore['ARP_CACHE'][target_ip] to = (datastore['TIMEOUT'] || 500).to_f / 1000.0 raise RuntimeError, "Could not access the capture process." if not self.capture n = Racket::Racket.new n.l3 = Racket::L3::ARP.new n.l3.opcode = 1 n.l3.tpa = target_ip || datastore['RHOST'] inject_eth(:eth_type => 0x0806, :payload => n.pack) begin Timeout.timeout(to) do while (my_packet = readreply(:arp)) if my_packet[:arp].spa == target_ip datastore['ARP_CACHE'][target_ip] = my_packet[:arp].sha return datastore['ARP_CACHE'][target_ip] else next end end end rescue Timeout::Error end end # Allow modules to reset their arp caches arbitrarily. def expire_arpcache datastore['ARP_CACHE'] = {} end attr_accessor :capture, :arp_cache end end