354 lines
10 KiB
Ruby
354 lines
10 KiB
Ruby
module Msf
|
|
|
|
###
|
|
#
|
|
# This module provides methods for sending and receiving
|
|
# raw packets. It should be preferred over the soon-to-be
|
|
# deprecated Rex::Socket::Ip mixin.
|
|
#
|
|
# Please see the pcaprub documentation for more information.
|
|
#
|
|
###
|
|
|
|
module Exploit::Capture
|
|
|
|
#
|
|
# Initializes an instance of an exploit module that captures traffic
|
|
#
|
|
|
|
def initialize(info = {})
|
|
super
|
|
|
|
register_options(
|
|
[
|
|
OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
|
|
OptString.new('INTERFACE', [false, 'The name of the interface']),
|
|
OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
|
|
OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
|
|
OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),
|
|
OptAddress.new('GATEWAY', [false, 'The gateway IP address'])
|
|
|
|
], Msf::Exploit::Capture
|
|
)
|
|
|
|
register_advanced_options(
|
|
[
|
|
OptInt.new('ARP_SECRET', [true, 'The 32-bit cookie for ARP and UDP probe requests.', 1297303091])
|
|
], Msf::Exploit::Capture
|
|
)
|
|
|
|
require 'racket'
|
|
|
|
begin
|
|
require 'pcaprub'
|
|
@pcaprub_loaded = true
|
|
rescue ::Exception => e
|
|
@pcaprub_loaded = false
|
|
@pcaprub_error = e
|
|
end
|
|
|
|
end
|
|
|
|
def stats_recv(pcap=self.capture)
|
|
return(0) if not pcap
|
|
pcap.stats['recv']
|
|
end
|
|
|
|
def stats_drop(pcap=self.capture)
|
|
return(0) if not pcap
|
|
pcap.stats['drop']
|
|
end
|
|
|
|
def stats_ifdrop(pcap=self.capture)
|
|
return(0) if not pcap
|
|
pcap.stats['ifdrop']
|
|
end
|
|
|
|
#
|
|
# Opens a handle to the specified device
|
|
#
|
|
def open_pcap(opts={})
|
|
|
|
if (not @pcaprub_loaded)
|
|
print_status("The Pcaprub module is not available: #{@pcaprub_error}")
|
|
raise RuntimeError, "Pcaprub not available"
|
|
end
|
|
|
|
# Capture device
|
|
dev = nil
|
|
len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
|
|
tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
|
|
fil = opts['FILTER'] || datastore['FILTER']
|
|
arp = opts['ARPCAP'] || true
|
|
|
|
# Look for a PCAP file
|
|
cap = datastore['PCAPFILE'] || ''
|
|
|
|
if(not cap.empty?)
|
|
if(not File.exists?(cap))
|
|
raise RuntimeError, "The PCAP file #{cap} could not be found"
|
|
end
|
|
self.capture = ::Pcap.open_offline(cap)
|
|
else
|
|
dev = datastore['INTERFACE'] || ::Pcap.lookupdev
|
|
system("ifconfig", dev, "up")
|
|
self.capture = ::Pcap.open_live(dev, len, true, tim)
|
|
if arp
|
|
self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
|
|
preamble = datastore['ARP_SECRET'].to_i
|
|
arp_filter = "arp host #{IPAddr.new(preamble, Socket::AF_INET).to_s} or (udp[8:4] = #{preamble})"
|
|
self.arp_capture.setfilter(arp_filter)
|
|
end
|
|
end
|
|
|
|
if (not self.capture)
|
|
raise RuntimeError, "Could not start the capture process"
|
|
elsif (arp and !self.arp_capture)
|
|
raise RuntimeError, "Could not start the ARP capture process"
|
|
end
|
|
|
|
self.capture.setfilter(fil) if fil
|
|
end
|
|
|
|
def close_pcap
|
|
return if not self.capture
|
|
self.capture = nil
|
|
self.arp_capture = nil
|
|
GC.start()
|
|
end
|
|
|
|
def capture_extract_ies(raw)
|
|
set = {}
|
|
ret = 0
|
|
idx = 0
|
|
len = 0
|
|
|
|
while (idx < raw.length)
|
|
len = raw[idx+1]
|
|
return set if not len
|
|
set[ raw[idx] ] ||= []
|
|
set[ raw[idx] ].push(raw[idx + 2, len])
|
|
idx += len + 2
|
|
end
|
|
|
|
return set
|
|
end
|
|
|
|
#
|
|
# This monstrosity works around a series of bugs in the interrupt
|
|
# signal handling of Ruby 1.9
|
|
#
|
|
def each_packet
|
|
return if not capture
|
|
begin
|
|
@capture_count = 0
|
|
reader = Thread.new do
|
|
capture.each do |pkt|
|
|
yield(pkt)
|
|
@capture_count += 1
|
|
end
|
|
end
|
|
reader.join
|
|
rescue ::Exception
|
|
raise $!
|
|
ensure
|
|
reader.kill if reader.alive?
|
|
end
|
|
|
|
@capture_count
|
|
end
|
|
|
|
# Injects a packet on the wire. For all injection-related functions, it's
|
|
# on the module to open up a capture device first (this way, we don't
|
|
# needlessly spawn new capture devices).
|
|
def inject(pkt="",pcap=self.capture)
|
|
if not pcap
|
|
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
|
|
else
|
|
pcap.inject(pkt)
|
|
end
|
|
end
|
|
|
|
# Injects an Ethernet packet with an optional payload.
|
|
def inject_eth(args={})
|
|
eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
|
|
eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"
|
|
eth_type = args[:eth_type] || 0x0800 # IP default
|
|
payload = args[:payload]
|
|
pcap = args[:pcap] || self.capture
|
|
n = Racket::Racket.new
|
|
n.l2 = Racket::L2::Ethernet.new
|
|
n.l2.dst_mac = eth_daddr
|
|
n.l2.src_mac = eth_saddr
|
|
n.l2.ethertype = eth_type
|
|
pkt = n.pack
|
|
pkt += payload if payload
|
|
inject pkt,pcap
|
|
end
|
|
|
|
# Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
|
|
# a payload and a destination address. To send to the broadcast address, set bcast
|
|
# to true (this will guarantee that packets will be sent even if ARP doesn't work
|
|
# out).
|
|
def capture_sendto(payload="", dhost=nil, bcast=false)
|
|
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
|
|
raise RuntimeError, "Must specify a host to sendto" unless dhost
|
|
dst_mac,src_mac = lookup_eth(dhost)
|
|
if dst_mac == "ff:ff:ff:ff:ff:ff" and not bcast
|
|
return false
|
|
end
|
|
inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)
|
|
end
|
|
|
|
# Depending on what kind of packet you get, the resultant hash returned will
|
|
# contain one or several Racket objects.
|
|
def inject_reply(proto=:udp,pcap=self.capture)
|
|
reply = nil
|
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
|
if not pcap
|
|
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
|
|
else
|
|
begin
|
|
Timeout.timeout(to) do
|
|
pcap.each do |r|
|
|
eth = Racket::L2::Ethernet.new(r)
|
|
case proto
|
|
when :arp
|
|
next if not eth.ethertype == 0x0806
|
|
arp = Racket::L3::ARP.new(eth.payload)
|
|
reply = {:raw => r, :eth => eth, :arp => arp}
|
|
break
|
|
when :ip
|
|
next if not eth.ethertype == 0x0800
|
|
ip = Racket::L3::IPv4.new(eth.payload)
|
|
reply = {:raw => r, :eth => eth, :ip => ip}
|
|
break
|
|
when :udp
|
|
ip = Racket::L3::IPv4.new(eth.payload)
|
|
next if not ip.protocol == 17
|
|
udp = Racket::L4::UDP.new(ip.payload)
|
|
reply = {:raw => r, :eth => eth, :ip => ip, :udp => udp, :payload => udp.payload}
|
|
break
|
|
when :tcp
|
|
ip = Racket::L3::IPv4.new(eth.payload)
|
|
next if not ip.protocol == 6
|
|
tcp = Racket::L4::TCP.new(ip.payload)
|
|
reply = {:raw => r, :eth => eth, :ip => ip, :tcp => tcp, :payload => tcp.payload}
|
|
break
|
|
end
|
|
end
|
|
end
|
|
rescue Timeout::Error
|
|
end
|
|
end
|
|
return reply
|
|
end
|
|
|
|
# This ascertains the correct Ethernet addresses one should use to
|
|
# ensure injected IP packets actually get where they are going, and
|
|
# manages the self.arp_cache hash. It always uses self.arp_capture
|
|
#
|
|
# This is done by first generating two packets: First, we try to ARP
|
|
# the target IP address. If it's on the local network, this will usually
|
|
# elicit a response of [dst_mac, dst_ip] -- see arp, below.
|
|
#
|
|
# We still need to know our own src_mac, though, since we assume we want
|
|
# a response. To do this, we send a UDP trigger packet with a normal
|
|
# UDPSocket connect, to either the gateway host (GATEWAY), if known, or to
|
|
# a random(ish) IP known to be beyond the default gateway. We then listen
|
|
# for our own UDP packet (via inject_reply) -- it need not get a response
|
|
# from GATEWAY or the random fake IP.
|
|
#
|
|
# Note, if IANA assigns 177/8 in the future, then the default fake-remote
|
|
# IP address will have to be changed (unless you don't mind sending them
|
|
# probe packets).
|
|
#
|
|
# Finally, if all of this fails to get an adequate response, a default
|
|
# ethernet address pair of ["ff:ff:ff:ff:ff:ff","00:00:00:00:00:00"] will
|
|
# be used by the inject_eth function (above), unless the calling module
|
|
# decides against it. In switched networks, you should always get a correct
|
|
# pair for a remote address, the same pair for an unroutable address
|
|
# (eg, 127.0.0.1), or a correct pair for a local address (if the target
|
|
# responds to ARPs at all).
|
|
#
|
|
# TODO: Fix PcapRub to return a subnet mask so I can determine ahead of
|
|
# time if it's in the local network.
|
|
#
|
|
# TODO: Reorganize this.
|
|
#
|
|
def lookup_eth(addr=nil,iface=nil)
|
|
self.arp_cache = {} unless self.arp_cache.kind_of? Hash
|
|
eth_pair = [nil,nil] # [dst_mac, src_mac] will go here.
|
|
raise RuntimeError, "Could not access the capture process." if not self.arp_capture
|
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
|
# Try to ARP the real IP first.
|
|
eth_pair[0] = self.arp_cache[addr] || arp(addr) || self.arp_cache[:gateway]
|
|
eth_pair[1] = self.arp_cache[Rex::Socket.source_address(addr)]
|
|
if (eth_pair[0].nil? || eth_pair[1].nil?)
|
|
dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
|
|
dst_port = rand(30000)+1024
|
|
preamble = [datastore['ARP_SECRET']].pack("N")
|
|
secret = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
|
|
UDPSocket.open.send(secret,0,dst_host,dst_port)
|
|
begin
|
|
Timeout.timeout(to) do
|
|
while(my_packet = inject_reply(:udp,self.arp_capture))
|
|
if my_packet[:payload] = secret
|
|
eth_pair[0] ||= my_packet[:eth].dst_mac
|
|
eth_pair[1] = my_packet[:eth].src_mac
|
|
self.arp_cache[:gateway] = my_packet[:eth].dst_mac
|
|
self.arp_cache[Rex::Socket.source_address(addr)] = my_packet[:eth].src_mac
|
|
return eth_pair
|
|
else
|
|
next
|
|
end
|
|
end
|
|
end
|
|
rescue Timeout::Error
|
|
end
|
|
else
|
|
return eth_pair
|
|
end
|
|
end
|
|
|
|
# A pure-Ruby ARP exchange. It always uses self.arp_capture.
|
|
def arp(target_ip=nil)
|
|
return self.arp_cache[target_ip] if self.arp_cache[target_ip]
|
|
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
|
|
raise RuntimeError, "Could not access the capture process." if not self.arp_capture
|
|
n = Racket::Racket.new
|
|
n.l3 = Racket::L3::ARP.new
|
|
n.l3.opcode = 1
|
|
n.l3.tpa = target_ip || datastore['RHOST']
|
|
n.l3.spa = IPAddr.new(datastore['ARP_SECRET'].to_i, Socket::AF_INET).to_s
|
|
inject_eth(:eth_type => 0x0806,
|
|
:payload => n.pack,
|
|
:pcap => self.arp_capture
|
|
)
|
|
begin
|
|
Timeout.timeout(to) do
|
|
while (my_packet = inject_reply(:arp,self.arp_capture))
|
|
if my_packet[:arp].spa == target_ip
|
|
self.arp_cache[target_ip] = my_packet[:arp].sha
|
|
return self.arp_cache[target_ip]
|
|
else
|
|
next
|
|
end
|
|
end
|
|
end
|
|
rescue Timeout::Error
|
|
end
|
|
end
|
|
|
|
# Allow modules to reset their arp caches arbitrarily.
|
|
def expire_arpcache
|
|
self.arp_cache = {}
|
|
end
|
|
|
|
attr_accessor :capture, :arp_cache, :arp_capture
|
|
|
|
end
|
|
|
|
end
|
|
|