metasploit-framework/lib/msf/core/exploit/capture.rb

299 lines
8.0 KiB
Ruby

module Msf
###
#
# This module provides methods for sending and receiving
# raw packets. It should be preferred over the soon-to-be
# deprecated Rex::Socket::Ip mixin.
#
# Please see the pcaprub documentation for more information.
#
###
module Exploit::Capture
#
# Initializes an instance of an exploit module that captures traffic
#
def initialize(info = {})
super
register_options(
[
OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
OptString.new('INTERFACE', [false, 'The name of the interface']),
OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 1]),
# This needs some explaining, really.
OptAddress.new('GWHOST', [false, 'The gateway IP address']),
OptAddress.new('LHOST', [false, 'The local IP address'])
], Msf::Exploit::Capture
)
require 'racket'
begin
require 'pcaprub'
@pcaprub_loaded = true
rescue ::Exception => e
@pcaprub_loaded = false
@pcaprub_error = e
end
end
def stats_recv
return(0) if not self.capture
self.capture.stats['recv']
end
def stats_drop
return(0) if not self.capture
self.capture.stats['drop']
end
def stats_ifdrop
return(0) if not self.capture
self.capture.stats['ifdrop']
end
#
# Opens a handle to the specified device
#
def open_pcap(opts={})
if (not @pcaprub_loaded)
print_status("The Pcaprub module is not available: #{@pcaprub_error}")
raise RuntimeError, "Pcaprub not available"
end
# Capture device
dev = nil
len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
fil = opts['FILTER'] || datastore['FILTER']
# Look for a PCAP file
cap = datastore['PCAPFILE'] || ''
if(not cap.empty?)
if(not File.exists?(cap))
raise RuntimeError, "The PCAP file #{cap} could not be found"
end
self.capture = ::Pcap.open_offline(cap)
else
dev = datastore['INTERFACE'] || ::Pcap.lookupdev
system("ifconfig", dev, "up")
self.capture = ::Pcap.open_live(dev, len, true, tim)
end
if (not self.capture)
raise RuntimeError, "Could not start the capture process"
end
self.capture.setfilter(fil) if fil
end
def close_pcap
return if not self.capture
self.capture = nil
GC.start()
end
def capture_extract_ies(raw)
set = {}
ret = 0
idx = 0
len = 0
while (idx < raw.length)
len = raw[idx+1]
return set if not len
set[ raw[idx] ] ||= []
set[ raw[idx] ].push(raw[idx + 2, len])
idx += len + 2
end
return set
end
#
# This monstrosity works around a series of bugs in the interrupt
# signal handling of Ruby 1.9
#
def each_packet
return if not capture
begin
@capture_count = 0
reader = Thread.new do
capture.each do |pkt|
yield(pkt)
@capture_count += 1
end
end
reader.join
rescue ::Exception
raise $!
ensure
reader.kill if reader.alive?
end
@capture_count
end
# Injects a packet on the wire. For all injection-related functions, it's
# on the module to open up a capture device first (this way, we don't
# needlessly spawn new capture devices).
def inject(pkt)
if not self.capture
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
else
self.capture.inject(pkt)
end
end
# Injects an Ethernet packet with an optional payload.
def inject_eth(args={})
eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"
eth_type = args[:eth_type] || 0x0800 # IP default
payload = args[:payload]
n = Racket::Racket.new
n.l2 = Racket::L2::Ethernet.new
n.l2.dst_mac = eth_daddr
n.l2.src_mac = eth_saddr
n.l2.ethertype = eth_type
pkt = n.pack
pkt += payload if payload
inject pkt
end
# Depending on what kind of packet you get, the resultant hash returned will
# contain one or several Racket objects.
def readreply(proto=:udp)
reply = nil
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
if not self.capture
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
else
begin
Timeout.timeout(to) do
self.capture.each do |r|
eth = Racket::L2::Ethernet.new(r)
case proto
when :arp
next if not eth.ethertype == 0x0806
arp = Racket::L3::ARP.new(eth.payload)
reply = {:raw => r, :eth => eth, :arp => arp}
break
when :ip
next if not eth.ethertype == 0x0800
ip = Racket::L3::IPv4.new(eth.payload)
reply = {:raw => r, :eth => eth, :ip => ip}
break
when :udp
ip = Racket::L3::IPv4.new(eth.payload)
next if not ip.protocol == 17
udp = Racket::L4::UDP.new(ip.payload)
reply = {:raw => r, :eth => eth, :ip => ip, :udp => udp, :payload => udp.payload}
break
when :tcp
ip = Racket::L3::IPv4.new(eth.payload)
next if not ip.protocol == 6
tcp = Racket::L4::TCP.new(ip.payload)
reply = {:raw => r, :eth => eth, :ip => ip, :tcp => tcp, :payload => tcp.payload}
break
end
end
end
rescue Timeout::Error
end
end
return reply
end
# This ascertains the correct Ethernet addresses one should use to
# ensure injected IP packets actually get where they are going.
#
# This is done by first generating two packets: First, we try to ARP
# the target IP address. If it's on the local network, this will usually
# elicit a response of [dst_mac, dst_ip] -- see arp, below.
#
# We still need to know our own src_mac, though, since we assume we want
# a response. To do this, we send a UDP trigger packet with a normal
# UDPSocket connect, to either the gateway host (GWHOST), if known, or to
# a random(ish) IP known to be beyond the default gateway. We then listen
# for our own UDP packet (via readreply) -- it need not get a response
# from GWHost or the random fake IP.
#
# Note, if IANA assigns 177/8 in the future, then the default fake-remote
# IP address will have to be changed (unless you don't mind sending them
# probe packets).
#
# Finally, if all of this fails to get an adequate response, a default
# ethernet address pair of ["ff:ff:ff:ff:ff:ff","00:00:00:00:00:00"] will
# be used by the inject_eth function (above). In switched networks, though,
# you should always get a correct pair for a remote address, the same pair
# for an unroutable address (eg, 127.0.0.1), or a correct pair for a local
# addres (if the target responds to ARPs at all).
def lookup_eth(addr=nil)
raise RuntimeError, "Could not access the capture process." if not self.capture
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
eth_pair = [nil,nil] # [dst_mac, src_mac] will go here.
# Try to ARP the real IP first.
arp_result = arp(addr)
dst_host = (datastore['GWHOST'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
eth_pair[0] = arp_result[0] if arp_result.kind_of? Array
dst_port = rand(30000)+1024
secret = "#{Rex::Text.rand_text(rand(0xff)+1)}"
UDPSocket.open.send(secret,0,dst_host,dst_port)
begin
Timeout.timeout(to) do
while(my_packet = readreply(:udp))
if my_packet[:payload] = secret
eth_pair[0] ||= my_packet[:eth].dst_mac
eth_pair[1] = my_packet[:eth].src_mac
return eth_pair
else
next
end
end
end
rescue Timeout::Error
end
end
# A pure-Ruby ARP exchange.
def arp(target_ip=nil)
to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
raise RuntimeError, "Could not access the capture process." if not self.capture
n = Racket::Racket.new
n.l3 = Racket::L3::ARP.new
n.l3.opcode = 1
n.l3.tpa = target_ip || datastore['RHOST']
inject_eth(:eth_type => 0x0806,
:payload => n.pack)
begin
Timeout.timeout(to) do
while (my_packet = readreply(:arp))
if my_packet[:arp].spa == target_ip
return [my_packet[:arp].sha,target_ip]
else
next
end
end
end
rescue Timeout::Error
end
end
attr_accessor :capture
end
end