Allow retrieval of '*' from stored static entries for spoofing
all domains to any IP using wildcard names. Replace the wildcard
response with the name submitted to the search in the response.
Fix improper checks in DNS::Packet for Resolv objects from decode
to encode.
Misc cleanup for records not responding to :address, convenience
methods, and packet structure.
Advanced options are now camel cased
Use :blank? on datastore options instead of serial checks for :nil?
and :empty?
Rex::Proto::DNS::Server :on_client_data updated to ask the tcp_sock
to close this client if it exists in the rescue clause.
Create Rex::Proto::DNS::Packet and Packet::Raw to allow common
parsing, validation, and raw data operations across both Rex and
Msf namespaces.
The modules contain class methods and do not need to be mixed in
to use their functionality Packet.method is enough, and reduces GC
strain since new objects are not constantly being instantiated, and
these modules contain no internal state.
Clean up UDP socket leak from Rex::Proto::DNS::Server under certain
conditions.
Create Msf::Exploit::DNS::Common mixin to provide descendants with
access to Packet and the hostname Regex.
-----
Testing:
Tested running the RC provided in the pull request
Manual testing in IRB/Pry while porting PoC for CVE-2015-7547
Rex::IO::StreamServer provides consistent methods and accessors
for TcpServer type consumers, but includes logic for client actions
which are not relevant in a datagram context - connect and
disconnect actions, as well as any notion of stateful session
persistence (the clients queue) do not apply in this paradigm.
Implement a Rex::IO::GramServer mixin which provides common methods
for dispatching requests and sending responses. Defines the same
callback structure for procs as used in the StreamServer, though
utilizing dispatch_request_proc and send_response_proc with client
and data parameters for efficient interception of execution flow
when dealing with stateless comms.
Rewire Rex::Proto::DNS server to use instance variables along the
same convention as other modules, implement the GramServer mixin,
and minor misc cleanup.
-----
Change calling conventions in Rex::Proto::DNS::Server to match
other components.
Clean up the Msf::Exploit::DNS namespace with generic server
interfaces.
Fix the advanged options naming convention - as hdm pointed out,
evasion options use the '::' separator, advanced options use "_".
-----
Testing:
Basic functional tests in Pry for now.
Exploit::Remote::TcpServer contains functionality required by the
hybrid Udp/Tcp Exploit::Remote::DNS::Server. In order to avoid
having to maintain a set of compatible methods across the transport
implementations, create a new mixin "above" the TcpServer to handle
common socket operations - Exploit::Remote::SocketServer.
Copy Exploit::Remote::TcpServer to Exploit::Remote::SocketServer.
Remove common code from Exploit::Remote::TcpServer, remove TCP/SSL
specific code from Exploit::Remote::SocketServer. Require and
include Exploit::Remote::SocketServer in Exploit::Remote::TcpServer
Testing:
Basic testing using the telnet capture server which utilzies the
modified Exploit::Remote::TcpServer mixin:
```
use auxiliary/server/capture/telnet
(2016-02-28)15:23 (S:0 J:0)msf auxiliary(telnet) > exploit
[*] Auxiliary module execution completed
(2016-02-28)15:23 (S:0 J:1)msf auxiliary(telnet) >
[*] [2016.02.28-15:23:39] Listening on 0.0.0.0:23...
[*] [2016.02.28-15:23:39] Server started.
[*] [2016.02.28-15:23:48] TELNET LOGIN 127.0.0.1:60408 jack / jill
Interrupt: use the 'exit' command to quit
```
The add_static_hosts method used old interfaces and had not been
tested prior.
Address the interfaces, functionally check the logic, and add the
method into start_service to automatically process the static
hosts entries set in the DS.
Built atop the Rex::Proto::DNS work to implement mixins for client
and server functionality, providing common interfaces for querying
domain name servers, and providing domain name services to clients
across Rex sockets. Fully functional native DNS server module is
included to demonstrate functionality, serve as a spoofing DNS
server, a collecting proxy, or any other number of DNS functions.
-----
At the core of this work is a Rex::Proto::DNS::Resolver object
descended from Net::DNS::Resolver with overrides and alterations
for using Rex sockets. The sockets implementation has been in use
internally for a number of years and is well tested. Changes have
been made to provider better interface for higher level components.
The resolver provides forward lookup capability for the server
(Rex::Proto::DNS::Server) which also implements a self-pruning
Cache subclass capable of holding static entries. The server can
operate in TCP or UDP mode, and provides a common abstraction for
addressing TCP and UDP clients by passing a Rex::Socket::Udp
mock client around with the data object to higher level consumers.
Finally, as is standard practice when building full service objects
from Rex to Msf, the server allows consumers to efficiently take
execution control at the request and response handlers by passing
Procs into the constructor (or manually assigning at runtime) for
execution instead of the default call chain.
The service, lookup, and caching functionality is encapsulated and
stands on its own to be used by consumers other than the standard
Msf::Exploit::Remote namespaces. It is intended to serve as the
driver and transport handler for pending DNS tunnel transports,
and can be used by exploit and auxiliary modules directly.
-----
The Msf::Exploit::Remote namespace receives DNS, DNS::Client, and
DNS::Server mixins providing common interfaces for Rex::Proto::DNS
objects. These mixins create convenience methods for executing
queries, serving requests, and configuring the Rex providers.
DNS::Client mixin attempts to "intelligently" configure the client
resolver's name servers and options from the data store. Accessor,
query, and configuration methods are provided in this mixin. Of
note are the wildcard and switchdns methods which were adapted
from prior work by others (likely Carlos Perez) which can be used
by numerous consumer modules. Consumers should use setup_client
during their run call to ensure the resolver is appropriately
configured.
DNS::Server mixin creates common service wrappers for modules to
utilize along with a configuration mechanism analagous to the
one used by the Client mixin, called setup_server, and calling
the setup_client method if present. Note that when setup_server
is called, the consumer does not need to call setup_resolver.
------
At the framework module level, a native dns server is provided
to showcase the mixin functionality and provide everything from
normal DNS services, to tunneling proxies (with cache disabled),
spoofing services, and MITM functionality via the handler Procs
for requests and responses.
Use auxiliary/server/dns/native_server to get started.
-----
Testing:
Basic local testing completed.
Needs to be checked for info leaks - we used to leak a lot.
Needs to be checked for functionality under varying configs.
Notes:
We have a serious problem with the datastore somewhere in the
Msf namespace. Datastore options must be validated with
options.validate(datastore) or they are all Strings, which
completely destroys any type-dependent logic consuming
datastore values. This must be addressed separately and all
calls to options.validate(datastore) should be removed (other
work has included such calls as well, this just proved that
the problem exists upstream).
Future work:
Implement sessions transports atop the DNS infrastructure in
order to provide native DNS tunneling.
Present convenience interfaces in Msf::Exploit::Powershell ns for
decoding and decompressing PSH strings built with Rex::Powershell
or compatible implementations.
the fallback to the original default was failing because
it was assuming rhost was already set, so it would always
go back to the first default target. now the auto_target? method
only returns true if can pull an auto_target_host
if the module authour added an automatic target
we skip our routine, to let the module's own automatic targeting
take over as it likely be better
MS-2325
targets now filtered by OS name, but a little
more processing may be needed on this part because
it looks like what you'd expect in os_flavor gets jammed
into name instead
MS-2325
RageLtMan