adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2056ff6899438627c4acb61bfab8b79ec0014dc3
metasploit-gs/lib/msf/core/exploit/capture.rb
T
Matt Buck 2056ff6899 Merge master 
Squashed commit of the following:

commit 1dcad7c21b
Merge: 1a2f35d 35d29f5
Author: OJ <oj@buffered.io>
Date:   Thu Mar 19 14:43:27 2015 +1000

    Land #4953 : Updated POSIX meterpreter binaries

commit 35d29f5d08
Author: Brent Cook <bcook@rapid7.com>
Date:   Wed Mar 18 22:57:03 2015 -0500

    update linux meterpreter bins

commit 1a2f35d806
Merge: 076f15f 346b1d5
Author: OJ <oj@buffered.io>
Date:   Thu Mar 19 12:41:20 2015 +1000

    Land #4951: Dynamic URI generation for Java/Python reverse_http(s)

commit 076f15f933
Merge: b33e7f4 3f8ed56
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date:   Wed Mar 18 20:59:54 2015 -0400

    Land #4792 @jakxx Publish It PUI file exploit

commit 3f8ed56a9a
Author: Spencer McIntyre <zeroSteiner@gmail.com>
Date:   Wed Mar 18 20:57:58 2015 -0400

    Add available space to the payload info

commit b33e7f477c
Merge: 0d1f205 5dd718e
Author: joev <joev@metasploit.com>
Date:   Wed Mar 18 17:17:34 2015 -0500

    Land #4947, h0ng10's TWiki exploit.

commit 346b1d539f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 16:24:01 2015 -0500

    Revert Java back to static size for cache purposes (less cpu usage on startup)

commit 33bbf7cb7e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 16:08:11 2015 -0500

    Dynamic URI generation for python/java http(s) stagers

commit 0d1f2055c5
Merge: e943cb5 dab4333
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 15:31:22 2015 -0500

    Lands #4949 which fixes #4845

commit dab4333867
Author: rwhitcroft <rw81junk@gmail.com>
Date:   Wed Mar 18 16:07:46 2015 -0400

    updated asm in block

commit 7ae97393e0
Author: rwhitcroft <rw81junk@gmail.com>
Date:   Wed Mar 18 15:34:31 2015 -0400

    fix x64/reverse_https stager shellcode

commit e943cb550f
Merge: d152c41 d1a2f58
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 22:34:52 2015 +1000

    Land #4585 : CVE-2015-0975 XXE in OpenNMS

commit d1a2f58303
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 22:17:44 2015 +1000

    Fix of regex for file capture and format tweaks

commit 5dd718e4fa
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date:   Wed Mar 18 09:51:51 2015 +0100

    Better description

commit 00de437918
Author: Hans-Martin Münch (h0ng10) <muench@mogwaisecurity.de>
Date:   Wed Mar 18 09:45:08 2015 +0100

    Initial commit

commit fa7242388b
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 18:18:54 2015 +1000

    Move the module to the correct location

commit d152c41826
Merge: b46e5f8 b62da42
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 17:42:19 2015 +1000

    Land #4934 : Proxy and auth support in reverse_http(s)

commit b62da42927
Merge: c607cf7 b46e5f8
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:51:15 2015 -0500

    Merge branch 'master' into feature/add-proxies-to-wininet

commit b46e5f8d13
Merge: bd4738b 97def50
Author: OJ <oj@buffered.io>
Date:   Wed Mar 18 16:49:13 2015 +1000

    Land #4295 : Refactory proxy-enabled payload handling

commit c607cf7b11
Merge: 0513852 bd4738b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:45:44 2015 -0500

    Merging master

commit 97def50cc2
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:26:59 2015 -0500

    Whitespace cleanup

commit 8d3cb8bde5
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:25:42 2015 -0500

    Fix up meterpreter patching arguments and names

commit ef443c83b9
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:21:53 2015 -0500

    Fix overgreed search/replace

commit 390a704cc7
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:19:05 2015 -0500

    Cleanup proxyhost/proxyport arguments to match new names

commit f7a06d8e44
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:15:32 2015 -0500

    Rework PROXY_{HOST|PORT|TYPE|USERNAME|PASSWORD) to the new syntax

commit 3aa8cb69a4
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:08:09 2015 -0500

    Fix two use cases of PROXYHOST/PROXYPORT

commit 87a489907c
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Dec 15 14:48:09 2014 -0600

    Place an IPv6 proxy IP between brackets

commit 259db269bd
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 15:36:14 2014 -0600

    Remove user/pass and invalid class from the options

commit 2ab14e7e79
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 01:01:10 2015 -0500

    Adds IPv6 and option-related issues with the previous patch

commit 0601946830
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 13:29:39 2014 -0600

    Don't mandate and default PROXY_HOST (miscopy from the proxy stager)

commit a4df6d539f
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 00:59:59 2015 -0500

    Cleanup proxy handling code (consistency & bugs)

    One subtle bug was that each time a request was received, a null byte was being appended to the datastore options for PROXY_USERNAME and PROXY_PASSWORD. Eventually this would break new sessions. This change centralizes the proxy configuration and cleans up the logic.

commit 85fb534e63
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 12:57:30 2014 -0600

    Fix up the offset detection again, cleanup redundant code

commit 2f13988d7b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Tue Dec 2 12:33:53 2014 -0600

    Use OptPort vs OptInt and cleanup the description

commit a01be365b0
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 18 00:59:13 2015 -0500

    Rework PROXYHOST/PROXYPORT to PROXY_HOST/PROXY_PORT

    This also cleans up the windows reverse_https_proxy stager.

commit b197b7aaf0
Author: jakxx <jakx.ppr@gmail.com>
Date:   Tue Mar 17 19:24:13 2015 -0400

    Additional Updates

    -Removed unused mixin
    -Cleaned up Module name
    -Cleaned up author name

commit bd4738b93e
Merge: 47a7f99a d7fa0ec
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 17 17:37:55 2015 -0500

    Land #4827, capture and nbns fixups

commit d7fa0ec669
Author: James Lee <egypt@metasploit.com>
Date:   Tue Mar 17 17:36:45 2015 -0500

    Let IPAddr#hton do the calculating

commit 47a7f99aae
Merge: d1d6378 5fd3637
Author: Brent Cook <bcook@rapid7.com>
Date:   Tue Mar 17 16:22:46 2015 -0500

    Land #4930, @hmoore-r7 winhttp stager certificate check

commit 085e6cc815
Author: jakxx <jakx.ppr@gmail.com>
Date:   Tue Mar 17 16:39:56 2015 -0400

    Implemented Recommended Changes

    -corrected spelling error
    -set only option to required
    -dumped header data to included file
    -Used Rex for jmp values

commit 0490af8ba8
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:20:22 2015 -0400

    Added error checks, randomness, and uuid delimeter

commit f3fc4003d0
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:19:40 2015 -0400

    typo

commit b92d243c0e
Merge: e0a7f53 766a07a
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:18:32 2015 -0400

    Merge branch 'module-cve-2015-0975' of https://github.com/jstnkndy/metasploit-framework into module-cve-2015-0975

commit e0a7f531cc
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Mar 17 10:10:51 2015 -0400

    Added error checking, randomness, uuid delimiters

commit 2ea984423b
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 14:08:01 2015 -0500

    while(true)->loop, use thread.join

commit 5fd3637d34
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 14:00:51 2015 -0500

    Remove the i32 size specifier (not needed)

commit 69d9280748
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 13:52:13 2015 -0500

    Fix yard docs, retries, push.i8 instructions. See commit 05138524e3

    Note that StagerRetryCount is not defined here, but will be in the parent class once #4934 lands

commit 05138524e3
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 13:35:36 2015 -0500

    Fix yard docs, fix retries, trim bytes, retested and working

commit 69a808b744
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 12:14:42 2015 -0500

    StagerProxy -> PayloadProxy

commit f361e4ee52
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 00:22:10 2015 -0500

    Prefer the new-style proxy datastore options when available

commit 7e89281485
Author: HD Moore <hd_moore@rapid7.com>
Date:   Mon Mar 16 00:03:31 2015 -0500

    Adds proxy (with authentication) support to reverse_http(s)

commit 8e37342c50
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 16:52:04 2015 -0500

    Comment typo

commit 0d12ca49a7
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 16:19:13 2015 -0500

    Work around lack of option normalization during size calculation

commit 03019cf451
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 15:53:21 2015 -0500

    Adds StagerVerifySSLCert support (SHA1 of HandlerSSLCert)

commit 11593800b6
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sat Mar 14 15:52:23 2015 -0500

    Move X509 PEM parsing into Rex::Parser::X509Certificate

commit 1001061a96
Author: HD Moore <hd_moore@rapid7.com>
Date:   Wed Mar 4 18:52:18 2015 -0600

    Initialize @capture_count

commit 1b1716bcf6
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 22:01:01 2015 -0600

    Fix a handful of bugs that broke this modules. Fixes #4799

commit 9730a1655e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 22:00:42 2015 -0600

    Small cleanups to the LLMR responder module

commit bdd5276524
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 21:53:47 2015 -0600

    This fixes a number of issues with the Capture mixin

     * The use of www.metasploit.com in a datastore option results in a DNS lookup (infoleak). Switch to 8.8.8.8 (TTL=1)
     * The hackey code around #each_packet is no longer necessary in newer Ruby versions
     * The arp()/probe_gateway() calls to inject_reply() had broken logic leading to early exit and missed replies
     * The arp() function now tries up to three times to get a reply (helpful with lossy L2)
     * GC.start is extraneous and should be removed
     * Increased timeouts

commit 615d71de6e
Author: HD Moore <hd_moore@rapid7.com>
Date:   Sun Feb 22 21:51:33 2015 -0600

    Remove extraneous calls to GC.start()

commit 44a7e7e4bc
Author: jakxx <jakx.ppr@gmail.com>
Date:   Wed Feb 18 13:22:54 2015 -0500

    publish-it fileformat exploit

commit 766a07a904
Author: jstnkndy <jstnkndy@gmail.com>
Date:   Tue Jan 13 22:08:08 2015 -0500

    Add CVE-2015-0975 XXE for OpenNMS <= 14.0.2
2015-03-19 10:47:33 -05:00

570 lines
20 KiB
Ruby
Raw Blame History

# -*- coding: binary -*-
module Msf
###
#
# This module provides methods for sending and receiving
# raw packets. It should be preferred over the soon-to-be
# deprecated Rex::Socket::Ip and Msf::Exploite::Remote::Ip
# mixins.
#
# Please see the pcaprub documentation for more information
# on how to use capture objects.
#
###
class Exploit
module Capture
#
# Initializes an instance of an exploit module that captures traffic
#
def initialize(info = {})
super
register_options(
[
OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
OptString.new('INTERFACE', [false, 'The name of the interface']),
OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),
Opt::RHOST
], Msf::Exploit::Capture
)
register_advanced_options(
[
OptInt.new('SECRET', [true, 'A 32-bit cookie for probe requests.', 'MSF!'.unpack('N').first]),
OptAddress.new('GATEWAY_PROBE_HOST',
[
true,
'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
'8.8.8.8']),
OptPort.new('GATEWAY_PROBE_PORT',
[
false,
'The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)'])
], Msf::Exploit::Capture
)
require 'packetfu'
begin
require 'pcaprub'
@pcaprub_loaded = true
rescue ::LoadError => e
@pcaprub_loaded = false
@pcaprub_error = e
end
begin
require 'network_interface'
@network_interface_loaded = true
rescue ::LoadError => e
@network_interface_loaded = false
@network_interface_error = e
end
end
def stats_recv(pcap=self.capture)
return(0) unless pcap
pcap.stats['recv']
end
def stats_drop(pcap=self.capture)
return(0) unless pcap
pcap.stats['drop']
end
def stats_ifdrop(pcap=self.capture)
return(0) unless pcap
pcap.stats['ifdrop']
end
#
# Opens a handle to the specified device
#
def open_pcap(opts={})
check_pcaprub_loaded
if RUBY_PLATFORM == "i386-mingw32"
if opts['INTERFACE'] or datastore['INTERFACE']
dev = opts['INTERFACE'] || datastore['INTERFACE']
if is_interface?(dev)
dev = get_interface_guid(dev)
end
end
else
dev = opts['INTERFACE'] || datastore['INTERFACE'] || nil
end
len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
fil = opts['FILTER'] || datastore['FILTER']
do_arp = (opts['ARPCAP'] == false) ? false : true
# Look for a PCAP file
cap = datastore['PCAPFILE'] || ''
if (not cap.empty?)
if (not File.exists?(cap))
raise RuntimeError, "The PCAP file #{cap} could not be found"
end
self.capture = ::Pcap.open_offline(cap)
else
dev ||= ::Pcap.lookupdev
unless RUBY_PLATFORM == "i386-mingw32"
system("ifconfig", dev, "up")
end
self.capture = ::Pcap.open_live(dev, len, true, tim)
if do_arp
self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
preamble = datastore['SECRET'].to_i
arp_filter = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
self.arp_capture.setfilter(arp_filter)
end
end
if (not self.capture)
raise RuntimeError, "Could not start the capture process"
elsif (do_arp and !self.arp_capture and cap.empty?)
raise RuntimeError, "Could not start the ARP capture process"
end
self.capture.setfilter(fil) if fil
end
def close_pcap
return unless self.capture
self.capture = nil
self.arp_capture = nil
end
def capture_extract_ies(raw)
set = {}
idx = 0
len = 0
while (idx < raw.length)
len = raw[idx+1]
return set unless len
set[raw[idx]] ||= []
set[raw[idx]].push(raw[idx + 2, len])
idx += len + 2
end
return set
end
#
# Loop through each packet
#
def each_packet
return unless capture
@capture_count ||= 0
capture.each do |pkt|
yield(pkt)
@capture_count += 1
end
@capture_count
end
# Injects a packet on the wire. For all injection-related functions, it's
# on the module to open up a capture device first (this way, we don't
# needlessly spawn new capture devices).
def inject(pkt="", pcap=self.capture)
check_pcaprub_loaded
if not pcap
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
else
pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string
end
end
# Injects an Ethernet packet with an optional payload. The payload
# may be a regular PacketFu packet, an EthHeader, or a string.
def inject_eth(args={})
eth_daddr = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
eth_saddr = args[:eth_saddr] || "00:00:00:00:00:00"
eth_type = args[:eth_type] || 0x0800 # IP default
payload = args[:payload]
pcap = args[:pcap] || self.capture
p = PacketFu::EthPacket.new
p.eth_daddr = eth_daddr
p.eth_saddr = eth_saddr
p.eth_proto = eth_type
if payload
if payload.kind_of? PacketFu::EthPacket
p.payload = payload.eth_header.body
elsif payload.kind_of? PacketFu::EthHeader
p.payload = payload.body
else
p.payload = payload.to_s
end
end
inject p.to_s, pcap
end
def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
check_pcaprub_loaded
unless pcap
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
end
if (not File.exists?(pcap_file))
raise RuntimeError, "The PCAP file #{pcap_file} could not be found"
end
if (pcap_file.empty?)
raise RuntimeError, "The PCAP file #{pcap_file} is empty"
end
capture_file = ::Pcap.open_offline(pcap_file)
capture_file.setfilter(filter) if filter
while (pkt = capture_file.next) do
pcap.inject(pkt)
Rex.sleep((delay * 1.0)/1000)
end
end
# capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
# a payload and a destination address. To send to the broadcast address, set bcast
# to true (this will guarantee that packets will be sent even if ARP doesn't work
# out).
def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
raise RuntimeError, "Must specify a host to sendto" unless dhost
dev ||= datastore['INTERFACE']
dst_mac, src_mac = lookup_eth(dhost, dev)
if dst_mac == nil and not bcast
return false
end
inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)
end
# The return value either be a PacketFu::Packet object, or nil
def inject_reply(proto=:udp, pcap=self.capture)
# Defaults to ~2 seconds
to = (datastore['TIMEOUT'] * 4) / 1000.0
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" if not pcap
begin
::Timeout.timeout(to) do
pcap.each do |r|
packet = PacketFu::Packet.parse(r)
next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
return packet
end
end
rescue ::Timeout::Error
end
nil
end
# This ascertains the correct Ethernet addresses one should use to
# ensure injected IP packets actually get where they are going, and
# manages the self.arp_cache hash. It always uses self.arp_capture
# to inject and capture packets, and will always first fire off a
# UDP packet using the regular socket to learn the source host's
# and gateway's mac addresses.
def lookup_eth(addr=nil, iface=nil)
raise RuntimeError, "Could not access the capture process." unless self.arp_capture
self.arp_cache ||= {}
self.dst_cache ||= {}
return self.dst_cache[addr] if self.dst_cache[addr]
if !self.arp_cache[Rex::Socket.source_address(addr)]
probe_gateway(addr)
end
src_mac = self.arp_cache[Rex::Socket.source_address(addr)]
if should_arp?(addr)
dst_mac = self.arp_cache[addr] || arp(addr)
else
dst_mac = self.arp_cache[:gateway]
end
self.dst_cache[addr] = [dst_mac, src_mac]
end
def probe_gateway(addr)
dst_host = datastore['GATEWAY_PROBE_HOST']
dst_port = datastore['GATEWAY_PROBE_PORT'] == 0 ? rand(30000) + 1024 : datastore['GATEWAY_PROBE_PORT']
preamble = [datastore['SECRET']].pack("N")
secret = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
begin
UDPSocket.open do |sock|
sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_TTL, 1)
sock.send(secret, 0, dst_host, dst_port)
end
rescue Errno::ENETUNREACH
# This happens on networks with no gateway. We'll need to use a
# fake source hardware address.
self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
end
begin
to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do
loop do
my_packet = inject_reply(:udp, self.arp_capture)
next unless my_packet
next unless my_packet.payload == secret
dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
return [dst_mac, src_mac]
end
end
rescue ::Timeout::Error
# Well, that didn't work (this is common on networks where there's no gateway, like
# VMWare network interfaces. We'll need to use a fake source hardware address.
self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
end
end
# A pure-Ruby ARP exchange. It uses self.arp_capture to send and recv
# packets, rather than self.capture.
def arp(target_ip=nil)
return self.arp_cache[target_ip] if self.arp_cache[target_ip]
return self.arp_cache[:gateway] unless should_arp? target_ip
source_ip = Rex::Socket.source_address(target_ip)
raise RuntimeError, "Could not access the capture process." unless self.arp_capture
p = arp_packet(target_ip, source_ip)
# Try up to 3 times to get an ARP response
1.upto(3) do
inject_eth(:eth_type => 0x0806,
:payload => p,
:pcap => self.arp_capture,
:eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
)
begin
to = ((datastore['TIMEOUT'] || 500).to_f * 8) / 1000.0
::Timeout.timeout(to) do
loop do
my_packet = inject_reply(:arp, self.arp_capture)
next unless my_packet
next unless my_packet.arp_saddr_ip == target_ip
self.arp_cache[target_ip] = my_packet.eth_saddr
return self.arp_cache[target_ip]
end
end
rescue ::Timeout::Error
end
end
nil
end
# Creates a full ARP packet, mainly for use with inject_eth()
def arp_packet(target_ip=nil, source_ip=nil)
p = PacketFu::ARPPacket.new
p.arp_opcode = 1
p.arp_daddr_ip = target_ip || datastore['RHOST']
p.arp_saddr_ip = source_ip || datastore['LHOST']
my_eth = self.arp_cache[Rex::Socket.source_address(target_ip)]
p.arp_saddr_mac = my_eth || "00:00:00:00:00:00"
return p
end
# Allow modules to reset their arp caches arbitrarily.
def expire_arpcache
self.arp_cache = {}
end
# For compatabilty with Msf::Exploit::Remote::Ip
def rhost
datastore['RHOST']
end
def check_pcaprub_loaded
if not @pcaprub_loaded
print_status("The Pcaprub module is not available: #{@pcaprub_error}")
raise RuntimeError, "Pcaprub not available"
elsif not @network_interface_loaded
print_status("The NetworkInterface module is not available: #{@network_interface_error}")
raise RuntimeError, "NetworkInterface not available"
else
true
end
end
def lookupnet
check_pcaprub_loaded
dev = datastore['INTERFACE'] || ::Pcap.lookupdev
begin
my_ip, my_mask = Pcap.lookupnet(dev)
# convert the netmask obtained from the relevant interface to CIDR
cidr_mask = my_mask.to_s(2).count('1')
my_net = IPAddr.new("#{my_ip}/#{cidr_mask}")
rescue RuntimeError => e
@pcaprub_error = e
print_status("Cannot stat device: #{@pcaprub_error}")
raise RuntimeError, "Pcaprub error: #{@pcaprub_error}"
end
return my_net
end
def should_arp?(ip)
lookupnet.include?(IPAddr.new(ip))
end
attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache
# Netifaces code
def netifaces_implemented?
@network_interface_loaded and
NetworkInterface.respond_to?(:interfaces) and
NetworkInterface.respond_to?(:addresses)
end
def list_interfaces
check_pcaprub_loaded
NetworkInterface.interfaces
end
def is_interface?(dev)
check_pcaprub_loaded
if RUBY_PLATFORM == "i386-mingw32"
if dev =~ /\\Device\\NPF_\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}/
return NetworkInterface.interfaces.include?(dev)
elsif dev.to_s =~ /^[0-9]{1,2}$/
if (dev.to_i <= NetworkInterface.interfaces.length) and (dev.to_i >= 0)
return true
else
return false
end
else
return false
end
else
return NetworkInterface.interfaces.include?(dev)
end
end
# This function is usefull only on windows where pcaprub use the GUID
def get_interface_guid(dev)
check_pcaprub_loaded
if RUBY_PLATFORM == "i386-mingw32"
if dev.to_s =~ /^[0-9]{1,2}$/
if is_interface?(dev)
NetworkInterface.interfaces[(dev.to_i) - 1]
else
return dev
end
else
return dev
end
else #Non windows
return dev
end
end
def get_mac(dev)
check_pcaprub_loaded
dev = get_interface_guid(dev)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} does not exist" if !addrs
raise RuntimeError, "Can not get mac address for interface #{dev}" if !addrs[NetworkInterface::AF_LINK][0]['addr']
addrs[NetworkInterface::AF_LINK][0]['addr']
end
def get_ipv4_addr_count(dev)
check_pcaprub_loaded
dev = get_interface_guid(dev)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} does not exist" if !addrs
addrs[NetworkInterface::AF_INET].length
end
def get_ipv4_addr(dev, num=0)
check_pcaprub_loaded
dev = get_interface_guid(dev)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} does not exist" if !addrs
raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
raise RuntimeError, "Can not get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']
addrs[NetworkInterface::AF_INET][num]['addr']
end
def get_ipv4_netmask(dev, num=0)
check_pcaprub_loaded
dev = get_interface_guid(dev)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} does not exist" if !addrs
raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
raise RuntimeError, "Can not get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']
addrs[NetworkInterface::AF_INET][num]['netmask']
end
def get_ipv4_broadcast(dev, num=0)
check_pcaprub_loaded
dev = get_interface_guid(dev)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} do not exists" if !addrs
raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
raise RuntimeError, "Can not get IPv4 broadcast address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['broadcast']
addrs[NetworkInterface::AF_INET][num]['broadcast']
end
def get_ipv6_addr_count(dev)
check_pcaprub_loaded
dev = get_interface_guid(dev)
raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} do not exists" if !addrs
addrs[NetworkInterface::AF_INET6].length
end
# NOTE: IPv6 is not implemented on Windows
def get_ipv6_addr(dev, num=0)
check_pcaprub_loaded
dev = get_interface_guid(dev)
raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} do not exists" if !addrs
raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
raise RuntimeError, "Can not get ipv6 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['addr']
addrs[NetworkInterface::AF_INET6][num]['addr'].gsub(/%(.)*$/, '')
end
def get_ipv6_netmask(dev, num=0)
check_pcaprub_loaded
dev = get_interface_guid(dev)
raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
addrs = NetworkInterface.addresses(dev)
raise RuntimeError, "Interface #{dev} do not exists" if !addrs
raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
raise RuntimeError, "Can not get ipv6 netmask address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['netmask']
addrs[NetworkInterface::AF_INET6][num]['netmask']
end
# Protocol-specific encoding/decoding methods until more
# application protos get into PacketFu proper
# Intended to be used as the payload to an ICMP echo request's payload
def capture_icmp_echo_pack(id=nil, seq=nil, payload=nil)
id ||= rand(0x10000)
seq ||= rand(0x10000)
[id, seq, payload.to_s].pack("nna*")
end
# Decodes and ICMP echo request or response.
def capture_icmp_echo_unpack(data)
data.unpack("nna*")
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink