metasploit-gs/lib/msf/core/exploit/dns/client.rb

# -*- coding: binary -*-
require 'msf/core'
require 'rex/proto/dns'


module Msf

###
#
# This module exposes methods for querying a remote DNS service
#
###
module Exploit::Remote::DNS
module Client

  include Common
  include Exploit::Remote::Udp
  include Exploit::Remote::Tcp

  #
  # Initializes an exploit module that interacts with a DNS server.
  #
  def initialize(info = {})
    super

    deregister_options('RHOST')
    register_options(
      [
        Opt::RPORT(53),
        Opt::Proxies,
        OptString.new('DOMAIN', [ false, "The target domain name"]),
        OptString.new('NS', [ false, "Specify the nameservers to use for queries, space separated" ]),
        OptString.new('SEARCHLIST', [ false, "DNS domain search list, comma separated"]),
        OptInt.new('THREADS', [true, "Number of threads to use in threaded queries", 1])
      ], Exploit::Remote::DNS::Client
    )

    register_advanced_options(
      [
        OptString.new('DnsClientDefaultNS', [ false, "Specify the default to use for queries, space separated", '8.8.8.8 8.8.4.4' ]),   
        OptInt.new('DnsClientRetry', [ false, "Number of times to try to resolve a record if no response is received", 2]),
        OptInt.new('DnsClientRetryInterval', [ false, "Number of seconds to wait before doing a retry", 2]),
        OptBool.new('DnsClientReportARecords', [false, "Add hosts found via BRT and RVL to DB", true]),
        OptBool.new('DnsClientRVLExistingOnly', [false, "Only perform lookups on hosts in DB", true]),
        OptBool.new('DnsClientTcpDns', [false, "Run queries over TCP", false]),
        OptPath.new('DnsClientResolvconf', [true, "Resolvconf formatted configuration file to use for Resolver", "/dev/null"])
      ], Exploit::Remote::DNS::Client
    )

    register_autofilter_ports([ 53 ])
    register_autofilter_services(%W{ dns })
  end


  #
  # Convenience wrapper around Resolver's query method - send DNS request
  #
  # @param domain [String] Domain for which to request a record
  # @param type [String] Type of record to request for domain
  #
  # @return [Net::DNS::RR] DNS response
  def query(domain = datastore['DOMAIN'], type = 'A')
    client.query(domain, type)
  end

  #
  # Performs a set of asynchronous lookups for an array of domain,type pairs
  #
  # @param queries [Array] Set of domain,type pairs to pass into #query
  # @param threadmax [Fixnum] Max number of running threads at a time
  # @param block [Proc] Code block to execute with the query result
  #
  # @return [Array] Resulting set of responses or responses processed by passed blocks
  def query_async(queries = [], threadmax = datastore['THREADS'], &block)
    running = []
    while !queries.empty?
      domain, type = queries.shift
      running << framework.threads.spawn("Module(#{self.refname})-#{domain} #{type}", false) do |qat|
        if block
          block.call(query(domain,type))
        else
          query(domain,type)
        end
      end
      while running.map(:alive?).count >= threadmax
        Rex::ThreadSafe.sleep(1)
      end
    end
    return running.join
  end

  #
  # Switch DNS forwarders in resolver with thread safety
  #
  # @param ns [Array, String] List of (or single) nameservers to use
  def set_nameserver(ns = [])
    if ns.respond_to?(:split)
      ns = [ns]
    end
    @lock.synchronize do
      @dns_resolver.nameserver = ns.flatten
    end
  end

  #
  # Switch nameservers to use explicit NS or SOA for target
  #
  # @param domain [String] Domain for which to find SOA
  def switchdns(domain)
    if not datastore['NS'].blank?
      vprint_status("Using DNS Server: #{client.nameserver.join(', ')}")
      client.nameserver = process_nameservers
    else
      resp_soa = client.query(target, "SOA")
      if (resp_soa)
        (resp_soa.answer.select { |i| i.class == Net::DNS::RR::SOA}).each do |rr|
          resp_1_soa = client.search(rr.mname)
          if (resp_1_soa and resp_1_soa.answer[0])
            set_nameserver(resp_1_soa.answer.map(&:address).compact.map(&:to_s))
            print_status("Set DNS Server to #{target} NS: #{client.nameserver.join(', ')}")
            break
          end
        end
      end
    end
  end

  #
  # Detect if target has wildcards enabled for a record type
  #
  # @param target [String] Domain to test
  # @param type [String] Record type to test
  #
  # @return [String] Address which is returned for wildcard requests
  def wildcard(domain, type = "A")
    addr = false
    rendsub = rand(10000).to_s
    response = query("#{rendsub}.#{target}", type)
    if response.answer.length != 0
      vprint_status("This domain has wildcards enabled!!")
      response.answer.each do |rr|
        print_status("Wildcard IP for #{rendsub}.#{target} is: #{rr.address.to_s}") if rr.class != Net::DNS::RR::CNAME
        addr = rr.address.to_s
      end
    end
    return addr
  end

  #
  # Returns the resolver
  #
  def client
    @dns_resolver
  end

  #
  # Returns the target host
  #
  def rhost
    datastore['RHOST']
  end

  #
  # Returns the remote port
  #
  def rport
    datastore['RPORT']
  end

  #
  # Returns the Host and Port as a string
  #
  def peer
    "#{rhost}:#{rport}"
  end

  #
  # Returns the configured proxy list
  #
  def proxies
    datastore['Proxies']
  end

  #
  # Create and configure Resolver object
  #
  def setup_resolver
    options.validate(datastore) # This is a hack, DS values should not be Strings prior to this
    config = {
      :config_file => datastore['DnsClientResolvconf'],
      :nameservers => process_nameservers,
      :port => datastore['RPORT'],
      :retry_number => datastore['DnsClientRetry'].to_i,
      :retry_interval => datastore['DnsClientRetryInterval'].to_i,
      :use_tcp => datastore['DnsClientTcpDns'],
      :context => {'Msf' => framework, 'MsfExploit' => self}
    }
    if datastore['SEARCHLIST']
      if datastore['SEARCHLIST'].split(',').all? do |search|
        search.match(MATCH_HOSTNAME)
      end
        config[:search_list] = datastore['SEARCHLIST'].split(',')
      else
        raise 'Domain search list must consist of valid domains'
      end
    end
    if datastore['CHOST']
      config[:source_address] = IPAddr.new(datastore['CHOST'].to_s)
    end
    if datastore['CPORT']
      config[:source_port] = datastore['CPORT'] unless datastore['CPORT'] == 0
    end
    if datastore['Proxies']
      vprint_status("Using DNS/TCP resolution for proxy config")
      config[:use_tcp] = true
      config[:proxies] = datastore['Proxies']
    end
    @dns_resolver = Rex::Proto::DNS::Resolver.new(config)
    @dns_resolver_lock = Mutex.new unless @dns_resolver_lock
  end

  #
  # Sets the resolver's nameservers
  # Uses explicitly defined NS option if set
  # Uses RHOSTS if not explicitly defined
  def process_nameservers
    unless datastore['NS'].blank?
      if datastore['NS'].split(/\s|,/).all? do |nameserver|
        Rex::Socket.it_ip_addr?(nameserver)
      end
        return datastore['NS'].split(/\s|,/)
      else
        raise "Nameservers must be proper IP addresses"
      end
    else
      ns = []
      rw = Rex::Socket::RangeWalker.new(datastore['DnsClientDefaultNS'].split(/\s|,/))
      while addr = rw.next_ip
        # break if addr.nil?
        ns << addr
      end
      return ns.compact
    end
  end

end
end
end