From ecf286a8c455c832f1b0c66965cd0c3fcaaea167 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Thu, 3 Oct 2013 10:31:54 -0400
Subject: [PATCH 1/4] Add support for stdapi_net_resolve_host.

---
 data/meterpreter/ext_server_stdapi.py | 57 +++++++++++++++++++++++++++
 data/meterpreter/meterpreter.py       | 20 +++++++++-
 2 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index 98b1c235d0..1ce23044fc 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
 TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
 TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
 TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
+TLV_TYPE_ROUTE_METRIC =        TLV_META_TYPE_UINT    | 1443
+TLV_TYPE_ADDR_TYPE =           TLV_META_TYPE_UINT    | 1444
 
 # Socket
 TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
@@ -273,6 +275,9 @@ ERROR_FAILURE = 1
 # errors.
 ERROR_CONNECTION_ERROR = 10000
 
+WIN_AF_INET  = 2
+WIN_AF_INET6 = 23
+
 def get_stat_buffer(path):
 	si = os.stat(path)
 	rdev = 0
@@ -290,6 +295,27 @@ def get_stat_buffer(path):
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
+def inet_pton(family, address):
+	if hasattr(socket, 'inet_pton'):
+		return socket.inet_pton(family, address)
+	elif has_windll:
+		WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
+		lpAddress = (ctypes.c_ubyte * 28)()
+		lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
+		if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
+			raise Exception('WSAStringToAddress failed')
+		if family == socket.AF_INET:
+			return ''.join(map(chr, lpAddress[4:8]))
+		elif family == socket.AF_INET6:
+			return ''.join(map(chr, lpAddress[8:24]))
+	raise Exception('no suitable inet_pton functionality is available')
+
+def resolve_host(hostname, family):
+	address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
+	family = address_info[0]
+	address = address_info[4][0]
+	return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
+
 def windll_GetNativeSystemInfo():
 	if not has_windll:
 		return None
@@ -687,6 +713,37 @@ def stdapi_fs_stat(request, response):
 	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function
+def stdapi_net_resolve_host(request, response):
+	hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	result = resolve_host(hostname, family)
+	response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+	response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_resolve_hosts(request, response):
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
+		hostname = hostname['value']
+		result = resolve_host(hostname, family)
+		response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+		response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_net_socket_tcp_shutdown(request, response):
 	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 59bd457271..211d9f94c3 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
 		offset += tlv[0]
 	return {}
 
+def packet_enum_tlvs(pkt, tlv_type = None):
+	offset = 0
+	while (offset < len(pkt)):
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
+		if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+				val = val.split('\x00', 1)[0]
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+				val = bool(struct.unpack('b', val)[0])
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+				pass
+			yield {'type':tlv[1], 'length':tlv[0], 'value':val}
+		offset += tlv[0]
+	raise StopIteration()
+
 def tlv_pack(*args):
 	if len(args) == 2:
 		tlv = {'type':args[0], 'value':args[1]}
@@ -271,7 +289,7 @@ class PythonMeterpreter(object):
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
 		preloadlib_methods = self.extension_functions.keys()
-		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
 		postloadlib_methods = self.extension_functions.keys()
 		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)

From 7414dff9583e5f6049e90bc5a7b4a9d7b1f14df3 Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Fri, 4 Oct 2013 08:51:13 -0400
Subject: [PATCH 2/4] Add fault tolerance for resolve_hosts.

---
 data/meterpreter/ext_server_stdapi.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index 1ce23044fc..b0b02b86e6 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -739,7 +739,10 @@ def stdapi_net_resolve_hosts(request, response):
 		raise Exception('invalid family')
 	for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
 		hostname = hostname['value']
-		result = resolve_host(hostname, family)
+		try:
+			result = resolve_host(hostname, family)
+		except socket.error:
+			result = {'family':family, 'packed_address':''}
 		response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
 		response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
 	return ERROR_SUCCESS, response

From 6c382c8eb79a7cc55fcde33d50486c19ade68fde Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 9 Oct 2013 16:52:53 -0400
Subject: [PATCH 3/4] Return nil on error, and move the module to post/multi.

---
 .../extensions/stdapi/net/resolve.rb          |  4 +-
 modules/post/multi/gather/resolve_hosts.rb    | 67 +++++++++++++++++++
 modules/post/windows/gather/resolve_hosts.rb  | 10 ++-
 3 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 modules/post/multi/gather/resolve_hosts.rb

diff --git a/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb b/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb
index 832c607b0c..0a212fa22f 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/net/resolve.rb
@@ -48,7 +48,7 @@ class Resolve
   def resolve_hosts(hostnames, family=AF_INET)
     request = Packet.create_request('stdapi_net_resolve_hosts')
     request.add_tlv(TLV_TYPE_ADDR_TYPE, family)
-    
+
     hostnames.each do |hostname|
       request.add_tlv(TLV_TYPE_HOST_NAME, hostname)
     end
@@ -84,7 +84,7 @@ class Resolve
     end
 
     if raw.empty?
-      ip = ""
+      ip = nil
     else
       if type == AF_INET
         ip = Rex::Socket.addr_ntoa(raw[0..3])
diff --git a/modules/post/multi/gather/resolve_hosts.rb b/modules/post/multi/gather/resolve_hosts.rb
new file mode 100644
index 0000000000..076acee24f
--- /dev/null
+++ b/modules/post/multi/gather/resolve_hosts.rb
@@ -0,0 +1,67 @@
+#
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Post
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Windows Resolve Hosts',
+      'Description'   => %q{
+        Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
+      'Platform'      => %w{ win python },
+      'SessionTypes'  => [ 'meterpreter' ]
+    ))
+
+      register_options([
+        OptString.new('HOSTNAMES', [true, 'Comma seperated list of hostnames to resolve.']),
+        OptEnum.new('AI_FAMILY', [true, 'Address Family', 'IPv4', ['IPv4', 'IPv6'] ])
+      ], self.class)
+  end
+
+  def run
+    hosts = datastore['HOSTNAMES'].split(',')
+
+    if datastore['AI_FAMILY'] == 'IPv4'
+      family = AF_INET
+    else
+      family = AF_INET6
+    end
+
+    # Clear whitespace
+    hosts.collect{|x| x.strip!}
+
+    print_status("Attempting to resolve '#{hosts.join(', ')}' on #{sysinfo['Computer']}") if not sysinfo.nil?
+
+    response = client.net.resolve.resolve_hosts(hosts, family)
+
+    table = Rex::Ui::Text::Table.new(
+      'Indent' => 0,
+      'SortIndex' => -1,
+      'Columns' =>
+      [
+        'Hostname',
+        'IP',
+      ]
+    )
+
+    response.each do |result|
+      if result[:ip].nil?
+        table << [result[:hostname], '[Failed To Resolve]']
+      else
+        table << [result[:hostname], result[:ip]]
+      end
+    end
+
+    table.print
+  end
+end
diff --git a/modules/post/windows/gather/resolve_hosts.rb b/modules/post/windows/gather/resolve_hosts.rb
index 55c2cda5e4..40a557fabd 100644
--- a/modules/post/windows/gather/resolve_hosts.rb
+++ b/modules/post/windows/gather/resolve_hosts.rb
@@ -10,6 +10,10 @@ require 'rex'
 
 class Metasploit3 < Msf::Post
 
+  require 'msf/core/module/deprecated'
+  include Msf::Module::Deprecated
+  deprecated Date.new(2013, 12, 9), 'post/multi/gather/resolve_hosts'
+
   def initialize(info={})
     super( update_info( info,
       'Name'          => 'Windows Resolve Hosts',
@@ -55,7 +59,11 @@ class Metasploit3 < Msf::Post
     )
 
     response.each do |result|
-      table << [result[:hostname], result[:ip]]
+      if result[:ip].nil?
+        table << [result[:hostname], '[Failed To Resolve]']
+      else
+        table << [result[:hostname], result[:ip]]
+      end
     end
 
     table.print

From be139beb209230c4c58a96b69f4a56db54f52a2a Mon Sep 17 00:00:00 2001
From: Spencer McIntyre <zeroSteiner@gmail.com>
Date: Wed, 9 Oct 2013 17:11:47 -0400
Subject: [PATCH 4/4] Remove windows from title of multi module.

---
 modules/post/multi/gather/resolve_hosts.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/post/multi/gather/resolve_hosts.rb b/modules/post/multi/gather/resolve_hosts.rb
index 076acee24f..0bb3572335 100644
--- a/modules/post/multi/gather/resolve_hosts.rb
+++ b/modules/post/multi/gather/resolve_hosts.rb
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Post
 
   def initialize(info={})
     super( update_info( info,
-      'Name'          => 'Windows Resolve Hosts',
+      'Name'          => 'Resolve Hosts',
       'Description'   => %q{
         Resolves hostnames to either IPv4 or IPv6 addresses from the perspective of the remote host.
       },