Fixes #5038, missed a couple mentions of Racket. Excised now for sure.
git-svn-id: file:///home/svn/framework3/trunk@13371 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
eedc77e2ba
commit
b22ca615c7
|
@ -166,7 +166,7 @@ module Exploit::Capture
|
||||||
if not pcap
|
if not pcap
|
||||||
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
|
raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
|
||||||
else
|
else
|
||||||
pcap.inject(pkt)
|
pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
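Review bot: `pcap.inject(pkt.to_s)` accepts any object, so a nil pkt is silently injected as the empty string rather than failing, because `nil.to_s` is `""`; a guard before the call, `raise ArgumentError, "pkt must be a PacketFu::Packet or a packed string" if pkt.nil?`, turns a caller bug into a visible error. The new trailing comment would be clearer if it named the conversion, e.g. `# pkt may be a PacketFu::Packet (packed via to_s) or an already-packed String`. The enclosing method begins outside the hunk.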
@ -10,8 +10,6 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'racket'
|
|
||||||
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Auxiliary
|
class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
|
@ -57,25 +55,16 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
|
|
||||||
open_pcap
|
open_pcap
|
||||||
|
|
||||||
n = Racket::Racket.new
|
p = PacketFu::UDPPacket.new
|
||||||
|
p.ip_saddr = datastore['LHOST']
|
||||||
|
p.ip_daddr = ip
|
||||||
|
p.ip_ttl = 255
|
||||||
|
p.udp_src = 123
|
||||||
|
p.udp_dst = 123
|
||||||
|
p.payload = ["\x17", "\x97\x00\x00\x00"][rand(2)]
|
||||||
|
p.recalc
|
||||||
|
capture_sendto(p,ip)
|
||||||
|
|
||||||
n.l3 = Racket::L3::IPv4.new
|
|
||||||
n.l3.src_ip = datastore['LHOST']
|
|
||||||
n.l3.dst_ip = ip
|
|
||||||
n.l3.protocol = 17
|
|
||||||
n.l3.id = rand(0xffff)+1
|
|
||||||
n.l3.ttl = 255
|
|
||||||
|
|
||||||
n.l4 = Racket::L4::UDP.new
|
|
||||||
n.l4.src_port = 123
|
|
||||||
n.l4.dst_port = 123
|
|
||||||
n.l4.payload = ["\x17","\x97\x00\x00\x00"][rand(2)]
|
|
||||||
|
|
||||||
n.l4.fix!(n.l3.src_ip, n.l3.dst_ip)
|
|
||||||
|
|
||||||
buff = n.pack
|
|
||||||
|
|
||||||
capture_sendto(buff, ip)
|
|
||||||
close_pcap
|
close_pcap
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
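Review bot: `close_pcap` at the bottom of the second hunk is skipped whenever building or sending the packet raises (for example if PacketFu rejects the LHOST value, or capture_sendto fails), so the capture handle opened by `open_pcap` is left open; wrapping the body as `begin` … `ensure close_pcap end` releases it on every path. The Racket version also randomised the IP identification field (`n.l3.id = rand(0xffff)+1`), which the PacketFu rewrite drops — if that was not intentional, `p.ip_id = rand(0xffff) + 1` before `p.recalc` restores it. The def line of the method containing this code is outside the hunk.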
@ -67,24 +67,23 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
hosts.each do |dhost|
|
hosts.each do |dhost|
|
||||||
if dhost != shost
|
if dhost != shost
|
||||||
probe = buildprobe(shost, smac, dhost)
|
probe = buildprobe(shost, smac, dhost)
|
||||||
capture.inject(probe)
|
inject(probe)
|
||||||
|
|
||||||
while(reply = getreply())
|
while(reply = getreply())
|
||||||
next if not reply[:arp]
|
next unless reply.is_arp?
|
||||||
print_status("#{reply[:arp].spa} appears to be up.")
|
print_status("#{reply.arp_saddr_ip} appears to be up.")
|
||||||
|
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
|
||||||
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
etime = Time.now.to_f + datastore['TIMEOUT']
|
etime = Time.now.to_f + datastore['TIMEOUT']
|
||||||
while (Time.now.to_f < etime)
|
while (Time.now.to_f < etime)
|
||||||
while(reply = getreply())
|
while(reply = getreply())
|
||||||
next if not reply[:arp]
|
next unless reply.is_arp?
|
||||||
print_status("#{reply[:arp].spa} appears to be up.")
|
print_status("#{reply.arp_saddr_ip} appears to be up.")
|
||||||
|
report_host(:host => reply.arp_saddr_ip, :mac=>reply.arp_saddr_mac)
|
||||||
report_host(:host => reply[:arp].spa, :mac=>reply[:arp].sha)
|
|
||||||
end
|
end
|
||||||
Kernel.select(nil, nil, nil, 0.50)
|
Kernel.select(nil, nil, nil, 0.50)
|
||||||
end
|
end
|
||||||
|
@ -95,31 +94,26 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def buildprobe(shost, smac, dhost)
|
def buildprobe(shost, smac, dhost)
|
||||||
n = Racket::Racket.new
|
p = PacketFu::ARPPacket.new
|
||||||
n.l2 = Racket::L2::Ethernet.new(Racket::Misc.randstring(14))
|
p.eth_saddr = smac
|
||||||
n.l2.src_mac = smac
|
p.eth_daddr = "ff:ff:ff:ff:ff:ff"
|
||||||
n.l2.dst_mac = 'ff:ff:ff:ff:ff:ff'
|
p.arp_opcode = 1
|
||||||
n.l2.ethertype = 0x0806
|
p.arp_saddr_mac = p.eth_saddr
|
||||||
|
p.arp_daddr_mac = p.eth_daddr
|
||||||
n.l3 = Racket::L3::ARP.new
|
p.arp_saddr_ip = shost
|
||||||
n.l3.opcode = Racket::L3::ARP::ARPOP_REQUEST
|
p.arp_daddr_ip = dhost
|
||||||
n.l3.sha = n.l2.src_mac
|
p.recalc
|
||||||
n.l3.tha = n.l2.dst_mac
|
p
|
||||||
n.l3.spa = shost
|
|
||||||
n.l3.tpa = dhost
|
|
||||||
n.pack
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def getreply
|
def getreply
|
||||||
pkt = capture.next
|
pkt_bytes = capture.next
|
||||||
return if not pkt
|
Kernel.select(nil,nil,nil,0.1)
|
||||||
|
return unless pkt_bytes
|
||||||
eth = Racket::L2::Ethernet.new(pkt)
|
pkt = PacketFu::Packet.parse(pkt_bytes)
|
||||||
return if not eth.ethertype == 0x0806
|
return unless pkt.is_arp?
|
||||||
|
return unless pkt.arp_opcode == 2
|
||||||
arp = Racket::L3::ARP.new(eth.payload)
|
pkt
|
||||||
return if not arp.opcode == Racket::L3::ARP::ARPOP_REPLY
|
|
||||||
|
|
||||||
{:raw => pkt, :eth => eth, :arp => arp}
|
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
|
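Review bot: In the new getreply, `Kernel.select(nil,nil,nil,0.1)` runs on every call, including the ones where `capture.next` has just returned a frame, so each reply costs a 100 ms pause and the `while(reply = getreply())` loops in the first hunk drain queued replies at no more than ten per second; `Kernel.select(nil, nil, nil, 0.1) unless pkt_bytes` limits the wait to the empty-read case. Separately, getreply returns nil on the first captured frame that is not an ARP reply, which terminates those while loops even when further replies are already queued — the same behaviour as the Racket version, but worth making explicit with a comment such as `# nil means "this frame was not an ARP reply", not "no more frames"`, since callers treat it as the latter.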
@ -36,34 +36,30 @@ class Metasploit3 < Msf::Auxiliary
|
||||||
max_epoch = ::Time.now.to_i + timeout
|
max_epoch = ::Time.now.to_i + timeout
|
||||||
|
|
||||||
while(::Time.now.to_i < max_epoch)
|
while(::Time.now.to_i < max_epoch)
|
||||||
pkt = capture.next()
|
pkt_bytes = capture.next()
|
||||||
Kernel.select(nil,nil,nil,0.1)
|
Kernel.select(nil,nil,nil,0.1)
|
||||||
next if not pkt
|
next if not pkt_bytes
|
||||||
eth = Racket::L2::Ethernet.new(pkt)
|
p = PacketFu::Packet.parse(pkt_bytes)
|
||||||
|
# Don't bother checking if it's an echo reply, since Neighbor Solicitations
|
||||||
next if not eth.ethertype.eql?(Racket::L2::Ethernet::ETHERTYPE_IPV6)
|
# and any other response is just as good.
|
||||||
ipv6 = Racket::L3::IPv6.new(eth.payload)
|
next unless p.is_ipv6?
|
||||||
|
host_addr = p.ipv6_saddr
|
||||||
next if not ipv6.nhead == 0x3a
|
host_mac = p.eth_saddr
|
||||||
icmpv6 = Racket::L4::ICMPv6.new(ipv6.payload)
|
next if host_mac == smac
|
||||||
|
unless hosts[host_addr] == host_mac
|
||||||
next if not icmpv6.type == Racket::L4::ICMPv6Generic::ICMPv6_TYPE_ECHO_REPLY
|
|
||||||
|
|
||||||
icmpv6 = Racket::L4::ICMPv6EchoReply.new(ipv6.payload)
|
|
||||||
host_addr = Racket::L3::Misc.long2ipv6(ipv6.src_ip)
|
|
||||||
host_mac = eth.src_mac
|
|
||||||
|
|
||||||
if(!hosts[host_addr].eql?(host_mac))
|
|
||||||
hosts[host_addr] = host_mac
|
hosts[host_addr] = host_mac
|
||||||
print_status(" |*| #{host_addr} => #{host_mac}")
|
print_status(" |*| #{host_addr} => #{host_mac}")
|
||||||
# report_host(:mac => host_mac, :host => host_addr)
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
return(hosts)
|
return hosts
|
||||||
|
end
|
||||||
|
|
||||||
|
def smac
|
||||||
|
datastore['SMAC'].to_s.empty? ? ipv6_mac : datastore['SMAC']
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
# Start caputre
|
# Start capture
|
||||||
open_pcap({'FILTER' => "icmp6"})
|
open_pcap({'FILTER' => "icmp6"})
|
||||||
|
|
||||||
# Send ping
|
# Send ping
|
||||||
|
|
|
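Review bot: `next if host_mac == smac` and `hosts[host_addr] == host_mac` compare MAC strings byte-for-byte, and `smac` may come straight from `datastore['SMAC']` while `host_mac` is PacketFu's own formatting of `eth_saddr`; a user-supplied SMAC in different case or separators will never match, so the module's own outbound frames, if the capture sees them, would be reported as a host. Normalise once before the loop, e.g. `own_mac = smac.to_s.downcase`, and compare against `host_mac.downcase`; that also stops `smac` (a datastore lookup) being re-evaluated for every captured frame. The new comment says any ICMPv6 response counts, and with the `icmp6` filter in `run` that includes unsolicited traffic such as router advertisements, so the hosts list is "ICMPv6 senders seen", which the module description should state. The method containing the while loop starts outside the hunk.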
@ -11,7 +11,6 @@
|
||||||
|
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'racket'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|
|
@ -10,7 +10,6 @@
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
require 'racket'
|
|
||||||
|
|
||||||
class Metasploit3 < Msf::Exploit::Remote
|
class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = GreatRanking
|
Rank = GreatRanking
|
||||||
|
|