PageRenderTime 79ms CodeModel.GetById 17ms RepoModel.GetById 1ms app.codeStats 0ms

/lib/msf/core/exploit/ipv6.rb

https://bitbucket.org/jrossi/metasploit
Ruby | 263 lines | 170 code | 55 blank | 38 comment | 43 complexity | 6b620d6481dc93bfaf1d6f209a4df8f5 MD5 | raw file
Possible License(s): GPL-2.0, LGPL-2.1, BSD-3-Clause 
    

  1. ##
    2. 

  2. # $Id$
    3. 

  3. ##
    4. 

  4. 

  5. module Msf
    6. 

  6. 

  7. ###
    8. 

  8. #
    9. 

  9. # This module provides common tools for IPv6
    10. 

  10. #
    11. 

  11. ###
    12. 

  12. module Exploit::Remote::Ipv6
    13. 

  13. 

  14. 	require 'racket'
    15. 

  15. 

  16. 	#
    17. 

  17. 	# Initializes an instance of an exploit module that captures traffic
    18. 

  18. 	#
    19. 

  19. 	def initialize(info = {})
    20. 

  20. 		super
    21. 

  21. 		register_options(
    22. 

  22. 			[
    23. 

  23. 				OptString.new('INTERFACE', [false, 'The name of the interface']),
    24. 

  24. 				OptString.new("SMAC", [ false, "The source MAC address"]),
    25. 

  25. 				OptAddress.new("SHOST", [ false, "The source IPv6 address" ] ),
    26. 

  26. 				OptInt.new("TIMEOUT", [ true, "Timeout when waiting for host response.", 5])
    27. 

  27. 			], Msf::Exploit::Remote::Ipv6
    28. 

  28. 		)
    29. 

  29. 

  30. 		begin
    31. 

  31. 			require 'pcaprub'
    32. 

  32. 			@pcaprub_loaded = true
    33. 

  33. 		rescue ::Exception => e
    34. 

  34. 			@pcaprub_loaded = false
    35. 

  35. 			@pcaprub_error  = e
    36. 

  36. 		end
    37. 

  37. 	end
    38. 

  38. 

  39. 

  40. 	#
    41. 

  41. 	# Shortcut method for resolving our local interface name
    42. 

  42. 	#
    43. 

  43. 	def ipv6_interface(opts={})
    44. 

  44. 		opts['INTERFACE'] || datastore['INTERFACE'] || ::Pcap.lookupdev
    45. 

  45. 	end
    46. 

  46. 	
    47. 

  47. 	#
    48. 

  48. 	# Shortcut method for determining our link-local address
    49. 

  49. 	#
    50. 

  50. 	def ipv6_link_address(opts={})
    51. 

  51. 		Rex::Socket.ipv6_link_address(ipv6_interface(opts))
    52. 

  52. 	end
    53. 

  53. 

  54. 	#
    55. 

  55. 	# Shortcut method for determining our MAC address
    56. 

  56. 	#
    57. 

  57. 	def ipv6_mac(opts={})
    58. 

  58. 		Rex::Socket.ipv6_mac(ipv6_interface(opts))
    59. 

  59. 	end
    60. 

  60. 	
    61. 

  61. 	#
    62. 

  62. 	# Opens a pcaprub capture interface to inject packets, and sniff ICMPv6 packets
    63. 

  63. 	#
    64. 

  64. 

  65. 	def open_icmp_pcap(opts = {})
    66. 

  66. 		check_pcaprub_loaded
    67. 

  67. 

  68. 		dev = ipv6_interface(opts)
    69. 

  69. 		len = 65535
    70. 

  70. 		tim = 0
    71. 

  71. 		@ipv6_icmp6_capture = ::Pcap.open_live(dev, len, true, tim)
    72. 

  72. 		@ipv6_icmp6_capture.setfilter("icmp6")
    73. 

  73. 	end
    74. 

  74. 

  75. 	#
    76. 

  76. 	# Close the capture interface
    77. 

  77. 	#
    78. 

  78. 	def close_icmp_pcap()
    79. 

  79. 		check_pcaprub_loaded
    80. 

  80. 

  81. 		return if not @ipv6_icmp6_capture
    82. 

  82. 		@ipv6_icmp6_capture = nil
    83. 

  83. 		GC.start()
    84. 

  84. 	end
    85. 

  85. 

  86. 	#
    87. 

  87. 	# Send out a ICMPv6 neighbor solicitation, and
    88. 

  88. 	# return the associated MAC address
    89. 

  89. 	#
    90. 

  90. 	def solicit_ipv6_mac(dhost, opts = {})
    91. 

  91. 		check_pcaprub_loaded
    92. 

  92. 

  93. 		dhost_intf = dhost + '%' + ipv6_interface(opts)
    94. 

  94. 

  95. 		smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
    96. 

  96. 		shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
    97. 

  97. 		timeout = opts['TIMEOUT'] || datastore['TIMEOUT'] || 3
    98. 

  98. 

  99. 		open_icmp_pcap()
    100. 

  100. 

  101. 		p = Racket::Racket.new()
    102. 

  102. 		p.l2 = Racket::L2::Ethernet.new()
    103. 

  103. 		p.l2.src_mac = smac
    104. 

  104. 		p.l2.dst_mac = Racket::L3::Misc.soll_mcast_mac(dhost)
    105. 

  105. 		p.l2.ethertype = Racket::L2::Ethernet::ETHERTYPE_IPV6
    106. 

  106. 

  107. 		p.l3 = Racket::L3::IPv6.new()
    108. 

  108. 		p.l3.src_ip = Racket::L3::Misc.ipv62long(shost)
    109. 

  109. 		p.l3.dst_ip = Racket::L3::Misc.ipv62long(Racket::L3::Misc.soll_mcast_addr6(dhost))
    110. 

  110. 		p.l3.ttl = 255
    111. 

  111. 		p.l3.nhead = 0x3a
    112. 

  112. 		p.l3.fix!()
    113. 

  113. 

  114. 		p.l4 = Racket::L4::ICMPv6NeighborSolicitation.new()
    115. 

  115. 		p.l4.address = Racket::L3::Misc.ipv62long(dhost)
    116. 

  116. 		p.l4.add_option(0x01, Racket::L2::Misc.mac2string(p.l2.src_mac))
    117. 

  117. 		p.l4.fix!(p.l3.src_ip, p.l3.dst_ip)
    118. 

  118. 

  119. 		@ipv6_icmp6_capture.inject(p.pack())
    120. 

  120. 

  121. 		# Wait for a response
    122. 

  122. 		max_epoch = ::Time.now.to_i + timeout
    123. 

  123. 		while(::Time.now.to_i < max_epoch)
    124. 

  124. 			pkt = @ipv6_icmp6_capture.next()
    125. 

  125. 			next if not pkt
    126. 

  126. 

  127. 			eth = Racket::L2::Ethernet.new(pkt)
    128. 

  128. 			next if eth.ethertype != Racket::L2::Ethernet::ETHERTYPE_IPV6
    129. 

  129. 

  130. 			ipv6 = Racket::L3::IPv6.new(eth.payload)
    131. 

  131. 			next if ipv6.nhead != 0x3a
    132. 

  132. 

  133. 			icmpv6 = Racket::L4::ICMPv6.new(ipv6.payload)
    134. 

  134. 			next if icmpv6.type != Racket::L4::ICMPv6Generic::ICMPv6_TYPE_NEIGHBOR_ADVERTISEMENT
    135. 

  135. 

  136. 			icmpv6 = Racket::L4::ICMPv6NeighborAdvertisement.new(ipv6.payload)
    137. 

  137. 			if(icmpv6 and
    138. 

  138. 					 ipv6.dst_ip == Racket::L3::Misc.ipv62long(shost) and
    139. 

  139. 					 ipv6.src_ip == Racket::L3::Misc.ipv62long(dhost))
    140. 

  140. 				icmpv6options = icmpv6.get_options()
    141. 

  141. 

  142. 				icmpv6options.each() do |opt|
    143. 

  143. 					id = opt[1]
    144. 

  144. 					if(id == ICMPv6OptionLinkAddress::ICMPv6_OPTION_TYPE_ID)
    145. 

  145. 						addr = ICMPv6OptionLinkAddress.new(opt[2]).lladdr
    146. 

  146. 						close_icmp_pcap()
    147. 

  147. 						return(addr)
    148. 

  148. 					end
    149. 

  149. 				end
    150. 

  150. 

  151. 				# If there is no addr option, return the ethernet mac
    152. 

  152. 				close_icmp_pcap()
    153. 

  153. 				return(eth.src_mac)
    154. 

  154. 			end
    155. 

  155. 

  156. 		end
    157. 

  157. 

  158. 		close_icmp_pcap()
    159. 

  159. 		return(nil)
    160. 

  160. 	end
    161. 

  161. 

  162. 	#
    163. 

  163. 	# Send a ICMPv6 Echo Request, and wait for the
    164. 

  164. 	# associated ICMPv6 Echo Response
    165. 

  165. 	#
    166. 

  166. 	def ping6(dhost, opts={})
    167. 

  167. 		check_pcaprub_loaded
    168. 

  168. 

  169. 		dhost_intf = dhost + '%' + ipv6_interface(opts)
    170. 

  170. 

  171. 		smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
    172. 

  172. 		shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
    173. 

  173. 		dmac = opts['DMAC'] || solicit_ipv6_mac(dhost)
    174. 

  174. 		timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
    175. 

  175. 		wait = opts['WAIT']
    176. 

  176. 

  177. 

  178. 		if(wait.eql?(nil))
    179. 

  179. 			wait = true
    180. 

  180. 		end
    181. 

  181. 

  182. 		dmac.eql?(nil) and return false
    183. 

  183. 

  184. 		open_icmp_pcap()
    185. 

  185. 

  186. 		# Create ICMPv6 Request
    187. 

  187. 		p = Racket::Racket.new()
    188. 

  188. 		p.l2 = Racket::L2::Ethernet.new()
    189. 

  189. 		p.l2.src_mac = smac
    190. 

  190. 		p.l2.dst_mac = dmac
    191. 

  191. 		p.l2.ethertype = Racket::L2::Ethernet::ETHERTYPE_IPV6
    192. 

  192. 

  193. 		p.l3 = Racket::L3::IPv6.new()
    194. 

  194. 		p.l3.src_ip = Racket::L3::Misc.ipv62long(shost)
    195. 

  195. 		p.l3.dst_ip = Racket::L3::Misc.ipv62long(dhost)
    196. 

  196. 		p.l3.nhead = 0x3a
    197. 

  197. 		p.l3.fix!()
    198. 

  198. 

  199. 		p.l4 = Racket::L4::ICMPv6EchoRequest.new()
    200. 

  200. 		p.l4.id = rand(65000)
    201. 

  201. 		p.l4.sequence = 1
    202. 

  202. 		p.l4.payload = Rex::Text.rand_text(8)
    203. 

  203. 		p.l4.fix!(p.l3.src_ip, p.l3.dst_ip)
    204. 

  204. 

  205. 		@ipv6_icmp6_capture.inject(p.pack())
    206. 

  206. 

  207. 		if(wait.eql?(true))
    208. 

  208. 			print_status("Waiting for ping reply...")
    209. 

  209. 			print_line("")
    210. 

  210. 			# Wait for a response
    211. 

  211. 			max_epoch = ::Time.now.to_i + timeout
    212. 

  212. 			while(::Time.now.to_i < max_epoch)
    213. 

  213. 				pkt = @ipv6_icmp6_capture.next()
    214. 

  214. 				next if not pkt
    215. 

  215. 

  216. 				eth = Racket::L2::Ethernet.new(pkt)
    217. 

  217. 				next if eth.ethertype != Racket::L2::Ethernet::ETHERTYPE_IPV6
    218. 

  218. 

  219. 				ipv6 = Racket::L3::IPv6.new(eth.payload)
    220. 

  220. 				next if ipv6.nhead != 0x3a
    221. 

  221. 

  222. 				icmpv6 = Racket::L4::ICMPv6.new(ipv6.payload)
    223. 

  223. 				next if icmpv6.type != Racket::L4::ICMPv6Generic::ICMPv6_TYPE_ECHO_REPLY
    224. 

  224. 

  225. 				icmpv6 = Racket::L4::ICMPv6EchoReply.new(ipv6.payload)
    226. 

  226. 				if(icmpv6 and
    227. 

  227. 						 ipv6.dst_ip == p.l3.src_ip and
    228. 

  228. 						 ipv6.src_ip == p.l3.dst_ip and
    229. 

  229. 						 icmpv6.id == p.l4.id and
    230. 

  230. 						 icmpv6.sequence == p.l4.sequence)
    231. 

  231. 

  232. 					close_icmp_pcap()
    233. 

  233. 					return(true)
    234. 

  234. 				end
    235. 

  235. 

  236. 			end # End while
    237. 

  237. 		end
    238. 

  238. 

  239. 		close_icmp_pcap()
    240. 

  240. 		return(false)
    241. 

  241. 	end
    242. 

  242. 

  243. 	def check_pcaprub_loaded
    244. 

  244. 		unless @pcaprub_loaded
    245. 

  245. 			print_status("The Pcaprub module is not available: #{@pcaprub_error}")
    246. 

  246. 			raise RuntimeError, "Pcaprub not available"
    247. 

  247. 		else
    248. 

  248. 			true
    249. 

  249. 	end
    250. 

  250. 

  251. end
    252. 

  252. 

  253. class ICMPv6OptionLinkAddress < RacketPart
    254. 

  254. 	ICMPv6_OPTION_TYPE_ID = 1
    255. 

  255. 	hex_octets :lladdr, 48
    256. 

  256. 	def initialize(*args)
    257. 

  257. 		super(*args)
    258. 

  258. 	end
    259. 

  259. end
    260. 

  260. 

  261. end
    262. 

  262. end
    263. 

  263. 

  264.