/lib/msf/core/exploit/ipv6.rb

https://github.com/Jonono2/metasploit-framework · Ruby · 321 lines · 227 code · 45 blank · 49 comment · 40 complexity · 94201fb579f80bade5beb584b608ec43 MD5 · raw file

  1. # -*- coding: binary -*-
  2. module Msf
  3. ###
  4. #
  5. # This module provides common tools for IPv6
  6. #
  7. ###
  8. module Exploit::Remote::Ipv6
  9. #
  10. # Initializes an instance of an exploit module that captures traffic
  11. #
  12. def initialize(info = {})
  13. super
  14. register_options(
  15. [
  16. OptString.new('INTERFACE', [false, 'The name of the interface']),
  17. OptString.new("SMAC", [ false, "The source MAC address"]),
  18. OptAddress.new("SHOST", [ false, "The source IPv6 address" ] ),
  19. OptInt.new("TIMEOUT", [ true, "Timeout when waiting for host response.", 5])
  20. ], Msf::Exploit::Remote::Ipv6
  21. )
  22. begin
  23. require 'pcaprub'
  24. @pcaprub_loaded = true
  25. rescue ::Exception => e
  26. @pcaprub_loaded = false
  27. @pcaprub_error = e
  28. end
  29. end
  30. #
  31. # Shortcut method for resolving our local interface name
  32. #
  33. def ipv6_interface(opts={})
  34. opts['INTERFACE'] || datastore['INTERFACE'] || ::Pcap.lookupdev
  35. end
  36. #
  37. # Shortcut method for determining our link-local address
  38. #
  39. def ipv6_link_address(opts={})
  40. Rex::Socket.ipv6_link_address(ipv6_interface(opts))
  41. end
  42. #
  43. # Shortcut method for determining our MAC address
  44. #
  45. def ipv6_mac(opts={})
  46. Rex::Socket.ipv6_mac(ipv6_interface(opts))
  47. end
  48. #
  49. # Opens a pcaprub capture interface to inject packets, and sniff ICMPv6 packets
  50. #
  51. def open_icmp_pcap(opts = {})
  52. check_pcaprub_loaded
  53. dev = ipv6_interface(opts)
  54. len = 65535
  55. tim = 0
  56. @ipv6_icmp6_capture = ::Pcap.open_live(dev, len, true, tim)
  57. @ipv6_icmp6_capture.setfilter("icmp6")
  58. end
  59. #
  60. # Close the capture interface
  61. #
  62. def close_icmp_pcap()
  63. check_pcaprub_loaded
  64. return if not @ipv6_icmp6_capture
  65. @ipv6_icmp6_capture = nil
  66. GC.start()
  67. end
  68. #
  69. # Send out a ICMPv6 neighbor solicitation, and
  70. # return the associated MAC address
  71. #
  72. def solicit_ipv6_mac(dhost, opts = {})
  73. check_pcaprub_loaded
  74. dhost_intf = dhost + '%' + ipv6_interface(opts)
  75. smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  76. shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  77. timeout = opts['TIMEOUT'] || datastore['TIMEOUT'] || 3
  78. open_icmp_pcap()
  79. p2 = PacketFu::IPv6Packet.new
  80. p2.eth_saddr = smac
  81. p2.eth_daddr = ipv6_soll_mcast_mac(dhost)
  82. p2.ipv6_saddr = shost
  83. p2.ipv6_daddr = ipv6_soll_mcast_addr6(dhost)
  84. p2.ipv6_hop = 255
  85. p2.ipv6_next = 0x3a
  86. p2.payload = ipv6_neighbor_solicitation(
  87. IPAddr.new(dhost).to_i,
  88. p2.eth_src
  89. )
  90. p2.ipv6_len = p2.payload.size
  91. ipv6_checksum!(p2)
  92. @ipv6_icmp6_capture.inject(p2.to_s)
  93. # Wait for a response
  94. max_epoch = ::Time.now.to_i + timeout
  95. while(::Time.now.to_i < max_epoch)
  96. pkt_bytes = @ipv6_icmp6_capture.next()
  97. next if not pkt_bytes
  98. pkt = PacketFu::Packet.parse(pkt_bytes) rescue nil
  99. next unless pkt
  100. next unless pkt.is_ipv6?
  101. next unless pkt.ipv6_next == 0x3a
  102. next unless pkt.payload
  103. next if pkt.payload.empty?
  104. next unless pkt.payload[0,1] == "\x88" # Neighbor advertisement
  105. if(IPAddr.new(pkt.ipv6_daddr).to_i == IPAddr.new(shost).to_i and
  106. IPAddr.new(pkt.ipv6_saddr).to_i == IPAddr.new(dhost).to_i)
  107. ipv6opts = pkt.payload[24,pkt.payload.size]
  108. next unless ipv6opts
  109. parsed_opts = ipv6_parse_options(ipv6opts)
  110. parsed_opts.each do |opt|
  111. if opt[0] == 2
  112. addr = PacketFu::EthHeader.str2mac(opt.last)
  113. close_icmp_pcap()
  114. return(addr)
  115. end
  116. end
  117. close_icmp_pcap
  118. return(pkt.eth_saddr)
  119. end
  120. end
  121. close_icmp_pcap
  122. return nil
  123. end
  124. #
  125. # Send a ICMPv6 Echo Request, and wait for the
  126. # associated ICMPv6 Echo Response
  127. #
  128. def ping6(dhost, opts={})
  129. check_pcaprub_loaded
  130. dhost_intf = dhost + '%' + ipv6_interface(opts)
  131. smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  132. shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  133. dmac = opts['DMAC'] || solicit_ipv6_mac(dhost)
  134. timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
  135. wait = opts['WAIT']
  136. if(wait.eql?(nil))
  137. wait = true
  138. end
  139. dmac.eql?(nil) and return false
  140. open_icmp_pcap()
  141. # Create ICMPv6 Request
  142. p = PacketFu::IPv6Packet.new
  143. p.eth_saddr = smac
  144. p.eth_daddr = dmac
  145. p.ipv6_saddr = shost
  146. p.ipv6_daddr = dhost
  147. p.ipv6_next = 0x3a
  148. icmp_id = rand(65000)
  149. icmp_seq = 1
  150. icmp_payload = Rex::Text.rand_text(8)
  151. p.payload = ipv6_icmpv6_echo_request(icmp_id,icmp_seq,icmp_payload)
  152. p.ipv6_len = p.payload.to_s.size
  153. ipv6_checksum!(p)
  154. @ipv6_icmp6_capture.inject(p.to_s)
  155. if(wait.eql?(true))
  156. print_status("Waiting for ping reply...")
  157. print_line("")
  158. # Wait for a response
  159. max_epoch = ::Time.now.to_i + timeout
  160. while(::Time.now.to_i < max_epoch)
  161. pkt = @ipv6_icmp6_capture.next()
  162. next if not pkt
  163. response_pkt = PacketFu::Packet.parse(pkt) rescue nil
  164. next unless response_pkt
  165. next unless response_pkt.is_ipv6?
  166. next unless response_pkt.payload
  167. next if response_pkt.payload.empty?
  168. next unless response_pkt.payload[0,1] == "\x81" # Echo reply
  169. if( response_pkt.ipv6_daddr == p.ipv6_saddr and
  170. response_pkt.ipv6_saddr == p.ipv6_daddr and
  171. response_pkt.ipv6_daddr == p.ipv6_saddr and
  172. response_pkt.payload[4,2] == p.payload[4,2] and # Id
  173. response_pkt.payload[6,2] == p.payload[6,2] # Seq
  174. )
  175. close_icmp_pcap()
  176. return(true)
  177. end
  178. end # End while
  179. end
  180. close_icmp_pcap()
  181. return(false)
  182. end
  183. #
  184. # Helper methods that haven't made it upstream yet. Mostly packet data
  185. # packers, also a checksum calculator.
  186. #
  187. def ipv6_icmpv6_echo_request(id,seq,data)
  188. type = 0x80
  189. code = 0
  190. checksum = 0
  191. id ||= rand(0x10000)
  192. seq ||= rand(0x10000)
  193. [type,code,checksum,id,seq,data].pack("CCnnna*")
  194. end
  195. # Simple tlv parser
  196. def ipv6_parse_options(data)
  197. pos = 0
  198. opts = []
  199. while pos < data.size
  200. type, len = data[pos,2].unpack("CC")
  201. this_opt = [type,len]
  202. this_opt << data[pos+2, (pos-2 + (len * 8))]
  203. opts << this_opt
  204. pos += this_opt.pack("CCa*").size
  205. end
  206. opts
  207. end
  208. # From Jon Hart's Racket::L3::Misc#linklocaladdr(), which
  209. # is from Daniele Bellucci
  210. def ipv6_linklocaladdr(mac)
  211. mac = mac.split(":")
  212. mac[0] = (mac[0].to_i(16) ^ (1 << 1)).to_s(16)
  213. ["fe80", "", mac[0,2].join, mac[2,2].join("ff:fe"), mac[4,2].join].join(":")
  214. end
  215. # From Jon Hart's Racket::L3::Misc#soll_mcast_addr6(),
  216. # which is from DDniele Belluci
  217. def ipv6_soll_mcast_addr6(addr)
  218. h = addr.split(':')[-2, 2]
  219. m = []
  220. m << 'ff'
  221. m << (h[0].to_i(16) & 0xff).to_s(16)
  222. m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
  223. m << (h[1].to_i(16) & 0xff).to_s(16)
  224. 'ff02::1:' + [m[0,2].join, m[2,2].join].join(':')
  225. end
  226. # From Jon Hart's Racket::L3::Misc#soll_mcast_mac()
  227. def ipv6_soll_mcast_mac(addr)
  228. h = addr.split(':')[-2, 2]
  229. m = []
  230. m << 'ff'
  231. m << (h[0].to_i(16) & 0xff).to_s(16)
  232. m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
  233. m << (h[1].to_i(16) & 0xff).to_s(16)
  234. '33:33:' + m.join(':')
  235. end
  236. # Usual ghetto strategy from PacketFu
  237. def ipv6_checksum!(pkt)
  238. check_data = pkt.headers.last[:ipv6_src].to_s.unpack("n8")
  239. check_data << pkt.headers.last[:ipv6_dst].to_s.unpack("n8")
  240. check_data << pkt.ipv6_len
  241. check_data << [0,58]
  242. check_payload = pkt.payload.size % 2 == 0 ? pkt.payload : pkt.payload + "\x00"
  243. check_data << check_payload.unpack("n*")
  244. check_data.flatten!
  245. checksum = check_data.inject(0) {|sum,x| sum += x}
  246. checksum = checksum % 0xffff
  247. checksum = 0xffff - checksum
  248. checksum == 0 ? 0xffff : checksum
  249. pkt.payload[2,2] = [checksum].pack("n")
  250. pkt
  251. end
  252. # Takes a neighbor and smac as arguments, The Neighbor
  253. # value must be an int, while the smac must be a string.
  254. # Very rudimentary and temporary.
  255. def ipv6_neighbor_solicitation(neigh,smac)
  256. target = neigh.to_s(16).scan(/../).map {|x| x.to_i(16)}.pack("C*")
  257. type = 135
  258. code = 0
  259. checksum = 0
  260. reserved = 0
  261. opt_type = 1
  262. opt_len = 1
  263. [type, code, checksum, reserved,
  264. target, opt_type, opt_len, smac
  265. ].pack("CCnNa16CCa6")
  266. end
  267. def check_pcaprub_loaded
  268. unless @pcaprub_loaded
  269. print_status("The Pcaprub module is not available: #{@pcaprub_error}")
  270. raise RuntimeError, "Pcaprub not available"
  271. else
  272. true
  273. end
  274. end
  275. end
  276. end