capture.rb | searchcode

/lib/msf/core/exploit/capture.rb

https://github.com/Jonono2/metasploit-framework
Ruby | 573 lines | 446 code | 72 blank | 55 comment | 74 complexity | 041efddc22341a5f3fd4fee1d378d87f MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0, GPL-3.0, LGPL-2.1, GPL-2.0

# -*- coding: binary -*-
module Msf

###
#
# This module provides methods for sending and receiving
# raw packets. It should be preferred over the soon-to-be
# deprecated Rex::Socket::Ip and Msf::Exploite::Remote::Ip
# mixins.
#
# Please see the pcaprub documentation for more information
# on how to use capture objects.
#
###

  class Exploit
    module Capture

      #
      # Initializes an instance of an exploit module that captures traffic
      #

      def initialize(info = {})
        super

        register_options(
          [
            OptPath.new('PCAPFILE', [false, 'The name of the PCAP capture file to process']),
            OptString.new('INTERFACE', [false, 'The name of the interface']),
            OptString.new('FILTER', [false, 'The filter string for capturing traffic']),
            OptInt.new('SNAPLEN', [true, 'The number of bytes to capture', 65535]),
            OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 500]),
            Opt::RHOST

          ], Msf::Exploit::Capture
        )

        register_advanced_options(
          [
            OptInt.new('UDP_SECRET', [true, 'The 32-bit cookie for UDP probe requests.', 1297303091]),
            OptAddress.new('GATEWAY', [false, 'The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.']),
            OptInt.new('NETMASK', [false, 'The local network mask. This is used to decide if an address is in the local network.', 24]),
          ], Msf::Exploit::Capture
        )

        require 'packetfu'

        begin
          require 'pcaprub'
          @pcaprub_loaded = true
        rescue ::LoadError => e
          @pcaprub_loaded = false
          @pcaprub_error  = e
        end

        begin
          require 'network_interface'
          @network_interface_loaded = true
        rescue ::LoadError => e
          @network_interface_loaded = false
          @network_interface_error  = e
        end

      end

      def stats_recv(pcap=self.capture)
        return(0) unless pcap
        pcap.stats['recv']
      end

      def stats_drop(pcap=self.capture)
        return(0) unless pcap
        pcap.stats['drop']
      end

      def stats_ifdrop(pcap=self.capture)
        return(0) unless pcap
        pcap.stats['ifdrop']
      end

      #
      # Opens a handle to the specified device
      #
      def open_pcap(opts={})
        check_pcaprub_loaded
        if RUBY_PLATFORM == "i386-mingw32"
          if opts['INTERFACE'] or datastore['INTERFACE']
            dev = opts['INTERFACE'] || datastore['INTERFACE']
            if is_interface?(dev)
              dev = get_interface_guid(dev)
            end
          end
        else
          dev = opts['INTERFACE'] || datastore['INTERFACE'] || nil
        end

        len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
        tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
        fil = opts['FILTER'] || datastore['FILTER']
        do_arp = (opts['ARPCAP'] == false) ? false : true

        # Look for a PCAP file
        cap = datastore['PCAPFILE'] || ''

        if (not cap.empty?)
          if (not File.exists?(cap))
            raise RuntimeError, "The PCAP file #{cap} could not be found"
          end
          self.capture = ::Pcap.open_offline(cap)
        else
          dev ||= ::Pcap.lookupdev

          unless RUBY_PLATFORM == "i386-mingw32"
            system("ifconfig", dev, "up")
          end

          self.capture = ::Pcap.open_live(dev, len, true, tim)
          if do_arp
            self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
            preamble         = datastore['UDP_SECRET'].to_i
            arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
            self.arp_capture.setfilter(arp_filter)
          end
        end

        if (not self.capture)
          raise RuntimeError, "Could not start the capture process"
        elsif (do_arp and !self.arp_capture and cap.empty?)
          raise RuntimeError, "Could not start the ARP capture process"
        end

        self.capture.setfilter(fil) if fil
      end

      def close_pcap
        return unless self.capture
        self.capture     = nil
        self.arp_capture = nil
        GC.start()
      end

      def capture_extract_ies(raw)
        set = {}
        idx = 0
        len = 0

        while (idx < raw.length)
          len = raw[idx+1]
          return set unless len
          set[raw[idx]] ||= []
          set[raw[idx]].push(raw[idx + 2, len])
          idx += len + 2
        end

        return set
      end

      #
      # This monstrosity works around a series of bugs in the interrupt
      # signal handling of Ruby 1.9
      #
      def each_packet
        return unless capture
        begin
          @capture_count = 0
          reader         = framework.threads.spawn("PcapReceiver", false) do
            capture.each do |pkt|
              yield(pkt)
              @capture_count += 1
            end
          end
          reader.join
        rescue ::Exception
          raise $!
        ensure
          reader.kill if reader.alive?
        end

        @capture_count
      end

      # Injects a packet on the wire. For all injection-related functions, it's
      # on the module to open up a capture device first (this way, we don't
      # needlessly spawn new capture devices).
      def inject(pkt="", pcap=self.capture)
        check_pcaprub_loaded
        if not pcap
          raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
        else
          pcap.inject(pkt.to_s) # Can be a PacketFu Packet object or a pre-packed string
        end
      end

      # Injects an Ethernet packet with an optional payload. The payload
      # may be a regular PacketFu packet, an EthHeader, or a string.
      def inject_eth(args={})
        eth_daddr   = args[:eth_daddr] || "ff:ff:ff:ff:ff:ff"
        eth_saddr   = args[:eth_saddr] || "00:00:00:00:00:00"
        eth_type    = args[:eth_type] || 0x0800 # IP default
        payload     = args[:payload]
        pcap        = args[:pcap] || self.capture
        p           = PacketFu::EthPacket.new
        p.eth_daddr = eth_daddr
        p.eth_saddr = eth_saddr
        p.eth_proto = eth_type
        if payload
          if payload.kind_of? PacketFu::EthPacket
            p.payload = payload.eth_header.body
          elsif payload.kind_of? PacketFu::EthHeader
            p.payload = payload.body
          else
            p.payload = payload.to_s
          end
        end
        inject p.to_s, pcap
      end

      def inject_pcap(pcap_file, filter=nil, delay = 0, pcap=self.capture)
        check_pcaprub_loaded
        unless pcap
          raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
        end

        if (not File.exists?(pcap_file))
          raise RuntimeError, "The PCAP file #{pcap_file} could not be found"
        end

        if (pcap_file.empty?)
          raise RuntimeError, "The PCAP file #{pcap_file} is empty"
        end

        capture_file = ::Pcap.open_offline(pcap_file)
        capture_file.setfilter(filter) if filter
        while (pkt = capture_file.next) do
          pcap.inject(pkt)
          Rex.sleep((delay * 1.0)/1000)
        end
        GC.start
      end

      # Capture_sendto is intended to replace the old Rex::Socket::Ip.sendto method. It requires
      # a payload and a destination address. To send to the broadcast address, set bcast
      # to true (this will guarantee that packets will be sent even if ARP doesn't work
      # out).
      def capture_sendto(payload="", dhost=nil, bcast=false, dev=nil)
        raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)" unless self.capture
        raise RuntimeError, "Must specify a host to sendto" unless dhost
        dev              ||= datastore['INTERFACE']
        dst_mac, src_mac = lookup_eth(dhost, dev)
        if dst_mac == nil and not bcast
          return false
        end
        inject_eth(:payload => payload, :eth_daddr => dst_mac, :eth_saddr => src_mac)
      end

      # The return value either be a PacketFu::Packet object, or nil
      def inject_reply(proto=:udp, pcap=self.capture)
        reply = nil
        to    = (datastore['TIMEOUT'] || 500).to_f / 1000.0
        if not pcap
          raise RuntimeError, "Could not access the capture process (remember to open_pcap first!)"
        else
          begin
            ::Timeout.timeout(to) do
              pcap.each do |r|
                packet = PacketFu::Packet.parse(r)
                next unless packet.proto.map { |x| x.downcase.to_sym }.include? proto
                reply = packet
                break
              end
            end
          rescue ::Timeout::Error
          end
        end
        return reply
      end

      # This ascertains the correct Ethernet addresses one should use to
      # ensure injected IP packets actually get where they are going, and
      # manages the self.arp_cache hash. It always uses self.arp_capture
      # to inject and capture packets, and will always first fire off a
      # UDP packet using the regular socket to learn the source host's
      # and gateway's mac addresses.
      def lookup_eth(addr=nil, iface=nil)
        raise RuntimeError, "Could not access the capture process." unless self.arp_capture

        self.arp_cache ||= {}
        self.dst_cache ||= {}

        return self.dst_cache[addr] if self.dst_cache[addr]

        if !self.arp_cache[Rex::Socket.source_address(addr)]
          probe_gateway(addr)
        end

        src_mac = self.arp_cache[Rex::Socket.source_address(addr)]
        if should_arp?(addr)
          dst_mac = self.arp_cache[addr] || arp(addr)
        else
          dst_mac = self.arp_cache[:gateway]
        end

        self.dst_cache[addr] = [dst_mac, src_mac]
      end

      def probe_gateway(addr)
        dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
        dst_port = rand(30000)+1024
        preamble = [datastore['UDP_SECRET']].pack("N")
        secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"

        begin
          UDPSocket.open.send(secret, 0, dst_host, dst_port)
        rescue Errno::ENETUNREACH
          # This happens on networks with no gatway. We'll need to use a
          # fake source hardware address.
          self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
        end

        begin
          to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
          ::Timeout.timeout(to) do
            while (my_packet = inject_reply(:udp, self.arp_capture))
              if my_packet.payload == secret
                dst_mac = self.arp_cache[:gateway] = my_packet.eth_daddr
                src_mac = self.arp_cache[Rex::Socket.source_address(addr)] = my_packet.eth_saddr
                return [dst_mac, src_mac]
              else
                next
              end
            end
          end
        rescue ::Timeout::Error
          # Well, that didn't work (this common on networks where there's no gatway, like
          # VMWare network interfaces. We'll need to use a fake source hardware address.
          self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
        end
      end

      # A pure-Ruby ARP exchange. It uses self.arp_capture to send and recv
      # packets, rather than self.capture.
      def arp(target_ip=nil)
        return self.arp_cache[target_ip] if self.arp_cache[target_ip]
        return self.arp_cache[:gateway] unless should_arp? target_ip
        source_ip = Rex::Socket.source_address(target_ip)
        raise RuntimeError, "Could not access the capture process." unless self.arp_capture
        p = arp_packet(target_ip, source_ip)
        inject_eth(:eth_type  => 0x0806,
          :payload   => p,
          :pcap      => self.arp_capture,
          :eth_saddr => self.arp_cache[Rex::Socket.source_address(target_ip)]
        )
        begin
          to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
          ::Timeout.timeout(to) do
            while (my_packet = inject_reply(:arp, self.arp_capture))
              if my_packet.arp_saddr_ip == target_ip
                self.arp_cache[target_ip] = my_packet.eth_saddr
                return self.arp_cache[target_ip]
              else
                next
              end
            end
          end
        rescue ::Timeout::Error
        end
      end

      # Creates a full ARP packet, mainly for use with inject_eth()
      def arp_packet(target_ip=nil, source_ip=nil)
        p               = PacketFu::ARPPacket.new
        p.arp_opcode    = 1
        p.arp_daddr_ip  = target_ip || datastore['RHOST']
        p.arp_saddr_ip  = source_ip || datastore['LHOST']
        my_eth          = self.arp_cache[Rex::Socket.source_address(target_ip)]
        p.arp_saddr_mac = my_eth || "00:00:00:00:00:00"
        return p
      end

      # Allow modules to reset their arp caches arbitrarily.
      def expire_arpcache
        self.arp_cache = {}
      end

      # For compatabilty with Msf::Exploit::Remote::Ip
      def rhost
        datastore['RHOST']
      end

      def check_pcaprub_loaded
        if not @pcaprub_loaded
          print_status("The Pcaprub module is not available: #{@pcaprub_error}")
          raise RuntimeError, "Pcaprub not available"
        elsif not @network_interface_loaded
          print_status("The NetworkInterface module is not available: #{@network_interface_error}")
          raise RuntimeError, "NetworkInterface not available"
        else
          true
        end
      end

      def lookupnet
        check_pcaprub_loaded
        dev  = datastore['INTERFACE'] || ::Pcap.lookupdev
        mask = datastore['NETMASK'] || 24
        begin
          my_net = IPAddr.new("#{Pcap.lookupnet(dev).first}/#{mask}")
        rescue RuntimeError => e
          @pcaprub_error = e
          print_status("Cannot stat device: #{@pcaprub_error}")
          raise RuntimeError, "Pcaprub error: #{@pcaprub_error}"
        end
        return my_net
      end

      def should_arp?(ip)
        @mydev  ||= datastore['INTERFACE'] || ::Pcap.lookupdev
        @mymask ||= datastore['NETMASK'] || 24
        @mynet  ||= lookupnet
        @mynet.include?(IPAddr.new(ip))
      end

      attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache

      # Netifaces code

      def netifaces_implemented?
        @network_interface_loaded and
          NetworkInterface.respond_to?(:interfaces) and
          NetworkInterface.respond_to?(:addresses)
      end

      def list_interfaces
        check_pcaprub_loaded
        NetworkInterface.interfaces
      end

      def is_interface?(dev)
        check_pcaprub_loaded
        if RUBY_PLATFORM == "i386-mingw32"
          if dev =~ /\\Device\\NPF_\{[A-F0-9]{8}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{4}-[A-F0-9]{12}\}/
            return NetworkInterface.interfaces.include?(dev)
          elsif dev.to_s =~ /^[0-9]{1,2}$/
            if (dev.to_i <= NetworkInterface.interfaces.length) and (dev.to_i >= 0)
              return true
            else
              return false
            end
          else
            return false
          end
        else
          return NetworkInterface.interfaces.include?(dev)
        end
      end

      # This function is usefull only on windows where pcaprub use the GUID
      def get_interface_guid(dev)
        check_pcaprub_loaded
        if RUBY_PLATFORM == "i386-mingw32"
          if dev.to_s =~ /^[0-9]{1,2}$/
            if is_interface?(dev)
              NetworkInterface.interfaces[(dev.to_i) - 1]
            else
              return dev
            end
          else
            return dev
          end
        else #Non windows
          return dev
        end
      end

      def get_mac(dev)
        check_pcaprub_loaded
        dev   = get_interface_guid(dev)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
        raise RuntimeError, "Can not get mac address for interface #{dev}" if !addrs[NetworkInterface::AF_LINK][0]['addr']
        addrs[NetworkInterface::AF_LINK][0]['addr']
      end

      def get_ipv4_addr_count(dev)
        check_pcaprub_loaded
        dev   = get_interface_guid(dev)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
        addrs[NetworkInterface::AF_INET].length
      end

      def get_ipv4_addr(dev, num=0)
        check_pcaprub_loaded
        dev   = get_interface_guid(dev)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
        raise RuntimeError, "Can not get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']
        addrs[NetworkInterface::AF_INET][num]['addr']
      end

      def get_ipv4_netmask(dev, num=0)
        check_pcaprub_loaded
        dev   = get_interface_guid(dev)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
        raise RuntimeError, "Can not get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']
        addrs[NetworkInterface::AF_INET][num]['netmask']
      end

      def get_ipv4_broadcast(dev, num=0)
        check_pcaprub_loaded
        dev   = get_interface_guid(dev)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
        raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
        raise RuntimeError, "Can not get IPv4 broadcast address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['broadcast']
        addrs[NetworkInterface::AF_INET][num]['broadcast']
      end

      def get_ipv6_addr_count(dev)
        check_pcaprub_loaded
        dev = get_interface_guid(dev)
        raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
        addrs[NetworkInterface::AF_INET6].length
      end

      # NOTE: IPv6 is not implemented on Windows
      def get_ipv6_addr(dev, num=0)
        check_pcaprub_loaded
        dev = get_interface_guid(dev)
        raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
        raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
        raise RuntimeError, "Can not get ipv6 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['addr']
        addrs[NetworkInterface::AF_INET6][num]['addr'].gsub(/%(.)*$/, '')
      end

      def get_ipv6_netmask(dev, num=0)
        check_pcaprub_loaded
        dev = get_interface_guid(dev)
        raise RuntimeError, "IPv6 information is not available on this platform" unless ::NetworkInterface.const_defined?(:AF_INET6)
        addrs = NetworkInterface.addresses(dev)
        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
        raise RuntimeError, "Interface #{dev} do not have an ipv6 address at position #{num}" if addrs[NetworkInterface::AF_INET6].length < num + 1
        raise RuntimeError, "Can not get ipv6 netmask address for interface #{dev}" if !addrs[NetworkInterface::AF_INET6][num]['netmask']
        addrs[NetworkInterface::AF_INET6][num]['netmask']
      end

      # Protocol-specific encoding/decoding methods until more
      # application protos get into PacketFu proper

      # Intended to be used as the payload to an ICMP echo request's payload
      def capture_icmp_echo_pack(id=nil, seq=nil, payload=nil)
        id  ||= rand(0x10000)
        seq ||= rand(0x10000)
        [id, seq, payload.to_s].pack("nna*")
      end

      # Decodes and ICMP echo request or response.
      def capture_icmp_echo_unpack(data)
        data.unpack("nna*")
      end

    end

  end

end