Fully integrated Rex-socket-friendly DNS

Author: smashery

lib/msf/ui/console/command_dispatcher/dns.rb

@@ -14,6 +14,10 @@ class DNS
     ['-s', '--session'] => [true, 'Force the DNS request to occur over a particular channel (override routing rules)' ],
   )
 
+  @@remove_opts = Rex::Parser::Arguments.new(
+    ['-i'] => [true, 'Index to remove']
+  )
+
   def initialize(driver)
     super
   end
@@ -109,9 +113,8 @@ def add_dns(*args)
       end
       case opt
       when '--rule', '-r'
-        if val.nil?
-          raise ::ArgumentError.new('No rule specified')
-        end
+        raise ::ArgumentError.new('No rule specified') if val.nil?
+        raise ::ArgumentError.new("Invalid rule: #{val}") unless valid_rule(val)
 
         rules << val
       when '--session', '-s'
@@ -143,26 +146,50 @@ def add_dns(*args)
       end
     end
 
+    comm_obj = nil
+
     unless comm.nil?
       raise ::ArgumentError.new("Not a valid number: #{comm}") unless comm =~ /^\d+$/
       comm_int = comm.to_i
       raise ::ArgumentError.new("Session does not exist: #{comm}") unless driver.framework.sessions.include?(comm_int)
-
+      comm_obj = driver.framework.sessions[comm_int]
     end
 
     # Split each DNS server entry up into a separate entry
     servers.each do |server|
-      driver.framework.dns_resolver.add_nameserver(rules, server, comm_int)
+      driver.framework.dns_resolver.add_nameserver(rules, server, comm_obj)
     end
   end
 
+  #
+  # Is the given wildcard DNS entry valid?
+  def valid_rule(rule)
+    rule =~ /^(\*\.)?([a-z\d][a-z\d-]*[a-z\d]\.)+[a-z]+$/
+  end
+
+  #
+  # Remove all matching user-configured DNS entries
   def remove_dns(*args)
+    remove_ids = []
+    @@remove_opts.parse(args) do |opt, idx, val|
+      case opt
+      when '-i'
+        raise ::ArgumentError.new("Not a valid number: #{val}") unless val =~ /^\d+$/
+        remove_ids << val.to_i
+      end
+    end
+
+    driver.framework.dns_resolver.remove_ids(remove_ids)
   end
 
+  #
+  # Delete all user-configured DNS settings
   def purge_dns
     driver.framework.dns_resolver.purge
   end
 
+  #
+  # Display the user-configured DNS settings
   def print_dns
     results = driver.framework.dns_resolver.nameserver_entries
     columns = ['ID','Rule(s)', 'DNS Server(s)', 'Comm channel']
@@ -175,19 +202,21 @@ def print_dns
 
   private
 
+  #
+  # Get user-friendly text for displaying the session that this entry would go through
   def prettify_comm(comm, dns_server)
     if comm.nil?
       channel = Rex::Socket::SwitchBoard.best_comm(dns_server)
       if channel.nil?
-        comm_text = nil
+        nil
       else
-        comm_text = "Session #{channel.sid} (auto)"
+        "Session #{channel.sid} (route)"
       end
     else
-      if driver.framework.sessions.include?(comm)
-        comm_text = "Session #{comm}"
+      if comm.alive
+        "Session #{comm.sid}"
       else
-        comm_text = "Broken session (#{comm})"
+        "Closed session (#{comm.sid})"
       end
     end
   end

lib/rex/proto/dns/custom_nameserver_provider.rb

@@ -33,6 +33,16 @@ def add_nameserver(wildcard_rules, dns_server, comm)
       end
     end
 
+    #
+    # Remove entries with the given IDs
+    # Ignore entries that are not found
+    def remove_ids(ids)
+      ids.each do |id|
+        self.entries_with_rules.delete_if {|entry| entry[:id] == id}
+        self.entries_without_rules.delete_if {|entry| entry[:id] == id}
+      end
+    end
+
     #
     # The custom nameserver entries that have been configured
     # @return [Array<Array>] An array containing two elements: The entries with rules, and the entries without rules
@@ -45,25 +55,47 @@ def purge
     end
 
     def nameservers_for_packet(packet)
-      name = packet.question.qName
-      dns_servers = []
+      # Leaky abstraction: a packet could have multiple question entries,
+      # and each of these could have different nameservers, or travel via
+      # different comm channels. We can't allow DNS leaks, so for now, we
+      # will throw an error here.
+      results_from_all_questions = []
+      packet.question.each do |question|
+        name = question.qname.to_s
+        dns_servers = []
 
-      self.entries_with_rules.each do |entry|
-        entry[:wildcard_rules].each do |rule|
-          if matches(name, rule)
-            dns_servers.concat([entry[:dns_server], entry[:comm]])
-            break
+        self.entries_with_rules.each do |entry|
+          entry[:wildcard_rules].each do |rule|
+            socket_options = {}
+            socket_options['Comm'] = entry[:comm] unless entry[:comm].nil?
+            if matches(name, rule)
+              dns_servers.append([entry[:dns_server], socket_options])
+              break
+            end
+          end
+        end
+
+        # Only look at the rule-less entries if no rules were found (avoids DNS leaks)
+        if dns_servers.empty?
+          self.entries_without_rules.each do |entry|
+            socket_options = {}
+            socket_options['Comm'] = entry[:comm] unless entry[:comm].nil?
+            dns_servers.append([entry[:dns_server], socket_options])
           end
         end
-      end
 
-      # Only look at the rule-less entries if no rules were found (avoids DNS leaks)
-      if dns_servers.empty?
-        self.entries_without_rules.each do |entry|
-          dns_servers.concat([entry[:dns_server], entry[:comm]])
+        if dns_servers.empty?
+          # Fall back to default nameservers
+          dns_servers = super
         end
+        results_from_all_questions << dns_servers.uniq
+      end
+      results_from_all_questions.uniq!
+      if results_from_all_questions.size != 1
+        raise ResolverError.new('Inconsistent nameserver entries attempted to be sent in the one packet')
       end
-      dns_servers.uniq!
+
+      results_from_all_questions[0]
     end
 
     def self.extended(mod)
@@ -73,7 +105,11 @@ def self.extended(mod)
     private
 
     def matches(domain, pattern)
-      true
+      if pattern.start_with?('*.')
+        domain.downcase.end_with?(pattern[1..-1].downcase)
+      else
+        domain.casecmp?(pattern)
+      end
     end
 
     attr_accessor :entries_with_rules # Set of custom nameserver entries that specify a rule

lib/rex/proto/dns/resolver.rb

@@ -14,7 +14,7 @@ module DNS
   class Resolver < Net::DNS::Resolver
 
     Defaults = {
-      :config_file => "/dev/null", # default can lead to info leaks
+      :config_file => "/etc/resolv.conf",
       :log_file => "/dev/null", # formerly $stdout, should be tied in with our loggers
       :port => 53,
       :searchlist => [],
@@ -141,7 +141,8 @@ def send(argument, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
         packet = Rex::Proto::DNS::Packet.encode_drb(net_packet)
       end
 
-      if nameservers_for_packet(packet).size == 0
+      nameservers = nameservers_for_packet(packet)
+      if nameservers.size == 0
         raise ResolverError, "No nameservers specified!"
       end
 
@@ -210,6 +211,7 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
           socket = nil
           @config[:tcp_timeout].timeout do
             catch(:next_ns) do
+              suffix = ''
               begin
                 config = {
                   'PeerHost' => ns.to_s,
@@ -219,7 +221,12 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                   'Comm' => @config[:comm]
                 }
                 config.update(socket_options)
+                unless config['Comm'].nil? || config['Comm'].alive?
+                  @logger.warn("Session #{config['Comm'].sid} not active, and cannot be used to resolve DNS")
+                  throw :next_ns
+                end
 
+                suffix = " over session #{@config['Comm'].sid}" unless @config['Comm'].nil?
                 if @config[:source_port] > 0
                   config['LocalPort'] = @config[:source_port]
                 end
@@ -228,11 +235,11 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                 end
                 socket = Rex::Socket::Tcp.create(config)
               rescue
-                @logger.warn "TCP Socket could not be established to #{ns}:#{@config[:port]} #{@config[:proxies]}"
+                @logger.warn "TCP Socket could not be established to #{ns}:#{@config[:port]} #{@config[:proxies]}#{suffix}"
                 throw :next_ns
               end
               next unless socket #
-              @logger.info "Contacting nameserver #{ns} port #{@config[:port]}"
+              @logger.info "Contacting nameserver #{ns} port #{@config[:port]}#{suffix}"
               socket.write(length+packet_data)
               got_something = false
               loop do
@@ -241,15 +248,15 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                 begin
                   ans = socket.recv(2)
                 rescue Errno::ECONNRESET
-                  @logger.warn "TCP Socket got Errno::ECONNRESET from #{ns}:#{@config[:port]} #{@config[:proxies]}"
+                  @logger.warn "TCP Socket got Errno::ECONNRESET from #{ns}:#{@config[:port]} #{@config[:proxies]}#{suffix}"
                   attempts -= 1
                   retry if attempts > 0
                 end
                 if ans.size == 0
                   if got_something
                     break #Proper exit from loop
                   else
-                    @logger.warn "Connection reset to nameserver #{ns}, trying next."
+                    @logger.warn "Connection reset to nameserver #{ns}#{suffix}, trying next."
                     throw :next_ns
                   end
                 end
@@ -259,7 +266,7 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                 @logger.info "Receiving #{len} bytes..."
 
                 if len.nil? or len == 0
-                  @logger.warn "Receiving 0 length packet from nameserver #{ns}, trying next."
+                  @logger.warn "Receiving 0 length packet from nameserver #{ns}#{suffix}, trying next."
                   throw :next_ns
                 end
 
@@ -270,7 +277,7 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                 end
 
                 unless buffer.size == len
-                  @logger.warn "Malformed packet from nameserver #{ns}, trying next."
+                  @logger.warn "Malformed packet from nameserver #{ns}#{suffix}, trying next."
                   throw :next_ns
                 end
                 if block_given?
@@ -282,7 +289,7 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
             end
           end
         rescue Timeout::Error
-          @logger.warn "Nameserver #{ns} not responding within TCP timeout, trying next one"
+          @logger.warn "Nameserver #{ns}#{suffix} not responding within TCP timeout, trying next one"
           next
         ensure
           socket.close if socket
@@ -313,6 +320,11 @@ def send_udp(packet,packet_data)
                 'Comm' => @config[:comm]
               }
               config.update(socket_options)
+              unless config['Comm'].nil? || config['Comm'].alive?
+                @logger.warn("Session #{config['Comm'].sid} not active, and cannot be used to resolve DNS")
+                throw :next_ns
+              end
+
               if @config[:source_port] > 0
                 config['LocalPort'] = @config[:source_port]
               end