Register nameserver with framework

Author: smashery

lib/msf/core/framework.rb

@@ -81,6 +81,7 @@ def initialize(options={})
     # Configure the SSL certificate generator
     require 'msf/core/cert_provider'
     Rex::Socket::Ssl.cert_provider = Msf::Ssl::CertProvider
+    initialize_dns_resolver
 
     subscriber = FrameworkEventSubscriber.new(self)
     events.add_exploit_subscriber(subscriber)
@@ -90,6 +91,16 @@ def initialize(options={})
     events.add_ui_subscriber(subscriber)
   end
 
+  def initialize_dns_resolver
+    self.dns_resolver = Rex::Proto::DNS::CachedResolver.new
+    self.dns_resolver.extend(Rex::Proto::DNS::CustomNameserverProvider)
+    Rex::Socket._install_global_resolver(self.dns_resolver)
+  end
+
+  def dns_resolver
+    self.dns_resolver
+  end
+
   def inspect
     "#<Framework (#{sessions.length} sessions, #{jobs.length} jobs, #{plugins.length} plugins#{db.active ? ", #{db.driver} database active" : ""})>"
   end
@@ -147,6 +158,10 @@ def version
     Version
   end
 
+  #
+  # DNS resolver for the framework
+  #
+  attr_reader   :dns_resolver
   #
   # Event management interface for registering event handler subscribers and
   # for interacting with the correlation engine.
@@ -278,6 +293,7 @@ def eicar_corrupted?
   #   @return [Hash]
   attr_accessor :options
 
+  attr_writer   :dns_resolver #:nodoc:
   attr_writer   :events # :nodoc:
   attr_writer   :modules # :nodoc:
   attr_writer   :datastore # :nodoc:

lib/msf/ui/console/command_dispatcher/dns.rb

@@ -1,6 +1,11 @@
 # -*- coding: binary -*-
 
-class Msf::Ui::Console::CommandDispatcher::DNS
+module Msf
+module Ui
+module Console
+module CommandDispatcher
+
+class DNS
 
   include Msf::Ui::Console::CommandDispatcher
 
@@ -83,9 +88,9 @@ def cmd_dns(*args)
       when "remove", "del"
         remove_dns(*args)
       when "purge"
-        purge_dns(*args)
+        purge_dns
       when "print"
-        print_dns(*args)
+        print_dns
       when "help"
         cmd_dns_help
       end
@@ -133,19 +138,81 @@ def add_dns(*args)
     end
 
     servers.each do |host|
-      unless host =~ Resolv::IPv4::Regex || 
-             host =~ Resolv::IPv6::Regex
+      unless Rex::Socket.is_ip_addr?(host)
         raise ::ArgumentError.new("Invalid DNS server: #{host}")
       end
     end
+
+    unless comm.nil?
+      raise ::ArgumentError.new("Not a valid number: #{comm}") unless comm =~ /^\d+$/
+      comm_int = comm.to_i
+      raise ::ArgumentError.new("Session does not exist: #{comm}") unless driver.framework.sessions.include?(comm_int)
+
+    end
+
+    # Split each DNS server entry up into a separate entry
+    servers.each do |server|
+      driver.framework.dns_resolver.add_nameserver(rules, server, comm_int)
+    end
   end
 
   def remove_dns(*args)
   end
 
-  def purge_dns(*args)
+  def purge_dns
+    driver.framework.dns_resolver.purge
   end
 
-  def print_dns(*args)
+  def print_dns
+    results = driver.framework.dns_resolver.nameserver_entries
+    columns = ['ID','Rule(s)', 'DNS Server(s)', 'Comm channel']
+    print_dns_set('Custom nameserver rules', columns, results[0].map {|hash| [hash[:id], hash[:wildcard_rules].join(','), hash[:dns_server], prettify_comm(hash[:comm], hash[:dns_server])]})
+
+    # Default nameservers don't include a rule
+    columns = ['ID', 'DNS Server(s)', 'Comm channel']
+    print_dns_set('Default nameservers', columns, results[1].map {|hash| [hash[:id], hash[:dns_server], prettify_comm(hash[:comm], hash[:dns_server])]})
   end
+
+  private
+
+  def prettify_comm(comm, dns_server)
+    if comm.nil?
+      channel = Rex::Socket::SwitchBoard.best_comm(dns_server)
+      if channel.nil?
+        comm_text = nil
+      else
+        comm_text = "Session #{channel.sid} (auto)"
+      end
+    else
+      if driver.framework.sessions.include?(comm)
+        comm_text = "Session #{comm}"
+      else
+        comm_text = "Broken session (#{comm})"
+      end
+    end
+  end
+
+  def print_dns_set(heading, columns, result_set)
+    tbl = Table.new(
+        Table::Style::Default,
+        'Header'  => heading,
+        'Prefix'  => "\n",
+        'Postfix' => "\n",
+        'Columns' => columns
+        )
+    result_set.each do |row|
+      tbl << row
+    end
+
+    print(tbl.to_s) if tbl.rows.length > 0
+  end
+
+  def resolver
+    self.driver.framework.dns_resolver
+  end
+end
+
+end
+end
 end
+end

lib/rex/proto/dns/custom_nameserver_provider.rb

@@ -0,0 +1,85 @@
+module Rex
+module Proto
+module DNS
+
+  ##
+  # Provides a DNS resolver the ability to use different nameservers
+  # for different requests, based on the domain being queried.
+  ##
+  module CustomNameserverProvider
+
+    def init
+      self.entries_with_rules = []
+      self.entries_without_rules = []
+      self.next_id = 0
+    end
+
+    # Add a custom nameserver entry to the custom provider
+    # @param [wildcard_rules] Array<String> The wildcard rules to match a DNS request against
+    # @param [dns_server] Array<String> The list of IP addresses that would be used for this custom rule
+    # @param comm [Integer] The communication channel to be used for these DNS requests
+    def add_nameserver(wildcard_rules, dns_server, comm)
+      entry = {
+        :wildcard_rules => wildcard_rules,
+        :dns_server => dns_server,
+        :comm => comm,
+        :id => self.next_id
+      }
+      self.next_id += 1
+      if wildcard_rules.empty?
+        entries_without_rules << entry
+      else
+        entries_with_rules << entry
+      end
+    end
+
+    #
+    # The custom nameserver entries that have been configured
+    # @return [Array<Array>] An array containing two elements: The entries with rules, and the entries without rules
+    def nameserver_entries
+      [entries_with_rules, entries_without_rules]
+    end
+
+    def purge
+      init
+    end
+
+    def nameservers_for_packet(packet)
+      name = packet.question.qName
+      dns_servers = []
+
+      self.entries_with_rules.each do |entry|
+        entry[:wildcard_rules].each do |rule|
+          if matches(name, rule)
+            dns_servers.concat([entry[:dns_server], entry[:comm]])
+            break
+          end
+        end
+      end
+
+      # Only look at the rule-less entries if no rules were found (avoids DNS leaks)
+      if dns_servers.empty?
+        self.entries_without_rules.each do |entry|
+          dns_servers.concat([entry[:dns_server], entry[:comm]])
+        end
+      end
+      dns_servers.uniq!
+    end
+
+    def self.extended(mod)
+      mod.init
+    end
+
+    private
+
+    def matches(domain, pattern)
+      true
+    end
+
+    attr_accessor :entries_with_rules # Set of custom nameserver entries that specify a rule
+    attr_accessor :entries_without_rules # Set of custom nameserver entries that do not include a rule
+    attr_accessor :next_id # The next ID to have been allocated to an entry
+  end
+end
+end
+end

lib/rex/proto/dns/resolver.rb

@@ -110,6 +110,15 @@ def proxies=(prox, timeout_added = 250)
       end
     end
 
+    #
+    # Find the nameservers to use for a given DNS request
+    # @param dns_message [Dnsruby::Message] The DNS message to be sent
+    #
+    # @return [Array<Array>] A list of nameservers, each with Rex::Socket options
+    def nameservers_for_packet(dns_message)
+      @config[:nameservers].map {|ns| [ns, {}]}
+    end
+
     #
     # Send DNS request over appropriate transport and process response
     #
@@ -119,10 +128,6 @@ def proxies=(prox, timeout_added = 250)
     #
     # @return [Dnsruby::Message] DNS response
     def send(argument, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
-      if @config[:nameservers].size == 0
-        raise ResolverError, "No nameservers specified!"
-      end
-
       method = self.use_tcp? ? :send_tcp : :send_udp
 
       case argument
@@ -136,6 +141,10 @@ def send(argument, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
         packet = Rex::Proto::DNS::Packet.encode_drb(net_packet)
       end
 
+      if nameservers_for_packet(packet).size == 0
+        raise ResolverError, "No nameservers specified!"
+      end
+
       # Store packet_data for performance improvements,
       # so methods don't keep on calling Packet#encode
       packet_data = packet.encode
@@ -195,7 +204,8 @@ def send(argument, type = Dnsruby::Types::A, cls = Dnsruby::Classes::IN)
     def send_tcp(packet,packet_data,prox = @config[:proxies])
       ans = nil
       length = [packet_data.size].pack("n")
-      @config[:nameservers].each do |ns|
+      nameservers = nameservers_for_packet(packet)
+      nameservers.each do |ns, socket_options|
         begin
           socket = nil
           @config[:tcp_timeout].timeout do
@@ -208,6 +218,8 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
                   'Context' => @config[:context],
                   'Comm' => @config[:comm]
                 }
+                config.update(socket_options)
+
                 if @config[:source_port] > 0
                   config['LocalPort'] = @config[:source_port]
                 end
@@ -289,7 +301,8 @@ def send_tcp(packet,packet_data,prox = @config[:proxies])
     def send_udp(packet,packet_data)
       ans = nil
       response = ""
-      @config[:nameservers].each do |ns|
+      nameservers = nameservers_for_packet(packet)
+      nameservers.each do |ns, socket_options|
         begin
           @config[:udp_timeout].timeout do
             begin
@@ -299,6 +312,7 @@ def send_udp(packet,packet_data)
                 'Context' => @config[:context],
                 'Comm' => @config[:comm]
               }
+              config.update(socket_options)
               if @config[:source_port] > 0
                 config['LocalPort'] = @config[:source_port]
               end