Land rapid7#7774, Fix pivoting of UDP sockets in scanners

Author: wchen-r7

lib/msf/core/auxiliary/udp_scanner.rb

@@ -43,16 +43,41 @@ def run_batch_size
     datastore['BATCHSIZE'].to_i
   end
 
+  def udp_sock(ip, port)
+    @udp_socks_mutex.synchronize do
+      key = "#{ip}:#{port}"
+      unless @udp_socks.key?(key)
+        @udp_socks[key] =
+          Rex::Socket::Udp.create({
+            'LocalHost' => datastore['CHOST'] || nil,
+            'LocalPort' => datastore['CPORT'] || 0,
+            'PeerHost'  => ip,
+            'PeerPort'  => port,
+            'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
+          })
+        add_socket(@udp_socks[key])
+      end
+      return @udp_socks[key]
+    end
+  end
+
+  def cleanup_udp_socks
+    @udp_socks_mutex.synchronize do
+      @udp_socks.each do |key, sock|
+        @udp_socks.delete(key)
+        remove_socket(sock)
+        sock.close
+      end
+    end
+  end
+
   # Start scanning a batch of IP addresses
   def run_batch(batch)
-    @udp_sock = Rex::Socket::Udp.create({
-      'LocalHost' => datastore['CHOST'] || nil,
-      'LocalPort' => datastore['CPORT'] || 0,
-      'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
-    })
-    add_socket(@udp_sock)
+    @udp_socks = {}
+    @udp_socks_mutex = Mutex.new
 
     @udp_send_count = 0
+    @interval_mutex = Mutex.new
 
     # Provide a hook for pre-scanning setup
     scanner_prescan(batch)
@@ -95,9 +120,10 @@ def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
   def scanner_send(data, ip, port)
 
     resend_count = 0
+    sock = nil
     begin
-
-      @udp_sock.sendto(data, ip, port, 0)
+      sock = udp_sock(ip, port)
+      sock.send(data, 0)
 
     rescue ::Errno::ENOBUFS
       resend_count += 1
@@ -112,15 +138,16 @@ def scanner_send(data, ip, port)
 
       retry
 
-    rescue ::Rex::ConnectionError
+    rescue ::Rex::ConnectionError, ::Errno::ECONNREFUSED
       # This fires for host unreachable, net unreachable, and broadcast sends
       # We can safely ignore all of these for UDP sends
     end
 
-    @udp_send_count += 1
-
-    if @udp_send_count % datastore['ScannerRecvInterval'] == 0
-      scanner_recv(0.1)
+    @interval_mutex.synchronize do
+      @udp_send_count += 1
+      if @udp_send_count % datastore['ScannerRecvInterval'] == 0
+        scanner_recv(0.1)
+      end
     end
 
     true
@@ -129,29 +156,38 @@ def scanner_send(data, ip, port)
   # Process incoming packets and dispatch to the module
   # Ensure a response flood doesn't trap us in a loop
   # Ignore packets outside of our project's scope
-  def scanner_recv(timeout=0.1)
+  def scanner_recv(timeout = 0.1)
     queue = []
-    while (res = @udp_sock.recvfrom(65535, timeout))
+    start = Time.now
+    while Time.now - start < timeout do
+      readable, _, _ = ::IO.select(@udp_socks.values, nil, nil, timeout)
+      if readable
+        for sock in readable
+          res = sock.recvfrom(65535, timeout)
 
-      # Ignore invalid responses
-      break if not res[1]
+          # Ignore invalid responses
+          break if not res[1]
 
-      # Ignore empty responses
-      next if not (res[0] and res[0].length > 0)
+          # Ignore empty responses
+          next if not (res[0] and res[0].length > 0)
 
-      # Trim the IPv6-compat prefix off if needed
-      shost = res[1].sub(/^::ffff:/, '')
+          # Trim the IPv6-compat prefix off if needed
+          shost = res[1].sub(/^::ffff:/, '')
 
-      # Ignore the response if we have a boundary
-      next unless inside_workspace_boundary?(shost)
+          # Ignore the response if we have a boundary
+          next unless inside_workspace_boundary?(shost)
 
-      queue << [res[0], shost, res[2]]
+          queue << [res[0], shost, res[2]]
 
-      if queue.length > datastore['ScannerRecvQueueLimit']
-        break
+          if queue.length > datastore['ScannerRecvQueueLimit']
+            break
+          end
+        end
       end
     end
 
+    cleanup_udp_socks
+
     queue.each do |q|
       scanner_process(*q)
     end

lib/rex/post/meterpreter/channels/datagram.rb

@@ -33,12 +33,21 @@ def type?
       'udp'
     end
 
-    def recvfrom_nonblock(length,flags = nil)
-      return [super(length, flags)[0], super(length, flags)[0]]
+    def recvfrom_nonblock(length, flags = 0)
+      data = super(length, flags)[0]
+      sockaddr = super(length, flags)[0]
+      [data, sockaddr]
     end
 
-    def send(buf, flags, saddr)
-      channel.send(buf, flags, saddr)
+    #
+    # This should work just like a UDPSocket.send method
+    #
+    # send(mesg, flags, host, port) => numbytes_sent click to toggle source
+    # send(mesg, flags, sockaddr_to) => numbytes_sent
+    # send(mesg, flags) => numbytes_sent
+    #
+    def send(buf, flags, a = nil, b = nil)
+      channel.send(buf, flags, a, b)
     end
   end
 
@@ -53,17 +62,12 @@ def dio_write_handler(packet, data)
     )
 
     if peerhost && peerport
-      # Maxlen here is 65507, to ensure we dont overflow, we need to write twice
-      # If the other side has a full 64k, handle by splitting up the datagram and
-      # writing multiple times along with the sockaddr. Consumers calling recvfrom
-      # repeatedly will buffer up all the pieces.
-      while data.length > 65507
-        rsock.syswrite(data[0..65506])
-        rsock.syswrite(Rex::Socket.to_sockaddr(peerhost,peerport))
-        data = data - data[0..65506]
-      end
-      rsock.syswrite(data)
-      rsock.syswrite(Rex::Socket.to_sockaddr(peerhost,peerport))
+      # A datagram can be maximum 65507 bytes, truncate longer messages
+      rsock.syswrite(data[0..65506])
+
+      # We write the data and sockaddr data to the local socket, the pop it
+      # back in recvfrom_nonblock.
+      rsock.syswrite(Rex::Socket.to_sockaddr(peerhost, peerport))
       return true
     else
       return false

lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/udp_channel.rb

@@ -77,24 +77,41 @@ def initialize(client, cid, type, flags)
   end
 
   #
-  # This function is called by Rex::Socket::Udp.sendto and writes data to a specified
-  # remote peer host/port via the remote end of the channel.
+  # This function is called by Rex::Socket::Udp.sendto and writes data to a
+  # specified remote peer host/port via the remote end of the channel.
   #
-  def send(buf, flags, saddr)
-    _af, peerhost, peerport = Rex::Socket.from_sockaddr(saddr)
+  # This should work just like a UDPSocket.send method
+  #
+  # send(mesg, flags, host, port) => numbytes_sent click to toggle source
+  # send(mesg, flags, sockaddr_to) => numbytes_sent
+  # send(mesg, flags) => numbytes_sent
+  #
+  def send(buf, flags, a = nil, b = nil)
+    host = nil
+    port = nil
 
-    addends = [
-      {
-        'type'  => TLV_TYPE_PEER_HOST,
-        'value' => peerhost
-      },
-      {
-        'type'  => TLV_TYPE_PEER_PORT,
-        'value' => peerport
-      }
-    ]
+    if a && b.nil?
+      _, host, port = Rex::Socket.from_sockaddr(a)
+    elsif a && b
+      host = a
+      port = b
+    end
+
+    addends = nil
+    if host && port
+      addends = [
+        {
+          'type'  => TLV_TYPE_PEER_HOST,
+          'value' => host
+        },
+        {
+          'type'  => TLV_TYPE_PEER_PORT,
+          'value' => port
+        }
+      ]
+    end
 
-    return _write(buf, buf.length, addends)
+    _write(buf, buf.length, addends)
   end
 
 end

modules/auxiliary/scanner/misc/rosewill_rxs3211_passwords.rb

@@ -8,7 +8,7 @@
 
 class MetasploitModule < Msf::Auxiliary
 
-  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Udp
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
 
@@ -42,8 +42,6 @@ def run_host(ip)
     password = nil
 
     begin
-      # Create an unbound UDP socket if no CHOST is specified, otherwise
-      # create a UDP socket bound to CHOST (in order to avail of pivoting)
       udp_sock = Rex::Socket::Udp.create( {
         'LocalHost' => datastore['CHOST'] || nil,
         'PeerHost'  => ip,