Configurable fix for rapid7#4305

jhart-r7 · jhart-r7 · commit 7f425fc3aba6 · 2014-12-04T13:17:34.000-08:00
Rename UDP_SECRET to just SECRET, as it is used for more than just UDP

Rename and properly document GATEWAY option

Introduce an option to configure what UDP port will be probed
diff --git a/lib/msf/core/exploit/capture.rb b/lib/msf/core/exploit/capture.rb
@@ -37,8 +37,16 @@ def initialize(info = {})
 
         register_advanced_options(
           [
-            OptInt.new('UDP_SECRET', [true, 'The 32-bit cookie for UDP probe requests.', 1297303091]),
-            OptAddress.new('GATEWAY', [false, 'The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.']),
+            OptInt.new('SECRET', [true, 'A 32-bit cookie for probe requests.', 'MSF!'.unpack('N')]),
+            OptAddress.new('GATEWAY_PROBE_HOST',
+                           [
+                             true,
+                             'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
+                             'www.metasploit.com'])
+            OptPort.new('GATEWAY_PROBE_PORT',
+                        [
+                          false,
+                          'The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)'])
           ], Msf::Exploit::Capture
         )
 
@@ -116,7 +124,7 @@ def open_pcap(opts={})
           self.capture = ::Pcap.open_live(dev, len, true, tim)
           if do_arp
             self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
-            preamble         = datastore['UDP_SECRET'].to_i
+            preamble         = datastore['SECRET'].to_i
             arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
             self.arp_capture.setfilter(arp_filter)
           end
@@ -303,19 +311,18 @@ def lookup_eth(addr=nil, iface=nil)
       end
 
       def probe_gateway(addr)
-        dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
-        dst_port = rand(30000)+1024
-        preamble = [datastore['UDP_SECRET']].pack("N")
+        dst_host = datastore['GATEWAY_PROBE_HOST']
+        dst_port = datastore['GATEWAY_PROBE_PORT'] == 0 ? rand(30000) + 1024 : datastore['GATEWAY_PROBE_PORT']
+        preamble = [datastore['SECRET']].pack("N")
         secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
 
         begin
           UDPSocket.open do |sock|
             sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_TTL, 1)
             sock.send(secret, 0, dst_host, dst_port)
           end
-          #UDPSocket.open.send(secret, 0, dst_host, dst_port)
         rescue Errno::ENETUNREACH
-          # This happens on networks with no gatway. We'll need to use a
+          # This happens on networks with no gateway. We'll need to use a
           # fake source hardware address.
           self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
         end
