Updates to NAT-PMP, lands rapid7#4041

HD Moore · HD Moore · commit 935a23296dd8 · 2014-10-20T11:26:26.000-05:00
diff --git a/lib/msf/core/auxiliary/natpmp.rb b/lib/msf/core/auxiliary/natpmp.rb
@@ -18,10 +18,20 @@ def initialize(info = {})
     register_options(
       [
         Opt::RPORT(Rex::Proto::NATPMP::DefaultPort),
-        Opt::CHOST
+        Opt::CHOST,
+        OptInt.new('LIFETIME', [true, "Time in ms to keep this port forwarded (set to 0 to destroy a mapping)", 3600000]),
+        OptEnum.new('PROTOCOL', [true, "Protocol to forward", 'TCP', %w(TCP UDP)])
       ],
       self.class
     )
   end
+
+  def lifetime
+    @lifetime ||= datastore['LIFETIME']
+  end
+
+  def protocol
+    @protocol ||= datastore['PROTOCOL']
+  end
 end
 end
diff --git a/lib/rex/proto/natpmp/packet.rb b/lib/rex/proto/natpmp/packet.rb
@@ -3,8 +3,6 @@
 #
 # NAT-PMP protocol support
 #
-# by Jon Hart <jhart@spoofed.org>
-#
 ##
 
 module Rex
@@ -16,13 +14,42 @@ def external_address_request
     [ 0, 0 ].pack('nn')
   end
 
+  def get_external_address(udp_sock, host, port, timeout=1)
+    vprint_status("#{host}:#{port} - Probing NAT-PMP for external address")
+    udp_sock.sendto(external_address_request, host, port, 0)
+    external_address = nil
+    while (r = udp_sock.recvfrom(12, timeout) and r[1])
+      (ver, op, result, epoch, external_address) = parse_external_address_response(r[0])
+      if external_address
+        vprint_good("#{host}:#{port} - NAT-PMP external address is #{external_address}")
+        break
+      end
+    end
+    external_address
+  end
+
   # Parse a NAT-PMP external address response +resp+.
   # Returns the decoded parts of the response as an array.
   def parse_external_address_response(resp)
     (ver, op, result, epoch, addr) = resp.unpack("CCnNN")
     [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
   end
 
+  def map_port(udp_sock, host, port, int_port, ext_port, protocol, lifetime, timeout=1)
+    vprint_status("#{host}:#{port} - Sending NAT-PMP mapping request")
+    # build the mapping request
+    req = map_port_request(int_port, ext_port,
+      Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), datastore['LIFETIME'])
+    # send it
+    udp_sock.sendto(req, host, datastore['RPORT'], 0)
+    # handle the reply
+    while (r = udp_sock.recvfrom(16, timeout) and r[1])
+      (_, _, result, _, _, actual_ext_port, _) = parse_map_port_response(r[0])
+      return (result == 0 ? actual_ext_port : nil)
+    end
+    nil
+  end
+
   # Return a NAT-PMP request to map remote port +rport+/+protocol+ to local port +lport+ for +lifetime+ ms
   def map_port_request(lport, rport, protocol, lifetime)
     [ Rex::Proto::NATPMP::Version, # version
@@ -39,6 +66,7 @@ def map_port_request(lport, rport, protocol, lifetime)
   def parse_map_port_response(resp)
     resp.unpack("CCnNnnN")
   end
+
 end
 
 end
diff --git a/modules/auxiliary/admin/natpmp/natpmp_map.rb b/modules/auxiliary/admin/natpmp/natpmp_map.rb
@@ -22,15 +22,48 @@ def initialize
 
     register_options(
       [
-        OptPort.new('EXTERNAL_PORT', [true, 'The external port to foward from']),
-        OptPort.new('INTERNAL_PORT', [true, 'The internal port to forward to']),
-        OptInt.new('LIFETIME', [true, "Time in ms to keep this port forwarded", 3600000]),
-        OptEnum.new('PROTOCOL', [true, "Protocol to forward", 'TCP', %w(TCP UDP)]),
+        OptString.new('EXTERNAL_PORTS', [true, 'The external ports to foward from (0 to let the target choose)', 0]),
+        OptString.new('INTERNAL_PORTS', [true, 'The internal ports to forward to', '22,135-139,80,443,445'])
       ],
       self.class
     )
   end
 
+  def build_ports(ports_string)
+    # We don't use Rex::Socket.portspec_crack because we need to allow 0 and preserve order
+    ports = []
+    ports_string.split(/[ ,]/).map { |s| s.strip }.compact.each do |port_part|
+      if /^(?<port>\d+)$/ =~ port_part
+        ports << port.to_i
+      elsif /^(?<low>\d+)\s*-\s*(?<high>\d+)$/ =~ port_part
+        ports |= (low..high).to_a.map(&:to_i)
+      else
+        fail ArgumentError, "Invalid port specification #{port_part}"
+      end
+    end
+    ports
+  end
+
+  def setup
+    super
+    @external_ports = build_ports(datastore['EXTERNAL_PORTS'])
+    @internal_ports = build_ports(datastore['INTERNAL_PORTS'])
+
+    if @external_ports.size > @internal_ports.size
+      fail ArgumentError, "Too many external ports specified (#{@external_ports.size}); " +
+        "must be one port (0) or #{@internal_ports.size} ports"
+    end
+
+    if @external_ports.size < @internal_ports.size
+      if @external_ports != [0]
+        fail ArgumentError, "Incorrect number of external ports specified (#{@external_ports.size}); " +
+          "must be one port (0) or #{@internal_ports.size} ports"
+      else
+        @external_ports = [0] * @internal_ports.size
+      end
+    end
+  end
+
   def run_host(host)
     begin
 
@@ -40,25 +73,42 @@ def run_host(host)
       })
       add_socket(udp_sock)
 
-      # get the external address first
-      vprint_status "#{host} - NATPMP - Probing for external address"
-      udp_sock.sendto(external_address_request, host, datastore['RPORT'], 0)
-      external_address = nil
-      while (r = udp_sock.recvfrom(12, 1) and r[1])
-        (ver, op, result, epoch, external_address) = parse_external_address_response(r[0])
-      end
+      external_address = get_external_address(udp_sock, host, datastore['RPORT']) || host
+
+      @external_ports.each_index do |i|
+        external_port = @external_ports[i]
+        internal_port = @internal_ports[i]
 
-      vprint_status "#{host} - NATPMP - Sending mapping request"
-      # build the mapping request
-      req = map_port_request(
-          datastore['INTERNAL_PORT'], datastore['EXTERNAL_PORT'],
-          Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), datastore['LIFETIME']
-      )
-      # send it
-      udp_sock.sendto(req, host, datastore['RPORT'], 0)
-      # handle the reply
-      while (r = udp_sock.recvfrom(16, 1) and r[1])
-        handle_reply(Rex::Socket.source_address(host), host, external_address, r)
+        actual_ext_port = map_port(udp_sock, host, datastore['RPORT'], internal_port, external_port, Rex::Proto::NATPMP.const_get(protocol), lifetime)
+        map_target = Rex::Socket.source_address(host)
+        requested_forwarding = "#{external_address}:#{external_port}/#{protocol}" +
+                              " -> " +
+                              "#{map_target}:#{internal_port}/#{protocol}"
+        if actual_ext_port
+          map_target = datastore['CHOST'] ? datastore['CHOST'] : Rex::Socket.source_address(host)
+          actual_forwarding = "#{external_address}:#{actual_ext_port}/#{protocol}" +
+                                " -> " +
+                                "#{map_target}:#{internal_port}/#{protocol}"
+          if external_port == 0
+            print_good("#{actual_forwarding} forwarded")
+          else
+            if (external_port != 0 && external_port != actual_ext_port)
+              print_good("#{requested_forwarding} could not be forwarded, but #{actual_forwarding} could")
+            else
+              print_good("#{requested_forwarding} forwarded")
+            end
+          end
+        else
+          print_error("#{requested_forwarding} could not be forwarded")
+        end
+
+        report_service(
+          :host   => host,
+          :port   => datastore['RPORT'],
+          :proto  => 'udp',
+          :name  => 'natpmp',
+          :state => Msf::ServiceState::Open
+        )
       end
     rescue ::Interrupt
       raise $!
@@ -69,43 +119,4 @@ def run_host(host)
     end
   end
 
-  def handle_reply(map_target, host, external_address, pkt)
-    return if not pkt[1]
-
-    if(pkt[1] =~ /^::ffff:/)
-      pkt[1] = pkt[1].sub(/^::ffff:/, '')
-    end
-
-    (ver, op, result, epoch, internal_port, external_port, lifetime) = parse_map_port_response(pkt[0])
-
-    if (result == 0)
-      if (datastore['EXTERNAL_PORT'] != external_port)
-        print_status(	"#{external_address} " +
-                "#{datastore['EXTERNAL_PORT']}/#{datastore['PROTOCOL']} -> #{map_target} " +
-                "#{internal_port}/#{datastore['PROTOCOL']} couldn't be forwarded")
-      end
-      print_status(	"#{external_address} " +
-              "#{external_port}/#{datastore['PROTOCOL']} -> #{map_target} " +
-              "#{internal_port}/#{datastore['PROTOCOL']} forwarded")
-    end
-
-    # report NAT-PMP as being open
-    report_service(
-      :host   => host,
-      :port   => pkt[2],
-      :proto  => 'udp',
-      :name  => 'natpmp',
-      :state => Msf::ServiceState::Open
-    )
-
-    # report the external port as being open
-    if inside_workspace_boundary?(external_address)
-      report_service(
-        :host   => external_address,
-        :port   => external_port,
-        :proto  => datastore['PROTOCOL'].to_s.downcase,
-        :state => Msf::ServiceState::Open
-      )
-    end
-  end
 end
diff --git a/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb b/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
@@ -23,8 +23,7 @@ def initialize
 
     register_options(
       [
-        OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-1000"]),
-        OptEnum.new('PROTOCOL', [true, "Protocol to scan", 'TCP', %w(TCP UDP)]),
+        OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-1000"])
       ], self.class)
   end
 
@@ -36,34 +35,24 @@ def run_host(host)
       )
       add_socket(udp_sock)
       peer = "#{host}:#{datastore['RPORT']}"
-      vprint_status("#{peer} Scanning #{datastore['PROTOCOL']} ports #{datastore['PORTS']} using NATPMP")
-
-      # first, send a request to get the external address
-      udp_sock.sendto(external_address_request, host, datastore['RPORT'], 0)
-      external_address = nil
-      while (r = udp_sock.recvfrom(12, 0.25) and r[1])
-        (ver,op,result,epoch,external_address) = parse_external_address_response(r[0])
-      end
+      vprint_status("#{peer} Scanning #{protocol} ports #{datastore['PORTS']} using NATPMP")
 
+      external_address = get_external_address(udp_sock, host, datastore['RPORT'])
       if (external_address)
         print_good("#{peer} responded with external address of #{external_address}")
       else
         vprint_status("#{peer} didn't respond with an external address")
         return
       end
 
-      Rex::Socket.portspec_crack(datastore['PORTS']).each do |port|
-        # send one request to clear the mapping if *we've* created it before
-        clear_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 0)
-        udp_sock.sendto(clear_req, host, datastore['RPORT'], 0)
-        while (r = udp_sock.recvfrom(16, 1.0) and r[1])
-        end
+      # clear all mappings
+      map_port(udp_sock, host, datastore['RPORT'], 0, 0, Rex::Proto::NATPMP.const_get(protocol), 0)
 
-        # now try the real mapping
+      Rex::Socket.portspec_crack(datastore['PORTS']).each do |port|
         map_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)
         udp_sock.sendto(map_req, host, datastore['RPORT'], 0)
         while (r = udp_sock.recvfrom(16, 1.0) and r[1])
-          handle_reply(host, external_address, r)
+          break if handle_reply(host, external_address, r)
         end
       end
 
@@ -94,6 +83,14 @@ def handle_reply(host, external_addr, pkt)
       if (int != ext)
         state = Msf::ServiceState::Open
         print_good("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with unmatched ports")
+        if inside_workspace_boundary?(external_addr)
+          report_service(
+            :host   => external_addr,
+            :port   => int,
+            :proto  => protocol,
+            :state => state
+          )
+        end
       else
         state = Msf::ServiceState::Closed
         print_status("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with matched ports") if (datastore['DEBUG'])
@@ -103,21 +100,13 @@ def handle_reply(host, external_addr, pkt)
       print_status("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
     end
 
-    if inside_workspace_boundary?(external_addr)
-      report_service(
-        :host   => external_addr,
-        :port   => int,
-        :proto  => protocol,
-        :state => state
-      )
-    end
-
     report_service(
       :host 	=> host,
       :port 	=> pkt[2],
       :name 	=> 'natpmp',
       :proto 	=> 'udp',
       :state	=> Msf::ServiceState::Open
     )
+    true
   end
 end
