Land rapid7#4317 and rapid7#4306, fix netmask tomfoolery

Author: Tod Beardsley

lib/msf/core/exploit/capture.rb

@@ -37,9 +37,16 @@ def initialize(info = {})
 
         register_advanced_options(
           [
-            OptInt.new('UDP_SECRET', [true, 'The 32-bit cookie for UDP probe requests.', 1297303091]),
-            OptAddress.new('GATEWAY', [false, 'The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set.']),
-            OptInt.new('NETMASK', [false, 'The local network mask. This is used to decide if an address is in the local network.', 24]),
+            OptInt.new('SECRET', [true, 'A 32-bit cookie for probe requests.', 'MSF!'.unpack('N').first]),
+            OptAddress.new('GATEWAY_PROBE_HOST',
+                           [
+                             true,
+                             'Send a TTL=1 random UDP datagram to this host to discover the default gateway\'s MAC',
+                             'www.metasploit.com']),
+            OptPort.new('GATEWAY_PROBE_PORT',
+                        [
+                          false,
+                          'The port on GATEWAY_PROBE_HOST to send a random UDP probe to (random if 0 or unset)'])
           ], Msf::Exploit::Capture
         )
 
@@ -117,7 +124,7 @@ def open_pcap(opts={})
           self.capture = ::Pcap.open_live(dev, len, true, tim)
           if do_arp
             self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
-            preamble         = datastore['UDP_SECRET'].to_i
+            preamble         = datastore['SECRET'].to_i
             arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
             self.arp_capture.setfilter(arp_filter)
           end
@@ -304,15 +311,18 @@ def lookup_eth(addr=nil, iface=nil)
       end
 
       def probe_gateway(addr)
-        dst_host = (datastore['GATEWAY'] || IPAddr.new((rand(16777216) + 2969567232), Socket::AF_INET).to_s)
-        dst_port = rand(30000)+1024
-        preamble = [datastore['UDP_SECRET']].pack("N")
+        dst_host = datastore['GATEWAY_PROBE_HOST']
+        dst_port = datastore['GATEWAY_PROBE_PORT'] == 0 ? rand(30000) + 1024 : datastore['GATEWAY_PROBE_PORT']
+        preamble = [datastore['SECRET']].pack("N")
         secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
 
         begin
-          UDPSocket.open.send(secret, 0, dst_host, dst_port)
+          UDPSocket.open do |sock|
+            sock.setsockopt(::Socket::IPPROTO_IP, ::Socket::IP_TTL, 1)
+            sock.send(secret, 0, dst_host, dst_port)
+          end
         rescue Errno::ENETUNREACH
-          # This happens on networks with no gatway. We'll need to use a
+          # This happens on networks with no gateway. We'll need to use a
           # fake source hardware address.
           self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
         end
@@ -402,9 +412,11 @@ def check_pcaprub_loaded
       def lookupnet
         check_pcaprub_loaded
         dev  = datastore['INTERFACE'] || ::Pcap.lookupdev
-        mask = datastore['NETMASK'] || 24
         begin
-          my_net = IPAddr.new("#{Pcap.lookupnet(dev).first}/#{mask}")
+          my_ip, my_mask = Pcap.lookupnet(dev)
+          # convert the netmask obtained from the relevant interface to CIDR
+          cidr_mask = my_mask.to_s(2).count('1')
+          my_net = IPAddr.new("#{my_ip}/#{cidr_mask}")
         rescue RuntimeError => e
           @pcaprub_error = e
           print_status("Cannot stat device: #{@pcaprub_error}")
@@ -414,10 +426,7 @@ def lookupnet
       end
 
       def should_arp?(ip)
-        @mydev  ||= datastore['INTERFACE'] || ::Pcap.lookupdev
-        @mymask ||= datastore['NETMASK'] || 24
-        @mynet  ||= lookupnet
-        @mynet.include?(IPAddr.new(ip))
+        lookupnet.include?(IPAddr.new(ip))
       end
 
       attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache

modules/auxiliary/scanner/discovery/arp_sweep.rb

@@ -30,7 +30,7 @@ def initialize
       OptInt.new('TIMEOUT', [true, 'The number of seconds to wait for new data', 5]),
     ], self.class)
 
-    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE', 'UDP_SECRET', 'GATEWAY', 'NETMASK')
+    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE', 'SECRET', 'GATEWAY_PROBE_HOST', 'GATEWAY_PROBE_PORT')
   end
 
   def run_batch_size

modules/auxiliary/server/icmp_exfil.rb

@@ -57,7 +57,7 @@ def initialize
       OptAddress.new('LOCALIP', [false, 'The IP address of the local interface'])
     ], self.class)
 
-    deregister_options('SNAPLEN','FILTER','PCAPFILE','RHOST','UDP_SECRET','GATEWAY','NETMASK', 'TIMEOUT')
+    deregister_options('SNAPLEN','FILTER','PCAPFILE','RHOST','SECRET','GATEWAY_PROBE_HOST', 'GATEWAY_PROBE_PORT', 'TIMEOUT')
   end
 
   def run

modules/auxiliary/spoof/arp/arp_poisoning.rb

@@ -47,7 +47,7 @@ def initialize
       OptBool.new(  'BROADCAST',    	[true, 'If set, the module will send replies on the broadcast address witout consideration of DHOSTS', false])
     ], self.class)
 
-    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE','RHOST','UDP_SECRET','GATEWAY','NETMASK')
+    deregister_options('SNAPLEN', 'FILTER', 'PCAPFILE','RHOST','SECRET','GATEWAY_PROBE_HOST','GATEWAY_PROBE_PORT')
   end
 
   def run

modules/auxiliary/spoof/replay/pcap_replay.rb

@@ -27,7 +27,7 @@ def initialize
       OptInt.new('PKT_DELAY', [true, "the delay in millisecond between each packet",0]),
     ], self.class)
 
-    deregister_options('SNAPLEN','FILTER','PCAPFILE','RHOST','TIMEOUT','UDP_SECRET','GATEWAY','NETMASK')
+    deregister_options('SNAPLEN','FILTER','PCAPFILE','RHOST','TIMEOUT','SECRET','GATEWAY_PROBE_HOST','GATEWAY_PROBE_PORT')
   end
 
   def run

modules/exploits/windows/misc/wireshark_packet_dect.rb

@@ -65,7 +65,7 @@ def initialize(info = {})
 
     ], self.class)
 
-    deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN','TIMEOUT','UDP_SECRET','NETMASK','GATEWAY')
+    deregister_options('FILTER','PCAPFILE','RHOST','SNAPLEN','TIMEOUT','SECRET','GATEWAY_PROBE_HOST','GATEWAY_PROBE_PORT')
   end
 
   def junk