Land rapid7#3687, reworks the nat-pmp portscanner

HD Moore · HD Moore · commit ba1f7c3bf6a3 · 2014-08-26T14:34:46.000-05:00
diff --git a/lib/msf/core/auxiliary/mixins.rb b/lib/msf/core/auxiliary/mixins.rb
@@ -20,6 +20,7 @@
 require 'msf/core/auxiliary/rservices'
 require 'msf/core/auxiliary/cisco'
 require 'msf/core/auxiliary/nmap'
+require 'msf/core/auxiliary/natpmp'
 require 'msf/core/auxiliary/iax2'
 require 'msf/core/auxiliary/ntp'
 require 'msf/core/auxiliary/pii'
diff --git a/lib/msf/core/auxiliary/natpmp.rb b/lib/msf/core/auxiliary/natpmp.rb
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+require 'rex/proto/natpmp'
+
+module Msf
+
+###
+#
+# This module provides methods for working with NAT-PMP
+#
+###
+module Auxiliary::NATPMP
+
+  include Auxiliary::Scanner
+  include Rex::Proto::NATPMP
+
+  def initialize(info = {})
+    super
+    register_options(
+      [
+        Opt::RPORT(Rex::Proto::NATPMP::DefaultPort),
+        Opt::CHOST
+      ],
+      self.class
+    )
+  end
+end
+end
diff --git a/lib/rex/proto/natpmp/packet.rb b/lib/rex/proto/natpmp/packet.rb
@@ -12,20 +12,20 @@ module Proto
 module NATPMP
 
   # Return a NAT-PMP request to get the external address.
-  def self.external_address_request
+  def external_address_request
     [ 0, 0 ].pack('nn')
   end
 
   # Parse a NAT-PMP external address response +resp+.
   # Returns the decoded parts of the response as an array.
-  def self.parse_external_address_response(resp)
-    (ver, op, result, epoch, addr) = resp.unpack("CCvVN")
+  def parse_external_address_response(resp)
+    (ver, op, result, epoch, addr) = resp.unpack("CCnNN")
     [ ver, op, result, epoch, Rex::Socket::addr_itoa(addr) ]
   end
 
   # Return a NAT-PMP request to map remote port +rport+/+protocol+ to local port +lport+ for +lifetime+ ms
-  def self.map_port_request(lport, rport, protocol, lifetime)
-    [   Rex::Proto::NATPMP::Version, # version
+  def map_port_request(lport, rport, protocol, lifetime)
+    [ Rex::Proto::NATPMP::Version, # version
       protocol, # opcode, which is now the protocol we are asking to forward
       0, # reserved
       lport,
@@ -36,8 +36,8 @@ def self.map_port_request(lport, rport, protocol, lifetime)
 
   # Parse a NAT-PMP mapping response +resp+.
   # Returns the decoded parts as an array.
-  def self.parse_map_port_response(resp)
-    resp.unpack("CCvVnnN")
+  def parse_map_port_response(resp)
+    resp.unpack("CCnNnnN")
   end
 end
 
diff --git a/modules/auxiliary/admin/natpmp/natpmp_map.rb b/modules/auxiliary/admin/natpmp/natpmp_map.rb
@@ -4,12 +4,13 @@
 ##
 
 require 'msf/core'
-require 'rex/proto/natpmp'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::NATPMP
+  include Rex::Proto::NATPMP
 
   def initialize
     super(
@@ -21,12 +22,10 @@ def initialize
 
     register_options(
       [
-        Opt::LPORT,
-        Opt::RPORT,
-        OptInt.new('NATPMPPORT', [true, "NAT-PMP port to use", Rex::Proto::NATPMP::DefaultPort]),
+        OptPort.new('EXTERNAL_PORT', [true, 'The external port to foward from']),
+        OptPort.new('INTERNAL_PORT', [true, 'The internal port to forward to']),
         OptInt.new('LIFETIME', [true, "Time in ms to keep this port forwarded", 3600000]),
         OptEnum.new('PROTOCOL', [true, "Protocol to forward", 'TCP', %w(TCP UDP)]),
-        Opt::CHOST
       ],
       self.class
     )
@@ -43,21 +42,20 @@ def run_host(host)
 
       # get the external address first
       vprint_status "#{host} - NATPMP - Probing for external address"
-      req = Rex::Proto::NATPMP.external_address_request
-      udp_sock.sendto(req, host, datastore['NATPMPPORT'], 0)
+      udp_sock.sendto(external_address_request, host, datastore['RPORT'], 0)
       external_address = nil
       while (r = udp_sock.recvfrom(12, 1) and r[1])
-        (ver, op, result, epoch, external_address) = Rex::Proto::NATPMP.parse_external_address_response(r[0])
+        (ver, op, result, epoch, external_address) = parse_external_address_response(r[0])
       end
 
       vprint_status "#{host} - NATPMP - Sending mapping request"
       # build the mapping request
-      req = Rex::Proto::NATPMP.map_port_request(
-          datastore['LPORT'].to_i, datastore['RPORT'].to_i,
+      req = map_port_request(
+          datastore['INTERNAL_PORT'], datastore['EXTERNAL_PORT'],
           Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), datastore['LIFETIME']
       )
       # send it
-      udp_sock.sendto(req, host, datastore['NATPMPPORT'], 0)
+      udp_sock.sendto(req, host, datastore['RPORT'], 0)
       # handle the reply
       while (r = udp_sock.recvfrom(16, 1) and r[1])
         handle_reply(Rex::Socket.source_address(host), host, external_address, r)
@@ -78,12 +76,12 @@ def handle_reply(map_target, host, external_address, pkt)
       pkt[1] = pkt[1].sub(/^::ffff:/, '')
     end
 
-    (ver, op, result, epoch, internal_port, external_port, lifetime) = Rex::Proto::NATPMP.parse_map_port_response(pkt[0])
+    (ver, op, result, epoch, internal_port, external_port, lifetime) = parse_map_port_response(pkt[0])
 
     if (result == 0)
-      if (datastore['RPORT'].to_i != external_port)
+      if (datastore['EXTERNAL_PORT'] != external_port)
         print_status(	"#{external_address} " +
-                "#{datastore['RPORT']}/#{datastore['PROTOCOL']} -> #{map_target} " +
+                "#{datastore['EXTERNAL_PORT']}/#{datastore['PROTOCOL']} -> #{map_target} " +
                 "#{internal_port}/#{datastore['PROTOCOL']} couldn't be forwarded")
       end
       print_status(	"#{external_address} " +
diff --git a/modules/auxiliary/gather/natpmp_external_address.rb b/modules/auxiliary/gather/natpmp_external_address.rb
@@ -4,12 +4,14 @@
 ##
 
 require 'msf/core'
-require 'rex/proto/natpmp'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Auxiliary::Report
-  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::UDPScanner
+  include Msf::Auxiliary::NATPMP
+  include Rex::Proto::NATPMP
 
   def initialize
     super(
@@ -19,68 +21,43 @@ def initialize
       'License'     => MSF_LICENSE
     )
 
-    register_options(
-      [
-        Opt::RPORT(Rex::Proto::NATPMP::DefaultPort),
-        Opt::CHOST
-      ],
-      self.class
-    )
   end
 
-  def run_host(host)
-    begin
-      udp_sock = Rex::Socket::Udp.create({
-        'LocalHost' => datastore['CHOST'] || nil,
-        'Context'   => {'Msf' => framework, 'MsfExploit' => self}
-      })
-      add_socket(udp_sock)
-      vprint_status "#{host}:#{datastore['RPORT']} - NATPMP - Probing for external address"
-
-      udp_sock.sendto(Rex::Proto::NATPMP.external_address_request, host, datastore['RPORT'].to_i, 0)
-      while (r = udp_sock.recvfrom(12, 1.0) and r[1])
-        handle_reply(host, r)
-      end
-    rescue ::Interrupt
-      raise $!
-    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-      nil
-    rescue ::Exception => e
-      print_error("#{host}:#{datastore['RPORT']} Unknown error: #{e.class} #{e}")
-    end
+  def scan_host(ip)
+    scanner_send(@probe, ip, datastore['RPORT'])
   end
 
-  def handle_reply(host, pkt)
-    return if not pkt[1]
-
-    if(pkt[1] =~ /^::ffff:/)
-      pkt[1] = pkt[1].sub(/^::ffff:/, '')
-    end
+  def scanner_prescan(batch)
+    @probe = external_address_request
+  end
 
-    (ver, op, result, epoch, external_address) = Rex::Proto::NATPMP.parse_external_address_response(pkt[0])
+  def scanner_process(data, shost, sport)
+    (ver, op, result, epoch, external_address) = parse_external_address_response(data)
 
-    if (result == 0)
-      print_status("#{host} -- external address #{external_address}")
+    peer = "#{shost}:#{sport}"
+    if (ver == 0 && op == 128 && result == 0)
+      print_good("#{peer} -- external address #{external_address}")
+      # report its external address as alive
+      if inside_workspace_boundary?(external_address)
+        report_host(
+          :host   => external_address,
+          :state => Msf::HostState::Alive
+        )
+      end
+    else
+      print_error("#{peer} -- unexpected version/opcode/result/address: #{ver}/#{op}/#{result}/#{external_address}")
     end
 
     # report the host we scanned as alive
     report_host(
-      :host   => host,
+      :host   => shost,
       :state => Msf::HostState::Alive
     )
 
-    # also report its external address as alive
-    if inside_workspace_boundary?(external_address)
-      report_host(
-        :host   => external_address,
-        :state => Msf::HostState::Alive
-      )
-    end
-
     # report NAT-PMP as being open
     report_service(
-      :host   => host,
-      :port   => pkt[2],
+      :host   => shost,
+      :port   => sport,
       :proto  => 'udp',
       :name   => 'natpmp',
       :state  => Msf::ServiceState::Open
diff --git a/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb b/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
@@ -5,12 +5,13 @@
 
 
 require 'msf/core'
-require 'rex/proto/natpmp'
 
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Auxiliary::Report
   include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::NATPMP
+  include Rex::Proto::NATPMP
 
   def initialize
     super(
@@ -22,10 +23,8 @@ def initialize
 
     register_options(
       [
-        Opt::RPORT(Rex::Proto::NATPMP::DefaultPort),
         OptString.new('PORTS', [true, "Ports to scan (e.g. 22-25,80,110-900)", "1-1000"]),
         OptEnum.new('PROTOCOL', [true, "Protocol to scan", 'TCP', %w(TCP UDP)]),
-        Opt::CHOST
       ], self.class)
   end
 
@@ -36,32 +35,33 @@ def run_host(host)
         'Context'   => {'Msf' => framework, 'MsfExploit' => self} }
       )
       add_socket(udp_sock)
-      vprint_status "Scanning #{datastore['PROTOCOL']} ports #{datastore['PORTS']} on #{host} using NATPMP"
+      peer = "#{host}:#{datastore['RPORT']}"
+      vprint_status("#{peer} Scanning #{datastore['PROTOCOL']} ports #{datastore['PORTS']} using NATPMP")
 
       # first, send a request to get the external address
-      udp_sock.sendto(Rex::Proto::NATPMP.external_address_request, host, datastore['RPORT'].to_i, 0)
+      udp_sock.sendto(external_address_request, host, datastore['RPORT'], 0)
       external_address = nil
       while (r = udp_sock.recvfrom(12, 0.25) and r[1])
-        (ver,op,result,epoch,external_address) = Rex::Proto::NATPMP.parse_external_address_response(r[0])
+        (ver,op,result,epoch,external_address) = parse_external_address_response(r[0])
       end
 
       if (external_address)
-        print_good("External address of #{host} is #{external_address}")
+        print_good("#{peer} responded with external address of #{external_address}")
       else
-        print_error("Didn't get a response for #{host}'s external address")
+        vprint_status("#{peer} didn't respond with an external address")
         return
       end
 
       Rex::Socket.portspec_crack(datastore['PORTS']).each do |port|
         # send one request to clear the mapping if *we've* created it before
-        clear_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 0)
-        udp_sock.sendto(clear_req, host, datastore['RPORT'].to_i, 0)
+        clear_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 0)
+        udp_sock.sendto(clear_req, host, datastore['RPORT'], 0)
         while (r = udp_sock.recvfrom(16, 1.0) and r[1])
         end
 
         # now try the real mapping
-        map_req = Rex::Proto::NATPMP.map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)
-        udp_sock.sendto(map_req, host, datastore['RPORT'].to_i, 0)
+        map_req = map_port_request(port, port, Rex::Proto::NATPMP.const_get(datastore['PROTOCOL']), 1)
+        udp_sock.sendto(map_req, host, datastore['RPORT'], 0)
         while (r = udp_sock.recvfrom(16, 1.0) and r[1])
           handle_reply(host, external_address, r)
         end
@@ -85,21 +85,22 @@ def handle_reply(host, external_addr, pkt)
     host = pkt[1]
     protocol = datastore['PROTOCOL'].to_s.downcase
 
-    (ver, op, result, epoch, int, ext, lifetime) = Rex::Proto::NATPMP.parse_map_port_response(pkt[0])
+    (ver, op, result, epoch, int, ext, lifetime) = parse_map_port_response(pkt[0])
+    peer = "#{host}:#{datastore['RPORT']}"
     if (result == 0)
       # we always ask to map an external port to the same port on us.  If
       # we get a successful reponse back but the port we requested be forwarded
       # is different, that means that someone else already has it open
       if (int != ext)
         state = Msf::ServiceState::Open
-        print_status("#{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with unmatched ports")
+        print_good("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with unmatched ports")
       else
         state = Msf::ServiceState::Closed
-        print_status("#{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with matched ports") if (datastore['DEBUG'])
+        print_status("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of successful mapping with matched ports") if (datastore['DEBUG'])
       end
     else
       state = Msf::ServiceState::Closed
-      print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
+      print_status("#{peer} #{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
     end
 
     if inside_workspace_boundary?(external_addr)
diff --git a/spec/lib/rex/proto/natpmp/packet_spec.rb b/spec/lib/rex/proto/natpmp/packet_spec.rb
@@ -0,0 +1,48 @@
+# -*- coding: binary -*-
+require 'spec_helper'
+
+require 'rex/proto/natpmp/packet'
+describe Rex::Proto::NATPMP do
+  subject do
+    mod = Module.new
+    mod.extend described_class
+    mod
+  end
+
+  describe '#parse_external_address_response' do
+    it 'should properly parse non-error responses' do
+      data = "\x00\x80\x00\x00\x00\x33\x50\x53\xc0\xa8\x01\x02"
+      subject.parse_external_address_response(data)
+      ver, opcode, result, epoch, addr = subject.parse_external_address_response(data)
+      expect(ver).to eq(0)
+      expect(opcode).to eq(128)
+      expect(result).to eq(0)
+      expect(epoch).to eq(3362899)
+      expect(addr).to eq('192.168.1.2')
+    end
+    it 'should properly parse error responses' do
+      data = "\x00\x80\x00\x03\x00\x00\x70\x90\x00\x00\x00\x00"
+      subject.parse_external_address_response(data)
+      ver, opcode, result, epoch, addr = subject.parse_external_address_response(data)
+      expect(ver).to eq(0)
+      expect(opcode).to eq(128)
+      expect(result).to eq(3)
+      expect(epoch).to eq(28816)
+      expect(addr).to eq('0.0.0.0')
+    end
+  end
+
+  describe '#parse_map_port_response' do
+    it 'should properly parse responses' do
+      data = "\x00\x82\x00\x00\x00\x33\x6f\xd8\x11\x5c\x15\xb3\x00\x36\xee\x80"
+      ver, opcode, result, epoch, internal, external, lifetime = subject.parse_map_port_response(data)
+      expect(ver).to eq(0)
+      expect(opcode).to eq(130)
+      expect(result).to eq(0)
+      expect(epoch).to eq(3370968)
+      expect(internal).to eq(4444)
+      expect(external).to eq(5555)
+      expect(lifetime).to eq(3600000)
+    end
+  end
+end
