Mirror of metasploit
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

ipv6.rb 8.4KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320
  1. # -*- coding: binary -*-
  2. module Msf
  3. ###
  4. #
  5. # This module provides common tools for IPv6
  6. #
  7. ###
  8. module Exploit::Remote::Ipv6
  9. #
  10. # Initializes an instance of an exploit module that captures traffic
  11. #
  12. def initialize(info = {})
  13. super
  14. register_options(
  15. [
  16. OptString.new('INTERFACE', [false, 'The name of the interface']),
  17. OptString.new("SMAC", [ false, "The source MAC address"]),
  18. OptAddress.new("SHOST", [ false, "The source IPv6 address" ] ),
  19. OptInt.new("TIMEOUT", [ true, "Timeout when waiting for host response.", 5])
  20. ], Msf::Exploit::Remote::Ipv6
  21. )
  22. begin
  23. require 'pcaprub'
  24. @pcaprub_loaded = true
  25. rescue ::Exception => e
  26. @pcaprub_loaded = false
  27. @pcaprub_error = e
  28. end
  29. end
  30. #
  31. # Shortcut method for resolving our local interface name
  32. #
  33. def ipv6_interface(opts={})
  34. opts['INTERFACE'] || datastore['INTERFACE'] || ::Pcap.lookupdev
  35. end
  36. #
  37. # Shortcut method for determining our link-local address
  38. #
  39. def ipv6_link_address(opts={})
  40. Rex::Socket.ipv6_link_address(ipv6_interface(opts))
  41. end
  42. #
  43. # Shortcut method for determining our MAC address
  44. #
  45. def ipv6_mac(opts={})
  46. Rex::Socket.ipv6_mac(ipv6_interface(opts))
  47. end
  48. #
  49. # Opens a pcaprub capture interface to inject packets, and sniff ICMPv6 packets
  50. #
  51. def open_icmp_pcap(opts = {})
  52. check_pcaprub_loaded
  53. dev = ipv6_interface(opts)
  54. len = 65535
  55. tim = 0
  56. @ipv6_icmp6_capture = ::Pcap.open_live(dev, len, true, tim)
  57. @ipv6_icmp6_capture.setfilter("icmp6")
  58. end
  59. #
  60. # Close the capture interface
  61. #
  62. def close_icmp_pcap()
  63. check_pcaprub_loaded
  64. return if not @ipv6_icmp6_capture
  65. @ipv6_icmp6_capture = nil
  66. end
  67. #
  68. # Send out a ICMPv6 neighbor solicitation, and
  69. # return the associated MAC address
  70. #
  71. def solicit_ipv6_mac(dhost, opts = {})
  72. check_pcaprub_loaded
  73. dhost_intf = dhost + '%' + ipv6_interface(opts)
  74. smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  75. shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  76. timeout = opts['TIMEOUT'] || datastore['TIMEOUT'] || 3
  77. open_icmp_pcap()
  78. p2 = PacketFu::IPv6Packet.new
  79. p2.eth_saddr = smac
  80. p2.eth_daddr = ipv6_soll_mcast_mac(dhost)
  81. p2.ipv6_saddr = shost
  82. p2.ipv6_daddr = ipv6_soll_mcast_addr6(dhost)
  83. p2.ipv6_hop = 255
  84. p2.ipv6_next = 0x3a
  85. p2.payload = ipv6_neighbor_solicitation(
  86. IPAddr.new(dhost).to_i,
  87. p2.eth_src
  88. )
  89. p2.ipv6_len = p2.payload.size
  90. ipv6_checksum!(p2)
  91. @ipv6_icmp6_capture.inject(p2.to_s)
  92. # Wait for a response
  93. max_epoch = ::Time.now.to_i + timeout
  94. while(::Time.now.to_i < max_epoch)
  95. pkt_bytes = @ipv6_icmp6_capture.next()
  96. next if not pkt_bytes
  97. pkt = PacketFu::Packet.parse(pkt_bytes) rescue nil
  98. next unless pkt
  99. next unless pkt.is_ipv6?
  100. next unless pkt.ipv6_next == 0x3a
  101. next unless pkt.payload
  102. next if pkt.payload.empty?
  103. next unless pkt.payload[0,1] == "\x88" # Neighbor advertisement
  104. if(IPAddr.new(pkt.ipv6_daddr).to_i == IPAddr.new(shost).to_i and
  105. IPAddr.new(pkt.ipv6_saddr).to_i == IPAddr.new(dhost).to_i)
  106. ipv6opts = pkt.payload[24,pkt.payload.size]
  107. next unless ipv6opts
  108. parsed_opts = ipv6_parse_options(ipv6opts)
  109. parsed_opts.each do |opt|
  110. if opt[0] == 2
  111. addr = PacketFu::EthHeader.str2mac(opt.last)
  112. close_icmp_pcap()
  113. return(addr)
  114. end
  115. end
  116. close_icmp_pcap
  117. return(pkt.eth_saddr)
  118. end
  119. end
  120. close_icmp_pcap
  121. return nil
  122. end
  123. #
  124. # Send a ICMPv6 Echo Request, and wait for the
  125. # associated ICMPv6 Echo Response
  126. #
  127. def ping6(dhost, opts={})
  128. check_pcaprub_loaded
  129. dhost_intf = dhost + '%' + ipv6_interface(opts)
  130. smac = opts['SMAC'] || datastore['SMAC'] || ipv6_mac
  131. shost = opts['SHOST'] || datastore['SHOST'] || Rex::Socket.source_address(dhost_intf)
  132. dmac = opts['DMAC'] || solicit_ipv6_mac(dhost)
  133. timeout = opts['TIMEOUT'] || datastore['TIMEOUT']
  134. wait = opts['WAIT']
  135. if(wait.eql?(nil))
  136. wait = true
  137. end
  138. dmac.eql?(nil) and return false
  139. open_icmp_pcap()
  140. # Create ICMPv6 Request
  141. p = PacketFu::IPv6Packet.new
  142. p.eth_saddr = smac
  143. p.eth_daddr = dmac
  144. p.ipv6_saddr = shost
  145. p.ipv6_daddr = dhost
  146. p.ipv6_next = 0x3a
  147. icmp_id = rand(65000)
  148. icmp_seq = 1
  149. icmp_payload = Rex::Text.rand_text(8)
  150. p.payload = ipv6_icmpv6_echo_request(icmp_id,icmp_seq,icmp_payload)
  151. p.ipv6_len = p.payload.to_s.size
  152. ipv6_checksum!(p)
  153. @ipv6_icmp6_capture.inject(p.to_s)
  154. if(wait.eql?(true))
  155. print_status("Waiting for ping reply...")
  156. print_line("")
  157. # Wait for a response
  158. max_epoch = ::Time.now.to_i + timeout
  159. while(::Time.now.to_i < max_epoch)
  160. pkt = @ipv6_icmp6_capture.next()
  161. next if not pkt
  162. response_pkt = PacketFu::Packet.parse(pkt) rescue nil
  163. next unless response_pkt
  164. next unless response_pkt.is_ipv6?
  165. next unless response_pkt.payload
  166. next if response_pkt.payload.empty?
  167. next unless response_pkt.payload[0,1] == "\x81" # Echo reply
  168. if( response_pkt.ipv6_daddr == p.ipv6_saddr and
  169. response_pkt.ipv6_saddr == p.ipv6_daddr and
  170. response_pkt.ipv6_daddr == p.ipv6_saddr and
  171. response_pkt.payload[4,2] == p.payload[4,2] and # Id
  172. response_pkt.payload[6,2] == p.payload[6,2] # Seq
  173. )
  174. close_icmp_pcap()
  175. return(true)
  176. end
  177. end # End while
  178. end
  179. close_icmp_pcap()
  180. return(false)
  181. end
  182. #
  183. # Helper methods that haven't made it upstream yet. Mostly packet data
  184. # packers, also a checksum calculator.
  185. #
  186. def ipv6_icmpv6_echo_request(id,seq,data)
  187. type = 0x80
  188. code = 0
  189. checksum = 0
  190. id ||= rand(0x10000)
  191. seq ||= rand(0x10000)
  192. [type,code,checksum,id,seq,data].pack("CCnnna*")
  193. end
  194. # Simple tlv parser
  195. def ipv6_parse_options(data)
  196. pos = 0
  197. opts = []
  198. while pos < data.size
  199. type, len = data[pos,2].unpack("CC")
  200. this_opt = [type,len]
  201. this_opt << data[pos+2, (pos-2 + (len * 8))]
  202. opts << this_opt
  203. pos += this_opt.pack("CCa*").size
  204. end
  205. opts
  206. end
  207. # From Jon Hart's Racket::L3::Misc#linklocaladdr(), which
  208. # is from Daniele Bellucci
  209. def ipv6_linklocaladdr(mac)
  210. mac = mac.split(":")
  211. mac[0] = (mac[0].to_i(16) ^ (1 << 1)).to_s(16)
  212. ["fe80", "", mac[0,2].join, mac[2,2].join("ff:fe"), mac[4,2].join].join(":")
  213. end
  214. # From Jon Hart's Racket::L3::Misc#soll_mcast_addr6(),
  215. # which is from DDniele Belluci
  216. def ipv6_soll_mcast_addr6(addr)
  217. h = addr.split(':')[-2, 2]
  218. m = []
  219. m << 'ff'
  220. m << (h[0].to_i(16) & 0xff).to_s(16)
  221. m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
  222. m << (h[1].to_i(16) & 0xff).to_s(16)
  223. 'ff02::1:' + [m[0,2].join, m[2,2].join].join(':')
  224. end
  225. # From Jon Hart's Racket::L3::Misc#soll_mcast_mac()
  226. def ipv6_soll_mcast_mac(addr)
  227. h = addr.split(':')[-2, 2]
  228. m = []
  229. m << 'ff'
  230. m << (h[0].to_i(16) & 0xff).to_s(16)
  231. m << ((h[1].to_i(16) & (0xff << 8)) >> 8).to_s(16)
  232. m << (h[1].to_i(16) & 0xff).to_s(16)
  233. '33:33:' + m.join(':')
  234. end
  235. # Usual ghetto strategy from PacketFu
  236. def ipv6_checksum!(pkt)
  237. check_data = pkt.headers.last[:ipv6_src].to_s.unpack("n8")
  238. check_data << pkt.headers.last[:ipv6_dst].to_s.unpack("n8")
  239. check_data << pkt.ipv6_len
  240. check_data << [0,58]
  241. check_payload = pkt.payload.size % 2 == 0 ? pkt.payload : pkt.payload + "\x00"
  242. check_data << check_payload.unpack("n*")
  243. check_data.flatten!
  244. checksum = check_data.inject(0) {|sum,x| sum += x}
  245. checksum = checksum % 0xffff
  246. checksum = 0xffff - checksum
  247. checksum == 0 ? 0xffff : checksum
  248. pkt.payload[2,2] = [checksum].pack("n")
  249. pkt
  250. end
  251. # Takes a neighbor and smac as arguments, The Neighbor
  252. # value must be an int, while the smac must be a string.
  253. # Very rudimentary and temporary.
  254. def ipv6_neighbor_solicitation(neigh,smac)
  255. target = neigh.to_s(16).scan(/../).map {|x| x.to_i(16)}.pack("C*")
  256. type = 135
  257. code = 0
  258. checksum = 0
  259. reserved = 0
  260. opt_type = 1
  261. opt_len = 1
  262. [type, code, checksum, reserved,
  263. target, opt_type, opt_len, smac
  264. ].pack("CCnNa16CCa6")
  265. end
  266. def check_pcaprub_loaded
  267. unless @pcaprub_loaded
  268. print_status("The Pcaprub module is not available: #{@pcaprub_error}")
  269. raise RuntimeError, "Pcaprub not available"
  270. else
  271. true
  272. end
  273. end
  274. end
  275. end