
Proposed fix for #4305 #4317

Merged
merged 6 commits into from Dec 4, 2014

Conversation

jhart-r7
Contributor

@jhart-r7 jhart-r7 commented Dec 4, 2014

Instead of sending a probe to a random host in 177/8 to attempt to see what the source and destination MACs are (and, in turn, what the Capture module should use when using capture_sendto), this PR makes this process send a random UDP probe to www.metasploit.com but with a TTL of 1, thereby ensuring that it shouldn't make it past the first hop, if at all. It also makes the probe host and port configurable, and cleans up the "secret".

Note that this is a diff against master but has the fix for #4306 from #4311 merged in. Once #4311 is landed this should update.

Defect and Fix Validation

Note that these steps can be used to both confirm that the defect is fixed but also to demonstrate the defect in the first place by running against a parent revision:

  • use exploits/multi/ids/snort_dce_rpc, set an RHOST for a live host in the same broadcast domain. Run. Confirm that no UDP traffic is sent to 177/8 and that the only traffic caused by this module is an ARP lookup for the RHOST followed by a single 139/TCP packet, and that the source MAC is from the system running msf and that the destination MAC is RHOST's.
  • use exploits/multi/ids/snort_dce_rpc, set an RHOST for a live host NOT in the same broadcast domain. Run. Confirm that no UDP traffic is sent to 177/8. Confirm that a random UDP datagram is sent to www.metasploit.com with a TTL of 1, and that the source MAC is from the system running msf and that the destination MAC is the default gateway's.
  • Redo test #1 and #2 but with an explicitly set INTERFACE on a system with multiple interfaces. Overkill?

Add osvdb ref

Rename UDP_SECRET to just SECRET, as it is used for more than just UDP

Rename and properly document GATEWAY option

Introduce an option to configure what UDP port will be probed
@todb-r7 todb-r7 added the bug label Dec 4, 2014
@todb-r7 todb-r7 self-assigned this Dec 4, 2014
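The mechanism the PR description relies on, as an added Ruby example that is not code from metasploit-framework or from this PR: a UDP datagram sent with TTL=1 never gets past the first hop, but the frame that leaves the interface still carries the local MAC as source and, for a non-local destination, the default gateway's MAC as destination. The example shows both halves: a socket configured to emit such a probe, and the capture-side filter that recognises the probe among sniffed frames (by probe port, secret payload and TTL still equal to 1) and returns the two MACs. All function names, the addresses and the secret are assumptions for the demo; the frame is constructed inline so the check runs offline, and nothing is actually sent.

```ruby
require 'socket'
require 'ipaddr'

PROBE_TTL = 1          # the datagram must die at the first hop
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Sending side: a UDP socket whose datagrams carry TTL=1. Emitting anything
# through it is enough for the outgoing frame to reveal our MAC and the
# default gateway's MAC on the wire, without the probe reaching its target.
def probe_socket(ttl: PROBE_TTL)
  sock = UDPSocket.new(Socket::AF_INET)
  sock.setsockopt(Socket::IPPROTO_IP, Socket::IP_TTL, ttl)
  sock
end

# Fire the probe (not exercised offline). host and port are the configurable
# probe target; secret is the payload used to recognise the frame later.
def send_probe(sock, host, port, secret)
  sock.send(secret, 0, host, port)
end

def fmt_mac(bytes)
  bytes.unpack('C6').map { |b| format('%02x', b) }.join(':')
end

def mac_bytes(mac)
  mac.split(':').map { |h| h.to_i(16) }.pack('C6')
end

# Capture side: pull the fields we need out of an Ethernet II / IPv4 / UDP
# frame. Returns nil for anything that is not IPv4-over-Ethernet carrying UDP.
def parse_eth_ipv4_udp(frame)
  frame = frame.b
  return nil if frame.bytesize < 14 + 20 + 8
  return nil unless frame[12, 2].unpack1('n') == ETHERTYPE_IPV4
  ip = frame[14..-1]
  ihl = (ip.getbyte(0) & 0x0f) * 4
  return nil unless ip.getbyte(9) == IPPROTO_UDP
  udp = ip[ihl..-1]
  sport, dport, udp_len = udp.unpack('nnn')
  return nil if udp_len < 8 || udp.bytesize < udp_len
  {
    dst_mac: fmt_mac(frame[0, 6]),
    src_mac: fmt_mac(frame[6, 6]),
    ttl:     ip.getbyte(8),
    src_ip:  ip[12, 4].unpack('C4').join('.'),
    dst_ip:  ip[16, 4].unpack('C4').join('.'),
    sport:   sport,
    dport:   dport,
    payload: udp[8, udp_len - 8],
  }
end

# Recognise our own probe among captured frames: right port, right secret and
# TTL still 1 (so this is the frame we emitted, not a reply or a forwarded
# copy). Returns [source_mac, destination_mac] or nil.
def probe_macs(frame, secret:, port:)
  p = parse_eth_ipv4_udp(frame)
  return nil unless p && p[:dport] == port && p[:payload] == secret.b
  return nil unless p[:ttl] == PROBE_TTL
  [p[:src_mac], p[:dst_mac]]
end

# Constructed frame for offline use: what the probe looks like on the wire.
# Checksums are left zero; the parser above does not verify them.
def build_probe_frame(src_mac:, dst_mac:, src_ip:, dst_ip:, sport:, dport:, ttl:, payload:)
  udp = [sport, dport, 8 + payload.bytesize, 0].pack('nnnn') + payload.b
  ip  = [0x45, 0, 20 + udp.bytesize, 0, 0, ttl, IPPROTO_UDP, 0].pack('CCnnnCCn') +
        IPAddr.new(src_ip).hton + IPAddr.new(dst_ip).hton + udp
  mac_bytes(dst_mac) + mac_bytes(src_mac) + [ETHERTYPE_IPV4].pack('n') + ip
end

if __FILE__ == $PROGRAM_NAME
  # Hypothetical MACs, addresses and secret, constructed for the demo.
  secret = 'xKqZ9pRt2mNv'
  frame = build_probe_frame(src_mac: '00:11:22:33:44:55', dst_mac: '66:77:88:99:aa:bb',
                            src_ip: '10.0.0.5', dst_ip: '203.0.113.10',
                            sport: 40000, dport: 12345, ttl: PROBE_TTL, payload: secret)
  puts probe_macs(frame, secret: secret, port: 12345).inspect
end
```

In real use the frame would come from a pcap handle opened on the chosen interface while send_probe runs; the TTL check is what keeps the filter from matching a forwarded copy of the datagram seen on another segment, and the secret plus port keep it from matching unrelated UDP traffic to the same host.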
@todb-r7

todb-r7 commented Dec 4, 2014

Oops:

todb@mazikeen:~/git/rapid7/metasploit-framework$ ./msfconsole -L
/home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/mixins.rb:69:in `require': /home/todb/git/rapid7/metasploit-framework/lib/msf/core/exploit/capture.rb:46: syntax error, unexpected tCONSTANT, expecting ']' (SyntaxError)
            OptPort.new('GATEWAY_PROBE_PORT',
                   ^

One sec @jhart-r7

@todb-r7

todb-r7 commented Dec 4, 2014

Hmm that's no bueno:

msf > use exploits/multi/ids/snort_dce_rpc
msf exploit(snort_dce_rpc) > set RHOST 10.x.x.x
RHOST => 10.x.x.x
msf exploit(snort_dce_rpc) > show missing

Module options (exploit/multi/ids/snort_dce_rpc):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

msf exploit(snort_dce_rpc) > exploit

[-] Exploit failed: The following options failed to validate: SECRET.
msf exploit(snort_dce_rpc) > 

Wonder what's wrong with SECRET...

@jhart-r7
Contributor Author

jhart-r7 commented Dec 4, 2014

Sorry for that, @todb-r7. I made the changes in 52851d5 with only a reload. They have been fixed.

@todb-r7

todb-r7 commented Dec 4, 2014

ah you got it @jhart-r7

@todb-r7

todb-r7 commented Dec 4, 2014

Looks good, verified with tcpdump command tcpdump -nXXvvi wlan0 host 208.118.227.10 or host 208.118.237.137 or net 177.0.0.0/8

@todb-r7 todb-r7 merged commit 743e9fc into rapid7:master Dec 4, 2014
todb-r7 pushed a commit that referenced this pull request Dec 4, 2014
@jhart-r7 jhart-r7 deleted the 4305 branch December 5, 2014 00:52
3 participants