Class: Rex::Proto::DHCP::Server

Inherits:

Object

• Object
• Rex::Proto::DHCP::Server

Includes:

Socket

Defined in:

lib/rex/proto/dhcp/server.rb

Overview

DHCP Server class not completely configurable - written specifically for a PXE server

• scriptjunkie

extended to support testing/exploiting CVE-2011-0997

• apconole@yahoo.com

Instance Attribute Summary

• #broadcasta ⇒ Object

  Returns the value of attribute broadcasta.

• #context ⇒ Object

  Returns the value of attribute context.

• #current_ip ⇒ Object

  Returns the value of attribute current_ip.

• #dnsserv ⇒ Object

  Returns the value of attribute dnsserv.

• #end_ip ⇒ Object

  Returns the value of attribute end_ip.

• #give_hostname ⇒ Object

  Returns the value of attribute give_hostname.

• #ipstring ⇒ Object

  Returns the value of attribute ipstring.

• #leasetime ⇒ Object

  Returns the value of attribute leasetime.

• #listen_host ⇒ Object

  Returns the value of attribute listen_host.

• #listen_port ⇒ Object

  Returns the value of attribute listen_port.

• #myfilename ⇒ Object

  Returns the value of attribute myfilename.

• #netmaskn ⇒ Object

  Returns the value of attribute netmaskn.

• #pxeconfigfile ⇒ Object

  Returns the value of attribute pxeconfigfile.

• #pxepathprefix ⇒ Object

  Returns the value of attribute pxepathprefix.

• #pxereboottime ⇒ Object

  Returns the value of attribute pxereboottime.

• #relayip ⇒ Object

  Returns the value of attribute relayip.

• #router ⇒ Object

  Returns the value of attribute router.

• #served ⇒ Object

  Returns the value of attribute served.

• #served_hostname ⇒ Object

  Returns the value of attribute served_hostname.

• #served_over ⇒ Object

  Returns the value of attribute served_over.

• #serveOnce ⇒ Object

  Returns the value of attribute serveOnce.

• #servePXE ⇒ Object

  Returns the value of attribute servePXE.

• #sock ⇒ Object

  Returns the value of attribute sock.

• #start_ip ⇒ Object

  Returns the value of attribute start_ip.

• #thread ⇒ Object

  Returns the value of attribute thread.

Attributes included from Socket

#ipv, #localhost, #localport, #peerhost, #peerport

Instance Method Summary

• #initialize(hash, context = {}) ⇒ Server constructor

  A new instance of Server.

• #send_packet(ip, pkt) ⇒ Object

  Send a single packet to the specified host.

• #set_option(opts) ⇒ Object

  Set an option.

• #start ⇒ Object

  Start the DHCP server.

• #stop ⇒ Object

  Stop the DHCP server.

Methods included from Socket

addr_atoc, addr_atoi, addr_aton, addr_ctoa, addr_itoa, addr_iton, addr_ntoa, addr_ntoi, bit2netmask, cidr_crack, create, create_ip, create_param, create_tcp, create_tcp_server, create_udp, dotted_ip?, #fd, from_sockaddr, getaddress, gethostbyname, #getlocalname, #getpeername, #getsockname, #initsock, ipv6_link_address, ipv6_mac, is_internal?, is_ipv4?, is_ipv6?, net2bitmask, portlist_to_portspec, portspec_crack, portspec_to_portlist, resolv_nbo, resolv_nbo_i, resolv_to_dotted, source_address, support_ipv6?, tcp_socket_pair, to_sockaddr, #type?, udp_socket_pair

Constructor Details

#initialize(hash, context = {}) ⇒ Server

Returns a new instance of Server.

# File 'lib/rex/proto/dhcp/server.rb', line 24

def initialize(hash, context = {})
	self.listen_host = '0.0.0.0' # clients don't already have addresses. Needs to be 0.0.0.0
	self.listen_port = 67 # mandatory (bootps)
	self.context = context
	self.sock = nil

	@shutting_down = false

	self.myfilename = hash['FILENAME'] || ""
	self.myfilename << ("\x00" * (128 - self.myfilename.length))

	source = hash['SRVHOST'] || Rex::Socket.source_address
	self.ipstring = Rex::Socket.addr_aton(source)

	ipstart = hash['DHCPIPSTART']
	if ipstart
		self.start_ip = Rex::Socket.addr_atoi(ipstart)
	else
		# Use the first 3 octects of the server's IP to construct the
		# default range of x.x.x.32-254
		self.start_ip = "#{self.ipstring[0..2]}\x20".unpack("N").first
	end
	self.current_ip = start_ip

	ipend = hash['DHCPIPEND']
	if ipend
		self.end_ip = Rex::Socket.addr_atoi(ipend)
	else
		# Use the first 3 octects of the server's IP to construct the
		# default range of x.x.x.32-254
		self.end_ip = "#{self.ipstring[0..2]}\xfe".unpack("N").first
	end

	# netmask
	netmask = hash['NETMASK'] || "255.255.255.0"
	self.netmaskn = Rex::Socket.addr_aton(netmask)

	# router
	router = hash['ROUTER'] || source
	self.router = Rex::Socket.addr_aton(router)

	# dns
	dnsserv = hash['DNSSERVER'] || source
	self.dnsserv = Rex::Socket.addr_aton(dnsserv)

	# broadcast
	if hash['BROADCAST']
		self.broadcasta = Rex::Socket.addr_aton(hash['BROADCAST'])
	else
		self.broadcasta = Rex::Socket.addr_itoa( self.start_ip | (Rex::Socket.addr_ntoi(self.netmaskn) ^ 0xffffffff) )
	end

	self.served = {}
	if (hash['SERVEONCE'])
		self.serveOnce = true
	else
		self.serveOnce = false
	end
	
	if (hash['PXE'])
		self.servePXE = true
	else
		self.servePXE = false
	end

	# Always assume we don't give out hostnames ...
	self.give_hostname = false
	self.served_over = 0
	if (hash['HOSTNAME'])
		self.give_hostname = true
		self.served_hostname = hash['HOSTNAME']
		if ( hash['HOSTSTART'] )
			self.served_over = hash['HOSTSTART'].to_i
		end
	end
	
	self.leasetime = 600
	self.relayip = "\x00\x00\x00\x00" # relay ip - not currently suported
	self.pxeconfigfile = "update2"
	self.pxepathprefix = ""
	self.pxereboottime = 2000
end

Instance Attribute Details

#broadcasta ⇒ Object

Returns the value of attribute broadcasta.

# File 'lib/rex/proto/dhcp/server.rb', line 160

def broadcasta
  @broadcasta
end

#context ⇒ Object

Returns the value of attribute context.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def context
  @context
end

#current_ip ⇒ Object

Returns the value of attribute current_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 160

def current_ip
  @current_ip
end

#dnsserv ⇒ Object

Returns the value of attribute dnsserv.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def dnsserv
  @dnsserv
end

#end_ip ⇒ Object

Returns the value of attribute end_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 160

def end_ip
  @end_ip
end

#give_hostname ⇒ Object

Returns the value of attribute give_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 162

def give_hostname
  @give_hostname
end

#ipstring ⇒ Object

Returns the value of attribute ipstring.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def ipstring
  @ipstring
end

#leasetime ⇒ Object

Returns the value of attribute leasetime.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def leasetime
  @leasetime
end

#listen_host ⇒ Object

Returns the value of attribute listen_host.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def listen_host
  @listen_host
end

#listen_port ⇒ Object

Returns the value of attribute listen_port.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def listen_port
  @listen_port
end

#myfilename ⇒ Object

Returns the value of attribute myfilename.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def myfilename
  @myfilename
end

#netmaskn ⇒ Object

Returns the value of attribute netmaskn.

# File 'lib/rex/proto/dhcp/server.rb', line 160

def netmaskn
  @netmaskn
end

#pxeconfigfile ⇒ Object

Returns the value of attribute pxeconfigfile.

# File 'lib/rex/proto/dhcp/server.rb', line 161

def pxeconfigfile
  @pxeconfigfile
end

#pxepathprefix ⇒ Object

Returns the value of attribute pxepathprefix.

# File 'lib/rex/proto/dhcp/server.rb', line 161

def pxepathprefix
  @pxepathprefix
end

#pxereboottime ⇒ Object

Returns the value of attribute pxereboottime.

# File 'lib/rex/proto/dhcp/server.rb', line 161

def pxereboottime
  @pxereboottime
end

#relayip ⇒ Object

Returns the value of attribute relayip.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def relayip
  @relayip
end

#router ⇒ Object

Returns the value of attribute router.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def router
  @router
end

#served ⇒ Object

Returns the value of attribute served.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def served
  @served
end

#served_hostname ⇒ Object

Returns the value of attribute served_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 162

def served_hostname
  @served_hostname
end

#served_over ⇒ Object

Returns the value of attribute served_over.

# File 'lib/rex/proto/dhcp/server.rb', line 162

def served_over
  @served_over
end

#serveOnce ⇒ Object

Returns the value of attribute serveOnce.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def serveOnce
  @serveOnce
end

#servePXE ⇒ Object

Returns the value of attribute servePXE.

# File 'lib/rex/proto/dhcp/server.rb', line 161

def servePXE
  @servePXE
end

#sock ⇒ Object

Returns the value of attribute sock.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def sock
  @sock
end

#start_ip ⇒ Object

Returns the value of attribute start_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 160

def start_ip
  @start_ip
end

#thread ⇒ Object

Returns the value of attribute thread.

# File 'lib/rex/proto/dhcp/server.rb', line 159

def thread
  @thread
end

Instance Method Details

#send_packet(ip, pkt) ⇒ Object

Send a single packet to the specified host

# File 'lib/rex/proto/dhcp/server.rb', line 147

def send_packet(ip, pkt)
	port = 68 # bootpc
	if ip
		self.sock.sendto( pkt, ip, port )
	else
		if not self.sock.sendto( pkt, '255.255.255.255', port )
			self.sock.sendto( pkt, self.broadcasta, port )
		end
	end
end

#set_option(opts) ⇒ Object

Set an option

# File 'lib/rex/proto/dhcp/server.rb', line 130

def set_option(opts)
	allowed_options = [
		:serveOnce, :servePXE, :relayip, :leasetime, :dnsserv,
		:pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
		:give_hostname, :served_hostname, :served_over
	]

	opts.each_pair { |k,v|
		next if not v
		if allowed_options.include?(k)
			self.instance_variable_set("@#{k}", v)
		end
	}
end

#start ⇒ Object

Start the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 109

def start
	self.sock = Rex::Socket::Udp.create(
		'LocalHost' => listen_host,
		'LocalPort' => listen_port,
		'Context'   => context
	)

	self.thread = Rex::ThreadFactory.spawn("DHCPServerMonitor", false) {
		monitor_socket
	}
end

#stop ⇒ Object

Stop the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 122

def stop
	@shutting_down = true
	self.thread.kill
	self.sock.close rescue nil
end