Class: Rex::Proto::DHCP::Server

Inherits:

Object

• Object
• Rex::Proto::DHCP::Server

Includes:

Socket

Defined in:

lib/rex/proto/dhcp/server.rb

Overview

DHCP Server class not completely configurable - written specifically for a PXE server

• scriptjunkie

extended to support testing/exploiting CVE-2011-0997

• apconole@yahoo.com

Constant Summary

Constants included from Socket

Socket::MATCH_IPV4, Socket::MATCH_IPV4_PRIVATE, Socket::MATCH_IPV6

Instance Attribute Summary

• #broadcasta ⇒ Object

  Returns the value of attribute broadcasta.

• #context ⇒ Object

  Returns the value of attribute context.

• #current_ip ⇒ Object

  Returns the value of attribute current_ip.

• #dnsserv ⇒ Object

  Returns the value of attribute dnsserv.

• #end_ip ⇒ Object

  Returns the value of attribute end_ip.

• #give_hostname ⇒ Object

  Returns the value of attribute give_hostname.

• #ipstring ⇒ Object

  Returns the value of attribute ipstring.

• #leasetime ⇒ Object

  Returns the value of attribute leasetime.

• #listen_host ⇒ Object

  Returns the value of attribute listen_host.

• #listen_port ⇒ Object

  Returns the value of attribute listen_port.

• #myfilename ⇒ Object

  Returns the value of attribute myfilename.

• #netmaskn ⇒ Object

  Returns the value of attribute netmaskn.

• #pxealtconfigfile ⇒ Object

  Returns the value of attribute pxealtconfigfile.

• #pxeconfigfile ⇒ Object

  Returns the value of attribute pxeconfigfile.

• #pxepathprefix ⇒ Object

  Returns the value of attribute pxepathprefix.

• #pxereboottime ⇒ Object

  Returns the value of attribute pxereboottime.

• #relayip ⇒ Object

  Returns the value of attribute relayip.

• #reporter ⇒ Object

  Returns the value of attribute reporter.

• #router ⇒ Object

  Returns the value of attribute router.

• #served ⇒ Object

  Returns the value of attribute served.

• #served_hostname ⇒ Object

  Returns the value of attribute served_hostname.

• #served_over ⇒ Object

  Returns the value of attribute served_over.

• #serveOnce ⇒ Object

  Returns the value of attribute serveOnce.

• #serveOnlyPXE ⇒ Object

  Returns the value of attribute serveOnlyPXE.

• #servePXE ⇒ Object

  Returns the value of attribute servePXE.

• #sock ⇒ Object

  Returns the value of attribute sock.

• #start_ip ⇒ Object

  Returns the value of attribute start_ip.

• #thread ⇒ Object

  Returns the value of attribute thread.

Attributes included from Socket

#ipv, #localhost, #localport, #peerhost, #peerport

Instance Method Summary

• #initialize(hash, context = {}) ⇒ Server constructor

  A new instance of Server.

• #report(&block) ⇒ Object
• #send_packet(ip, pkt) ⇒ Object

  Send a single packet to the specified host.

• #set_option(opts) ⇒ Object

  Set an option.

• #start ⇒ Object

  Start the DHCP server.

• #stop ⇒ Object

  Stop the DHCP server.

Methods included from Socket

addr_atoc, addr_atoi, addr_atoi_list, addr_aton, addr_ctoa, addr_itoa, addr_iton, addr_ntoa, addr_ntoi, bit2netmask, cidr_crack, compress_address, create, create_ip, create_param, create_tcp, create_tcp_server, create_udp, dotted_ip?, eth_aton, eth_ntoa, #fd, from_sockaddr, getaddress, getaddresses, gethostbyname, #getlocalname, #getpeername, #getsockname, #initsock, ipv6_link_address, ipv6_mac, is_internal?, is_ipv4?, is_ipv6?, net2bitmask, portlist_to_portspec, portspec_crack, portspec_to_portlist, resolv_nbo, resolv_nbo_i, resolv_nbo_i_list, resolv_nbo_list, resolv_to_dotted, source_address, support_ipv6?, tcp_socket_pair, to_sockaddr, #type?, udp_socket_pair

Constructor Details

#initialize(hash, context = {}) ⇒ Server

Returns a new instance of Server.

# File 'lib/rex/proto/dhcp/server.rb', line 24

def initialize(hash, context = {})
  self.listen_host = '0.0.0.0' # clients don't already have addresses. Needs to be 0.0.0.0
  self.listen_port = 67 # mandatory (bootps)
  self.context = context
  self.sock = nil

  self.myfilename = hash['FILENAME'] || ""
  self.myfilename << ("\x00" * (128 - self.myfilename.length))

  source = hash['SRVHOST'] || Rex::Socket.source_address
  self.ipstring = Rex::Socket.addr_aton(source)

  ipstart = hash['DHCPIPSTART']
  if ipstart
    self.start_ip = Rex::Socket.addr_atoi(ipstart)
  else
    # Use the first 3 octects of the server's IP to construct the
    # default range of x.x.x.32-254
    self.start_ip = "#{self.ipstring[0..2]}\x20".unpack("N").first
  end
  self.current_ip = start_ip

  ipend = hash['DHCPIPEND']
  if ipend
    self.end_ip = Rex::Socket.addr_atoi(ipend)
  else
    # Use the first 3 octects of the server's IP to construct the
    # default range of x.x.x.32-254
    self.end_ip = "#{self.ipstring[0..2]}\xfe".unpack("N").first
  end

  # netmask
  netmask = hash['NETMASK'] || "255.255.255.0"
  self.netmaskn = Rex::Socket.addr_aton(netmask)

  # router
  router = hash['ROUTER'] || source
  self.router = Rex::Socket.addr_aton(router)

  # dns
  dnsserv = hash['DNSSERVER'] || source
  self.dnsserv = Rex::Socket.addr_aton(dnsserv)

  # broadcast
  if hash['BROADCAST']
    self.broadcasta = Rex::Socket.addr_aton(hash['BROADCAST'])
  else
    self.broadcasta = Rex::Socket.addr_itoa( self.start_ip | (Rex::Socket.addr_ntoi(self.netmaskn) ^ 0xffffffff) )
  end

  self.served = {}
  self.serveOnce = hash.include?('SERVEONCE')

  self.servePXE = (hash.include?('PXE') or hash.include?('FILENAME') or hash.include?('PXEONLY'))
  self.serveOnlyPXE = hash.include?('PXEONLY')

  # Always assume we don't give out hostnames ...
  self.give_hostname = false
  self.served_over = 0
  if (hash['HOSTNAME'])
    self.give_hostname = true
    self.served_hostname = hash['HOSTNAME']
    if ( hash['HOSTSTART'] )
      self.served_over = hash['HOSTSTART'].to_i
    end
  end

  self.leasetime = 600
  self.relayip = "\x00\x00\x00\x00" # relay ip - not currently suported
  self.pxeconfigfile = "update2"
  self.pxealtconfigfile = "update0"
  self.pxepathprefix = ""
  self.pxereboottime = 2000
end

Instance Attribute Details

#broadcasta ⇒ Object

Returns the value of attribute broadcasta.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def broadcasta
  @broadcasta
end

#context ⇒ Object

Returns the value of attribute context.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def context
  @context
end

#current_ip ⇒ Object

Returns the value of attribute current_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def current_ip
  @current_ip
end

#dnsserv ⇒ Object

Returns the value of attribute dnsserv.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def dnsserv
  @dnsserv
end

#end_ip ⇒ Object

Returns the value of attribute end_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def end_ip
  @end_ip
end

#give_hostname ⇒ Object

Returns the value of attribute give_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def give_hostname
  @give_hostname
end

#ipstring ⇒ Object

Returns the value of attribute ipstring.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def ipstring
  @ipstring
end

#leasetime ⇒ Object

Returns the value of attribute leasetime.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def leasetime
  @leasetime
end

#listen_host ⇒ Object

Returns the value of attribute listen_host.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def listen_host
  @listen_host
end

#listen_port ⇒ Object

Returns the value of attribute listen_port.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def listen_port
  @listen_port
end

#myfilename ⇒ Object

Returns the value of attribute myfilename.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def myfilename
  @myfilename
end

#netmaskn ⇒ Object

Returns the value of attribute netmaskn.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def netmaskn
  @netmaskn
end

#pxealtconfigfile ⇒ Object

Returns the value of attribute pxealtconfigfile.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def pxealtconfigfile
  @pxealtconfigfile
end

#pxeconfigfile ⇒ Object

Returns the value of attribute pxeconfigfile.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def pxeconfigfile
  @pxeconfigfile
end

#pxepathprefix ⇒ Object

Returns the value of attribute pxepathprefix.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def pxepathprefix
  @pxepathprefix
end

#pxereboottime ⇒ Object

Returns the value of attribute pxereboottime.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def pxereboottime
  @pxereboottime
end

#relayip ⇒ Object

Returns the value of attribute relayip.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def relayip
  @relayip
end

#reporter ⇒ Object

Returns the value of attribute reporter.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def reporter
  @reporter
end

#router ⇒ Object

Returns the value of attribute router.

# File 'lib/rex/proto/dhcp/server.rb', line 153

def router
  @router
end

#served ⇒ Object

Returns the value of attribute served.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def served
  @served
end

#served_hostname ⇒ Object

Returns the value of attribute served_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def served_hostname
  @served_hostname
end

#served_over ⇒ Object

Returns the value of attribute served_over.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def served_over
  @served_over
end

#serveOnce ⇒ Object

Returns the value of attribute serveOnce.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def serveOnce
  @serveOnce
end

#serveOnlyPXE ⇒ Object

Returns the value of attribute serveOnlyPXE.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def serveOnlyPXE
  @serveOnlyPXE
end

#servePXE ⇒ Object

Returns the value of attribute servePXE.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def servePXE
  @servePXE
end

#sock ⇒ Object

Returns the value of attribute sock.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def sock
  @sock
end

#start_ip ⇒ Object

Returns the value of attribute start_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def start_ip
  @start_ip
end

#thread ⇒ Object

Returns the value of attribute thread.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def thread
  @thread
end

Instance Method Details

#report(&block) ⇒ Object

# File 'lib/rex/proto/dhcp/server.rb', line 99

def report(&block)
  self.reporter = block
end

#send_packet(ip, pkt) ⇒ Object

Send a single packet to the specified host

# File 'lib/rex/proto/dhcp/server.rb', line 142

def send_packet(ip, pkt)
  port = 68 # bootpc
  if ip
    self.sock.sendto( pkt, ip, port )
  else
    if not self.sock.sendto( pkt, '255.255.255.255', port )
      self.sock.sendto( pkt, self.broadcasta, port )
    end
  end
end

#set_option(opts) ⇒ Object

Set an option

# File 'lib/rex/proto/dhcp/server.rb', line 125

def set_option(opts)
  allowed_options = [
    :serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
    :pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
    :give_hostname, :served_hostname, :served_over, :serveOnlyPXE
  ]

  opts.each_pair { |k,v|
    next if not v
    if allowed_options.include?(k)
      self.instance_variable_set("@#{k}", v)
    end
  }
end

#start ⇒ Object

Start the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 104

def start
  self.sock = Rex::Socket::Udp.create(
    'LocalHost' => listen_host,
    'LocalPort' => listen_port,
    'Context'   => context
  )

  self.thread = Rex::ThreadFactory.spawn("DHCPServerMonitor", false) {
    monitor_socket
  }
end

#stop ⇒ Object

Stop the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 117

def stop
  self.thread.kill
  self.served = {}
  self.sock.close rescue nil
end