Class: Rex::Proto::DHCP::Server

Inherits:

Object

• Object
• Rex::Proto::DHCP::Server

Includes:

Socket

Defined in:

lib/rex/proto/dhcp/server.rb

Overview

DHCP Server class not completely configurable - written specifically for a PXE server

• scriptjunkie

extended to support testing/exploiting CVE-2011-0997

• apconole@yahoo.com

Constant Summary

Constants included from Socket

Socket::MATCH_IPV4, Socket::MATCH_IPV4_PRIVATE, Socket::MATCH_IPV6

Instance Attribute Summary

• #broadcasta ⇒ Object

  Returns the value of attribute broadcasta.

• #context ⇒ Object

  Returns the value of attribute context.

• #current_ip ⇒ Object

  Returns the value of attribute current_ip.

• #dnsserv ⇒ Object

  Returns the value of attribute dnsserv.

• #end_ip ⇒ Object

  Returns the value of attribute end_ip.

• #give_hostname ⇒ Object

  Returns the value of attribute give_hostname.

• #ipstring ⇒ Object

  Returns the value of attribute ipstring.

• #leasetime ⇒ Object

  Returns the value of attribute leasetime.

• #listen_host ⇒ Object

  Returns the value of attribute listen_host.

• #listen_port ⇒ Object

  Returns the value of attribute listen_port.

• #myfilename ⇒ Object

  Returns the value of attribute myfilename.

• #netmaskn ⇒ Object

  Returns the value of attribute netmaskn.

• #pxealtconfigfile ⇒ Object

  Returns the value of attribute pxealtconfigfile.

• #pxeconfigfile ⇒ Object

  Returns the value of attribute pxeconfigfile.

• #pxepathprefix ⇒ Object

  Returns the value of attribute pxepathprefix.

• #pxereboottime ⇒ Object

  Returns the value of attribute pxereboottime.

• #relayip ⇒ Object

  Returns the value of attribute relayip.

• #reporter ⇒ Object

  Returns the value of attribute reporter.

• #router ⇒ Object

  Returns the value of attribute router.

• #served ⇒ Object

  Returns the value of attribute served.

• #served_hostname ⇒ Object

  Returns the value of attribute served_hostname.

• #served_over ⇒ Object

  Returns the value of attribute served_over.

• #serveOnce ⇒ Object

  Returns the value of attribute serveOnce.

• #serveOnlyPXE ⇒ Object

  Returns the value of attribute serveOnlyPXE.

• #servePXE ⇒ Object

  Returns the value of attribute servePXE.

• #sock ⇒ Object

  Returns the value of attribute sock.

• #start_ip ⇒ Object

  Returns the value of attribute start_ip.

• #thread ⇒ Object

  Returns the value of attribute thread.

Attributes included from Socket

#ipv, #localhost, #localport, #peerhost, #peerport

Instance Method Summary

• #initialize(hash, context = {}) ⇒ Server constructor

  A new instance of Server.

• #report(&block) ⇒ Object
• #send_packet(ip, pkt) ⇒ Object

  Send a single packet to the specified host.

• #set_option(opts) ⇒ Object

  Set an option.

• #start ⇒ Object

  Start the DHCP server.

• #stop ⇒ Object

  Stop the DHCP server.

Methods included from Socket

addr_atoc, addr_atoi, addr_atoi_list, addr_aton, addr_ctoa, addr_itoa, addr_iton, addr_ntoa, addr_ntoi, bit2netmask, cidr_crack, compress_address, create, create_ip, create_param, create_tcp, create_tcp_server, create_udp, dotted_ip?, #fd, from_sockaddr, getaddress, getaddresses, gethostbyname, #getlocalname, #getpeername, #getsockname, #initsock, ipv6_link_address, ipv6_mac, is_internal?, is_ipv4?, is_ipv6?, net2bitmask, portlist_to_portspec, portspec_crack, portspec_to_portlist, resolv_nbo, resolv_nbo_i, resolv_nbo_i_list, resolv_nbo_list, resolv_to_dotted, source_address, support_ipv6?, tcp_socket_pair, to_sockaddr, #type?, udp_socket_pair

Constructor Details

#initialize(hash, context = {}) ⇒ Server

Returns a new instance of Server.

# File 'lib/rex/proto/dhcp/server.rb', line 25

def initialize(hash, context = {})
	self.listen_host = '0.0.0.0' # clients don't already have addresses. Needs to be 0.0.0.0
	self.listen_port = 67 # mandatory (bootps)
	self.context = context
	self.sock = nil

	self.myfilename = hash['FILENAME'] || ""
	self.myfilename << ("\x00" * (128 - self.myfilename.length))

	source = hash['SRVHOST'] || Rex::Socket.source_address
	self.ipstring = Rex::Socket.addr_aton(source)

	ipstart = hash['DHCPIPSTART']
	if ipstart
		self.start_ip = Rex::Socket.addr_atoi(ipstart)
	else
		# Use the first 3 octects of the server's IP to construct the
		# default range of x.x.x.32-254
		self.start_ip = "#{self.ipstring[0..2]}\x20".unpack("N").first
	end
	self.current_ip = start_ip

	ipend = hash['DHCPIPEND']
	if ipend
		self.end_ip = Rex::Socket.addr_atoi(ipend)
	else
		# Use the first 3 octects of the server's IP to construct the
		# default range of x.x.x.32-254
		self.end_ip = "#{self.ipstring[0..2]}\xfe".unpack("N").first
	end

	# netmask
	netmask = hash['NETMASK'] || "255.255.255.0"
	self.netmaskn = Rex::Socket.addr_aton(netmask)

	# router
	router = hash['ROUTER'] || source
	self.router = Rex::Socket.addr_aton(router)

	# dns
	dnsserv = hash['DNSSERVER'] || source
	self.dnsserv = Rex::Socket.addr_aton(dnsserv)

	# broadcast
	if hash['BROADCAST']
		self.broadcasta = Rex::Socket.addr_aton(hash['BROADCAST'])
	else
		self.broadcasta = Rex::Socket.addr_itoa( self.start_ip | (Rex::Socket.addr_ntoi(self.netmaskn) ^ 0xffffffff) )
	end

	self.served = {}
	self.serveOnce = hash.include?('SERVEONCE')

	self.servePXE = (hash.include?('PXE') or hash.include?('FILENAME') or hash.include?('PXEONLY'))
	self.serveOnlyPXE = hash.include?('PXEONLY')

	# Always assume we don't give out hostnames ...
	self.give_hostname = false
	self.served_over = 0
	if (hash['HOSTNAME'])
		self.give_hostname = true
		self.served_hostname = hash['HOSTNAME']
		if ( hash['HOSTSTART'] )
			self.served_over = hash['HOSTSTART'].to_i
		end
	end

	self.leasetime = 600
	self.relayip = "\x00\x00\x00\x00" # relay ip - not currently suported
	self.pxeconfigfile = "update2"
	self.pxealtconfigfile = "update0"
	self.pxepathprefix = ""
	self.pxereboottime = 2000
end

Instance Attribute Details

#broadcasta ⇒ Object

Returns the value of attribute broadcasta.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def broadcasta
  @broadcasta
end

#context ⇒ Object

Returns the value of attribute context.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def context
  @context
end

#current_ip ⇒ Object

Returns the value of attribute current_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def current_ip
  @current_ip
end

#dnsserv ⇒ Object

Returns the value of attribute dnsserv.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def dnsserv
  @dnsserv
end

#end_ip ⇒ Object

Returns the value of attribute end_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def end_ip
  @end_ip
end

#give_hostname ⇒ Object

Returns the value of attribute give_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def give_hostname
  @give_hostname
end

#ipstring ⇒ Object

Returns the value of attribute ipstring.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def ipstring
  @ipstring
end

#leasetime ⇒ Object

Returns the value of attribute leasetime.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def leasetime
  @leasetime
end

#listen_host ⇒ Object

Returns the value of attribute listen_host.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def listen_host
  @listen_host
end

#listen_port ⇒ Object

Returns the value of attribute listen_port.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def listen_port
  @listen_port
end

#myfilename ⇒ Object

Returns the value of attribute myfilename.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def myfilename
  @myfilename
end

#netmaskn ⇒ Object

Returns the value of attribute netmaskn.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def netmaskn
  @netmaskn
end

#pxealtconfigfile ⇒ Object

Returns the value of attribute pxealtconfigfile.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def pxealtconfigfile
  @pxealtconfigfile
end

#pxeconfigfile ⇒ Object

Returns the value of attribute pxeconfigfile.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def pxeconfigfile
  @pxeconfigfile
end

#pxepathprefix ⇒ Object

Returns the value of attribute pxepathprefix.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def pxepathprefix
  @pxepathprefix
end

#pxereboottime ⇒ Object

Returns the value of attribute pxereboottime.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def pxereboottime
  @pxereboottime
end

#relayip ⇒ Object

Returns the value of attribute relayip.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def relayip
  @relayip
end

#reporter ⇒ Object

Returns the value of attribute reporter.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def reporter
  @reporter
end

#router ⇒ Object

Returns the value of attribute router.

# File 'lib/rex/proto/dhcp/server.rb', line 154

def router
  @router
end

#served ⇒ Object

Returns the value of attribute served.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def served
  @served
end

#served_hostname ⇒ Object

Returns the value of attribute served_hostname.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def served_hostname
  @served_hostname
end

#served_over ⇒ Object

Returns the value of attribute served_over.

# File 'lib/rex/proto/dhcp/server.rb', line 158

def served_over
  @served_over
end

#serveOnce ⇒ Object

Returns the value of attribute serveOnce.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def serveOnce
  @serveOnce
end

#serveOnlyPXE ⇒ Object

Returns the value of attribute serveOnlyPXE.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def serveOnlyPXE
  @serveOnlyPXE
end

#servePXE ⇒ Object

Returns the value of attribute servePXE.

# File 'lib/rex/proto/dhcp/server.rb', line 157

def servePXE
  @servePXE
end

#sock ⇒ Object

Returns the value of attribute sock.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def sock
  @sock
end

#start_ip ⇒ Object

Returns the value of attribute start_ip.

# File 'lib/rex/proto/dhcp/server.rb', line 156

def start_ip
  @start_ip
end

#thread ⇒ Object

Returns the value of attribute thread.

# File 'lib/rex/proto/dhcp/server.rb', line 155

def thread
  @thread
end

Instance Method Details

#report(&block) ⇒ Object

# File 'lib/rex/proto/dhcp/server.rb', line 100

def report(&block)
	self.reporter = block
end

#send_packet(ip, pkt) ⇒ Object

Send a single packet to the specified host

# File 'lib/rex/proto/dhcp/server.rb', line 143

def send_packet(ip, pkt)
	port = 68 # bootpc
	if ip
		self.sock.sendto( pkt, ip, port )
	else
		if not self.sock.sendto( pkt, '255.255.255.255', port )
			self.sock.sendto( pkt, self.broadcasta, port )
		end
	end
end

#set_option(opts) ⇒ Object

Set an option

# File 'lib/rex/proto/dhcp/server.rb', line 126

def set_option(opts)
	allowed_options = [
		:serveOnce, :pxealtconfigfile, :servePXE, :relayip, :leasetime, :dnsserv,
		:pxeconfigfile, :pxepathprefix, :pxereboottime, :router,
		:give_hostname, :served_hostname, :served_over, :serveOnlyPXE
	]

	opts.each_pair { |k,v|
		next if not v
		if allowed_options.include?(k)
			self.instance_variable_set("@#{k}", v)
		end
	}
end

#start ⇒ Object

Start the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 105

def start
	self.sock = Rex::Socket::Udp.create(
		'LocalHost' => listen_host,
		'LocalPort' => listen_port,
		'Context'   => context
	)

	self.thread = Rex::ThreadFactory.spawn("DHCPServerMonitor", false) {
		monitor_socket
	}
end

#stop ⇒ Object

Stop the DHCP server

# File 'lib/rex/proto/dhcp/server.rb', line 118

def stop
	self.thread.kill
	self.served = {}
	self.sock.close rescue nil
end