2006-03-29 23:46:06 +02:00
|
|
|
module Msf
|
2013-09-30 20:47:53 +02:00
|
|
|
###
|
|
|
|
|
#
|
2023-01-30 02:25:46 +01:00
|
|
|
# This class hooks all sockets created by a running exploit
|
|
|
|
|
# and prevents data from being sent that matches a known IPS
|
|
|
|
|
# signature.
|
2013-09-30 20:47:53 +02:00
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
class Plugin::IPSFilter < Msf::Plugin
|
|
|
|
|
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# This class implements a socket communication logger
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
class IPSSocketEventHandler
|
|
|
|
|
include Rex::Socket::Comm::Events
|
|
|
|
|
|
|
|
|
|
def on_before_socket_create(comm, param); end
|
2013-09-30 20:47:53 +02:00
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def on_socket_created(_comm, sock, param)
|
|
|
|
|
# Sockets created by the exploit have MsfExploit set and MsfPayload not set
|
2023-01-30 03:05:34 +01:00
|
|
|
if (param.context['MsfExploit'] && !param.context['MsfPayload'])
|
2023-01-30 02:25:46 +01:00
|
|
|
sock.extend(IPSFilter::SocketTracer)
|
|
|
|
|
sock.context = param.context
|
|
|
|
|
end
|
2013-09-30 20:47:53 +02:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def initialize(framework, opts)
|
|
|
|
|
super
|
|
|
|
|
@ips_eh = IPSSocketEventHandler.new
|
|
|
|
|
Rex::Socket::Comm::Local.register_event_handler(@ips_eh)
|
|
|
|
|
end
|
2013-09-30 20:47:53 +02:00
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def cleanup
|
|
|
|
|
Rex::Socket::Comm::Local.deregister_event_handler(@ips_eh)
|
|
|
|
|
end
|
2013-09-30 20:47:53 +02:00
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def name
|
|
|
|
|
'ips_filter'
|
|
|
|
|
end
|
2013-09-30 20:47:53 +02:00
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def desc
|
|
|
|
|
'Scans all outgoing data to see if it matches a known IPS signature'
|
|
|
|
|
end
|
2013-09-30 20:47:53 +02:00
|
|
|
|
|
|
|
|
end
|
2006-03-29 23:46:06 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
# This module extends the captured socket instance
|
|
|
|
|
module IPSFilter
|
2023-01-30 02:25:46 +01:00
|
|
|
module SocketTracer
|
|
|
|
|
attr_accessor :context
|
|
|
|
|
|
|
|
|
|
# Hook the write method
|
|
|
|
|
def write(buf, opts = {})
|
|
|
|
|
if ips_match(buf)
|
|
|
|
|
print_error 'Outbound write blocked due to possible signature match'
|
|
|
|
|
return 0
|
|
|
|
|
end
|
|
|
|
|
super(buf, opts)
|
2013-09-30 20:47:53 +02:00
|
|
|
end
|
|
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
# Hook the read method
|
|
|
|
|
def read(length = nil, opts = {})
|
|
|
|
|
r = super(length, opts)
|
|
|
|
|
if ips_match(r)
|
|
|
|
|
print_error 'Incoming read may match a known signature'
|
|
|
|
|
end
|
|
|
|
|
return r
|
2013-09-30 20:47:53 +02:00
|
|
|
end
|
|
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
def ips_match(data)
|
2023-01-30 03:07:16 +01:00
|
|
|
# lp = localport
|
|
|
|
|
# rp = peerport
|
2013-09-30 20:47:53 +02:00
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
SIGS.each do |s|
|
2013-09-30 20:47:53 +02:00
|
|
|
r = Regexp.new(s[1])
|
2023-01-30 02:25:46 +01:00
|
|
|
if data.match(r)
|
2013-09-30 20:47:53 +02:00
|
|
|
print_error "Matched IPS signature #{s[0]}"
|
|
|
|
|
return true
|
|
|
|
|
end
|
2023-01-30 03:07:16 +01:00
|
|
|
rescue ::Exception
|
2013-09-30 20:47:53 +02:00
|
|
|
print_error "Compiled error: #{s[1]}"
|
|
|
|
|
end
|
2023-01-30 02:25:46 +01:00
|
|
|
|
|
|
|
|
return false
|
2013-09-30 20:47:53 +02:00
|
|
|
end
|
|
|
|
|
|
2023-01-30 02:25:46 +01:00
|
|
|
# Extend this as needed :-)
|
|
|
|
|
SIGS =
|
2023-01-30 03:05:34 +01:00
|
|
|
[
|
|
|
|
|
['DCOM.C', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
|
|
|
|
|
['BLASTER', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
|
|
|
|
|
['REMACT', ".*\xb8\x4a\x9f\x4d\x1c\\}\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
|
|
|
|
|
['x86 NOP SLED', "\x90\x90"],
|
|
|
|
|
].freeze
|
2013-09-30 20:47:53 +02:00
|
|
|
end
|
2009-01-04 08:34:52 +01:00
|
|
|
end
|
