Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# WARNING: Metasploit no longer maintains or accepts meterpreter scripts.
3
# If you'd like to improve this script, please try to port it as a post
4
# module instead. Thank you.
5
##
6

7

8
#
9
# Meterpreter script for setting up a route from within a
10
# Meterpreter session, without having to background the
11
# current session.
12

13
# Default options
14
session = client
15
subnet = nil
16
netmask = "255.255.255.0"
17
print_only = false
18
remove_route = false
19
remove_all_routes = false
20

21
# Options parsing
22
@@exec_opts = Rex::Parser::Arguments.new(
23
  "-h" => [false, "Help and usage"],
24
  "-s" => [true, "Subnet (IPv4, for example, 10.10.10.0)"],
25
  "-n" => [true, "Netmask (IPv4, for example, 255.255.255.0"],
26
  "-p" => [false, "Print active routing table. All other options are ignored"],
27
  "-d" => [false, "Delete the named route instead of adding it"],
28
  "-D" => [false, "Delete all routes (does not require a subnet)"]
29
)
30

31
# Defines usage
32
def usage()
33
  print_status "Usage:   run autoroute [-r] -s subnet -n netmask"
34
  print_status "Examples:"
35
  print_status "  run autoroute -s 10.1.1.0 -n 255.255.255.0  # Add a route to 10.10.10.1/255.255.255.0"
36
  print_status "  run autoroute -s 10.10.10.1                 # Netmask defaults to 255.255.255.0"
37
  print_status "  run autoroute -s 10.10.10.1/24              # CIDR notation is also okay"
38
  print_status "  run autoroute -p                            # Print active routing table"
39
  print_status "  run autoroute -d -s 10.10.10.1              # Deletes the 10.10.10.1/255.255.255.0 route"
40
  print_status "Use the \"route\" and \"ipconfig\" Meterpreter commands to learn about available routes"
41
  print_error "Deprecation warning: This script has been replaced by the post/multi/manage/autoroute module"
42
end
43

44

45
@@exec_opts.parse(args) { |opt, idx, val|
46
  v = val.to_s.strip
47
  case opt
48
  when "-h"
49
    usage
50
    raise Rex::Script::Completed
51
  when "-s"
52
    if v =~ /[0-9\x2e]+\x2f[0-9]{1,2}/
53
      subnet,cidr = v.split("\x2f")
54
      netmask = Rex::Socket.addr_ctoa(cidr.to_i)
55
    else
56
      subnet = v
57
    end
58
  when "-n"
59
    if (0..32) === v.to_i
60
      netmask = Rex::Socket.addr_ctoa(v.to_i)
61
    else
62
      netmask = v
63
    end
64
  when "-p"
65
    print_only = true
66
  when "-d"
67
    remove_route = true
68
  when "-D"
69
    remove_all_routes = true
70
  end
71
}
72

73
def delete_all_routes
74
  if Rex::Socket::SwitchBoard.routes.size > 0
75
    routes = []
76
    Rex::Socket::SwitchBoard.each do |route|
77
      routes << {:subnet => route.subnet, :netmask => route.netmask}
78
    end
79
    routes.each {|route_opts| delete_route(route_opts)}
80

81
    print_status "Deleted all routes"
82
  else
83
    print_status "No routes have been added yet"
84
  end
85
  raise Rex::Script::Completed
86
end
87

88
# Identical functionality to command_dispatcher/core.rb, and
89
# nearly identical code
90
def print_routes
91
  if Rex::Socket::SwitchBoard.routes.size > 0
92
    tbl =	Msf::Ui::Console::Table.new(
93
      Msf::Ui::Console::Table::Style::Default,
94
      'Header'  => "Active Routing Table",
95
      'Prefix'  => "\n",
96
      'Postfix' => "\n",
97
      'Columns' =>
98
        [
99
          'Subnet',
100
          'Netmask',
101
          'Gateway',
102
        ],
103
      'ColProps' =>
104
        {
105
          'Subnet'  => { 'Width' => 17 },
106
          'Netmask' => { 'Width' => 17 },
107
        })
108
    ret = []
109

110
    Rex::Socket::SwitchBoard.each { |route|
111
      if (route.comm.kind_of?(Msf::Session))
112
        gw = "Session #{route.comm.sid}"
113
      else
114
        gw = route.comm.name.split(/::/)[-1]
115
      end
116
      tbl << [ route.subnet, route.netmask, gw ]
117
    }
118
      print tbl.to_s
119
  else
120
    print_status "No routes have been added yet"
121
  end
122
  raise Rex::Script::Completed
123
end
124

125
# Yet another IP validator. I'm sure there's some Rex
126
# function that can just do this.
127
def check_ip(ip=nil)
128
  return false if(ip.nil? || ip.strip.empty?)
129
  begin
130
    rw = Rex::Socket::RangeWalker.new(ip.strip)
131
    (rw.valid? && rw.length == 1) ? true : false
132
  rescue
133
    false
134
  end
135
end
136

137
# Adds a route to the framework instance
138
def add_route(opts={})
139
  subnet = opts[:subnet]
140
  netmask = opts[:netmask] || "255.255.255.0" # Default class C
141
  Rex::Socket::SwitchBoard.add_route(subnet, netmask, session)
142
end
143

144
# Removes a route to the framework instance
145
def delete_route(opts={})
146
  subnet = opts[:subnet]
147
  netmask = opts[:netmask] || "255.255.255.0" # Default class C
148
  Rex::Socket::SwitchBoard.remove_route(subnet, netmask, session)
149
end
150

151
# Validates the command options
152
def validate_cmd(subnet=nil,netmask=nil)
153
  if subnet.nil?
154
    print_error "Missing -s (subnet) option"
155
    return false
156
  end
157

158
  unless(check_ip(subnet))
159
    print_error "Subnet invalid (must be IPv4)"
160
    usage
161
    return false
162
  end
163

164
  if(netmask and !(Rex::Socket.addr_atoc(netmask)))
165
    print_error "Netmask invalid (must define contiguous IP addressing)"
166
    usage
167
    return false
168
  end
169

170
  if(netmask and !check_ip(netmask))
171
    print_error "Netmask invalid"
172
    return usage
173
  end
174
  true
175
end
176

177
if print_only
178
  print_routes()
179
  raise Rex::Script::Completed
180
end
181

182
if remove_all_routes
183
  delete_all_routes()
184
  raise Rex::Script::Completed
185
end
186

187
raise Rex::Script::Completed unless validate_cmd(subnet,netmask)
188

189
if remove_route
190
  print_status("Deleting route to %s/%s..." % [subnet,netmask])
191
  route_result = delete_route(:subnet => subnet, :netmask => netmask)
192
else
193
  print_status("Adding a route to %s/%s..." % [subnet,netmask])
194
  route_result = add_route(:subnet => subnet, :netmask => netmask)
195
end
196

197
if route_result
198
  print_good "%s route to %s/%s via %s" % [
199
    (remove_route ? "Deleted" : "Added"),
200
    subnet,netmask,client.sock.peerhost
201
  ]
202
else
203
  print_error "Could not %s route" % [(remove_route ? "delete" : "add")]
204
end
205

206
if Rex::Socket::SwitchBoard.routes.size > 0
207
  print_status "Use the -p option to list all active routes"
208
end
209

210

211