librex 0.0.20 → 0.0.21

data/lib/rex/proto/dcerpc/packet.rb.ut.rb

@@ -0,0 +1,56 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'rex/test'
+require 'rex/proto/dcerpc/packet'
+
+class Rex::Proto::DCERPC::Packet::UnitTest < Test::Unit::TestCase
+
+	Klass = Rex::Proto::DCERPC::Packet
+
+	def test_parse
+		
+		actual = Klass.make_bind('367abb81-9844-35f1-ad32-98f038001003', '2.0')
+		expected = ["\005\000\v\003\020\000\000\000H\000\000\000\000\000\000\000\320\026\320\026\000\000\000\000\001\000\000\000\000\000\001\000\201\273z6D\230\3615\2552\230\3608\000\020\003\002\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000", 0]
+		assert_equal(expected, actual, 'bind')
+
+		srand(0)
+		actual = Klass.make_bind_fake_multi('367abb81-9844-35f1-ad32-98f038001003', '2.0')
+		expected = [ "\005\000\v\003\020\000\000\0004\003\000\000\000\000\000\000\320\026\320\026\000\000\000\000\022\000\000\000\000\000\001\000u\300C\373\303g\t\323\025\362$WF\330X\214\002\000\001\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\001\000\001\000\346'W\256XQ\245\031MH\t\224s\320\363\305\000\000\002\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\002\000\001\000c\330\261\363\035\223\223\216\247 \301\t\271\177 \037\002\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\003\000\001\000\227\243\376\313r\267\034\"\200\200\2445\205&\350\364\001\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\004\000\001\000\204i*\272\037x\001A\347\2519#fw\v\256\002\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\005\000\001\000\200\216c5\214y\252T\313D\006\304/\177\364\203\004\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\006\000\001\000\264\350N\217\224\343\272\027\317\215uU01E\251\003\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\a\000\001\000_\305^\000q\262$\2420]\203b*\315p\347\005\000\001\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\010\000\001\000\177\000\212r+\272\177\027\273\202yb>\243\336{\003\000\002\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\t\000\001\000\256\343\224\3212\233\016):\301$\nV+h\v\002\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\n\000\001\000P \266\200&\023\256*s\270\274\350M\036\030}\002\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\v\000\001\000^\342k\rp(H\023_H\232\302\370\264C\354\005\000\002\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\f\000\001\000`\004\303\355\213\374V\315ymK\270\020\230\235\225\001\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\r\000\001\000\274yvu\275S\241h\240\344\373\373yF\325\037\005\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\016\000\001\000\201\273z6D\230\3615\2552\230\3608\000\020\003\002\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\017\000\001\000\270\230O)\022(\266\317\v\246o]\371\201\337v\004\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\020\000\001\000}\030C\322\357\003\352\314\346#\326\376\275\305\327+\000\000\003\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000\021\000\001\000h\324\212\266\353\245}\234o\350\002\e\323\331\2275\003\000\002\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000", 14]
+		assert_equal(expected, actual, 'bind fake multi')
+
+		actual = Klass.make_alter_context('367abb81-9844-35f1-ad32-98f038001003', '2.0')
+		expected = "\005\000\016\003\020\000\000\000H\000\000\000\000\000\000\000\320\026\320\026\000\000\000\000\001\000\000\000\000\000\001\000\201\273z6D\230\3615\2552\230\3608\000\020\003\002\000\000\000\004]\210\212\353\034\311\021\237\350\010\000+\020H`\002\000\000\000"
+		assert_equal(expected, actual, 'alter context')
+	
+		actual = Klass.make_request(1337, '', 1024, 7331)
+		expected = ["\005\000\000\003\020\000\000\000\030\000\000\000\000\000\000\000\000\000\000\000\243\0349\005"]
+		assert_equal(expected, actual, 'make_request with no stub')
+		
+		actual = Klass.make_request(1337, 'ABCD', 1024, 7331)
+		expected = ["\005\000\000\003\020\000\000\000\034\000\000\000\000\000\000\000\004\000\000\000\243\0349\005ABCD"]
+		assert_equal(expected, actual, 'make_request with stub')
+		
+		actual = Klass.make_request(1337, 'ABCD', 3, 7331)
+		expected = ["\005\000\000\001\020\000\000\000\e\000\000\000\000\000\000\000\003\000\000\000\243\0349\005ABC", "\005\000\000\002\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005D"]
+		assert_equal(expected, actual, 'make_request with 2 frags')
+		
+		actual = Klass.make_request(1337, 'ABCD', 1, 7331)	
+		expected = ["\005\000\000\001\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005A", "\005\000\000\000\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005B", "\005\000\000\000\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005C", "\005\000\000\002\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005D"]
+		assert_equal(expected, actual, 'make_request with 4 frags')
+		
+		
+		actual = Klass.make_request(1337, '', 1024, 7331, '367abb81-9844-35f1-ad32-98f038001003')
+		expected = ["\005\000\000\x83\020\000\000\000\030\000\000\000\000\000\000\000\000\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003"]
+		assert_equal(expected, actual, 'make_request with no stub, with object_id')
+		
+		actual = Klass.make_request(1337, 'ABCD', 1024, 7331, '367abb81-9844-35f1-ad32-98f038001003')
+		expected = ["\005\000\000\x83\020\000\000\000\034\000\000\000\000\000\000\000\004\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003ABCD"]
+		assert_equal(expected, actual, 'make_request with stub, with object_id')
+		
+		actual = Klass.make_request(1337, 'ABCD', 1, 7331, '367abb81-9844-35f1-ad32-98f038001003')
+		expected = ["\005\000\000\x81\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003A", "\005\000\000\x80\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003B", "\005\000\000\x80\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003C", "\005\000\000\x82\020\000\000\000\031\000\000\000\000\000\000\000\001\000\000\000\243\0349\005\201\273z6D\230\3615\2552\230\3608\000\020\003D"]
+		assert_equal(expected, actual, 'make_request with 4 frags')
+	end
+end

data/lib/rex/proto/dcerpc/response.rb

@@ -0,0 +1,187 @@
+require 'rex/proto/dcerpc/uuid'
+require 'rex/proto/dcerpc/exceptions'
+
+module Rex
+module Proto
+module DCERPC
+class Response
+
+	attr_accessor :frag_len, :auth_len, :type, :vers_major, :vers_minor
+	attr_accessor :flags, :data_rep, :call_id, :max_frag_xmit, :max_frag_recv
+	attr_accessor :assoc_group, :sec_addr_len, :sec_addr, :num_results
+	attr_accessor :nack_reason, :xfer_syntax_uuid, :xfer_syntax_vers
+	attr_accessor :ack_reason, :ack_result, :ack_xfer_syntax_uuid, :ack_xfer_syntax_vers
+	attr_accessor :alloc_hint, :context_id, :cancel_cnt, :status, :stub_data
+	attr_accessor :raw
+
+	# Create a new DCERPC::Response object
+	# This can be initialized in two ways:
+	# 1) Call .new() with the first 10 bytes of packet, then call parse on the rest
+	# 2) Call .new() with the full packet contents
+	def initialize(data)
+
+		self.ack_result = []
+		self.ack_reason = []
+		self.ack_xfer_syntax_uuid = []
+		self.ack_xfer_syntax_vers = []
+
+		if (! data or data.length < 10)
+			raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
+		end
+
+		if (data.length == 10)
+			self.frag_len = data[8,2].unpack('v')[0]
+			self.raw = data
+		end
+
+		if (data.length > 10)
+			self.raw = data
+			self.parse
+		end
+	end
+
+	# Parse the contents of a DCERPC response packet and fill out all the fields
+	def parse(body = '')
+		self.raw = self.raw + body
+		self.type = self.raw[2,1].unpack('C')[0]
+
+		uuid = Rex::Proto::DCERPC::UUID
+		data = self.raw
+
+
+		if(not data)
+			raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
+		end
+
+		# BIND_ACK == 12, ALTER_CONTEXT_RESP == 15
+		if (self.type == 12 or self.type == 15)
+
+			# Decode most of the DCERPC header
+			self.vers_major,
+			self.vers_minor,
+			trash,
+			self.flags,
+			self.data_rep,
+			self.frag_len,
+			self.auth_len,
+			self.call_id,
+			self.max_frag_xmit,
+			self.max_frag_recv,
+			self.assoc_group,
+			self.sec_addr_len = data.unpack('CCCCNvvVvvVv')
+
+
+			if(not self.frag_len or data.length < self.frag_len)
+				raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
+			end
+
+			# Keep an offset into the packet handy
+			x = 0
+
+			# XXX This is still somewhat broken (4 digit ports)
+			self.sec_addr = data[26, self.sec_addr_len]
+
+			# Move the pointer into the packet forward
+			x += 26 + self.sec_addr_len
+
+			# Align the pointer on a dword boundary
+			while (x % 4 != 0)
+				x += 1
+			end
+
+			# Figure out how many results we have (multiple-context binds)
+			self.num_results = data[ x, 4 ].unpack('V')[0]
+
+			# Move the pointer to the ack_result[0] offset
+			x += 4
+
+			# Initialize the ack_result index
+			ack = 0
+
+			# Scan through all results and add them to the result arrays
+			while ack < self.num_results
+				self.ack_result[ack] = data[ x + 0, 2 ].unpack('v')[0]
+				self.ack_reason[ack] = data[ x + 2, 2 ].unpack('v')[0]
+				self.ack_xfer_syntax_uuid[ack] = uuid.uuid_unpack(data[ x + 4, 16 ])
+				self.ack_xfer_syntax_vers[ack] = data[ x + 20, 4 ].unpack('V')[0]
+				x += 24
+				ack += 1
+			end
+
+			# End of BIND_ACK || ALTER_CONTEXT_RESP
+		end
+
+		# BIND_NACK == 13
+		if (self.type == 13)
+
+			# Decode most of the DCERPC header
+			self.vers_major,
+			self.vers_minor,
+			trash,
+			self.flags,
+			self.data_rep,
+			self.frag_len,
+			self.auth_len,
+			self.call_id,
+			self.nack_reason = data.unpack('CCCCNvvVv')
+		end
+
+		# RESPONSE == 2
+		if (self.type == 2)
+
+			# Decode the DCERPC response header
+			self.vers_major,
+			self.vers_minor,
+			trash,
+			self.flags,
+			self.data_rep,
+			self.frag_len,
+			self.auth_len,
+			self.call_id,
+			self.alloc_hint,
+			self.context_id,
+			self.cancel_cnt = data.unpack('CCCCNvvVVvC')
+
+			# Error out if the whole header was not read
+			if !(self.alloc_hint and self.context_id and self.cancel_cnt)
+				raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
+			end
+
+			# Put the application data into self.stub_data
+			self.stub_data = data[data.length - self.alloc_hint, 0xffff]
+			# End of RESPONSE
+		end
+
+		# FAULT == 3
+		if (self.type == 3)
+
+			# Decode the DCERPC response header
+			self.vers_major,
+			self.vers_minor,
+			trash,
+			self.flags,
+			self.data_rep,
+			self.frag_len,
+			self.auth_len,
+			self.call_id,
+			self.alloc_hint,
+			self.context_id,
+			self.cancel_cnt,
+			trash,
+			self.status = data.unpack('CCCCNvvVVvCCV')
+
+			# Put the application data into self.stub_data
+			self.stub_data = data[data.length - self.alloc_hint, 0xffff]
+			# End of FAULT
+		end
+
+	end
+
+protected
+#	attr_accessor :raw
+
+end
+end
+end
+end
+

data/lib/rex/proto/dcerpc/response.rb.ut.rb

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'rex/test'
+require 'rex/proto/dcerpc/response'
+	
+class Rex::Proto::DCERPC::Response::UnitTest < Test::Unit::TestCase
+
+	Klass = Rex::Proto::DCERPC::Response
+
+	def test_parse
+
+	end
+end

data/lib/rex/proto/dcerpc/uuid.rb

@@ -0,0 +1,84 @@
+module Rex
+module Proto
+module DCERPC
+class UUID
+
+
+	@@known_uuids =
+	{
+		'MGMT'      => [ 'afa8bd80-7d8a-11c9-bef4-08002b102989', '2.0' ],
+		'REMACT'    => [ '4d9f4ab8-7d1c-11cf-861e-0020af6e7c57', '0.0' ],
+		'SYSACT'    => [ '000001a0-0000-0000-c000-000000000046', '0.0' ],
+		'LSA_DS'    => [ '3919286a-b10c-11d0-9ba8-00c04fd92ef5', '0.0' ],
+		'SAMR'      => [ '12345778-1234-abcd-ef00-0123456789ac', '1.0' ],
+		'MSMQ'      => [ 'fdb3a030-065f-11d1-bb9b-00a024ea5525', '1.0' ],
+		'EVENTLOG'  => [ '82273fdc-e32a-18c3-3f78-827929dc23ea', '0.0' ],
+		'SVCCTL'    => [ '367abb81-9844-35f1-ad32-98f038001003', '2.0' ],
+		'SRVSVC'    => [ '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0' ],
+		'PNP'       => [ '8d9f4e40-a03d-11ce-8f69-08003e30051b', '1.0' ]
+	}
+
+	# Convert a UUID in binary format to the string representation	
+	def self.uuid_unpack(uuid_bin)
+		raise ArgumentError if uuid_bin.length != 16
+		sprintf("%.8x-%.4x-%.4x-%.4x-%s",
+			uuid_bin[ 0, 4].unpack('V')[0],
+			uuid_bin[ 4, 2].unpack('v')[0],
+			uuid_bin[ 6, 2].unpack('v')[0],
+			uuid_bin[ 8, 2].unpack('n')[0],
+			uuid_bin[10, 6].unpack('H*')[0]
+		)	
+	end
+
+	# Validate a text based UUID
+	def self.is? (uuid_str)
+		raise ArgumentError if !uuid_str
+		if uuid_str.match(/^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$/)
+			return true
+		else
+			return false
+		end
+	end
+
+	# Convert a UUID in string format to the binary representation
+	def self.uuid_pack (uuid_str)
+		raise ArgumentError if !self.is?(uuid_str)
+		parts = uuid_str.split('-')
+		[ parts[0].hex, parts[1].hex, parts[2].hex, parts[3].hex ].pack('Vvvn') + [ parts[4] ].pack('H*')
+	end
+	
+	# Provide the common TransferSyntax UUID in packed format
+	def self.xfer_syntax_uuid ()
+		self.uuid_pack('8a885d04-1ceb-11c9-9fe8-08002b104860')
+	end
+	
+	# Provide the common TransferSyntax version number
+	def self.xfer_syntax_vers ()
+		'2.0'
+	end
+	
+	# Determine the UUID string for the DCERPC service with this name	
+	def self.uuid_by_name (name) 
+		if @@known_uuids.key?(name)
+			@@known_uuids[name][0]
+		end
+	end
+	
+	# Determine the common version number for the DCERPC service with this name
+	def self.vers_by_name (name)
+		if @@known_uuids.key?(name)
+			@@known_uuids[name][1]
+		end
+	end
+	
+	# Convert a string or number in float format to two unique numbers 2.0 => [2, 0]
+	def self.vers_to_nums (vers) 
+		vers_maj = vers.to_i
+		vers_min = ((vers.to_f - vers.to_i) * 10).to_i
+		return vers_maj, vers_min
+	end
+	
+end
+end
+end
+end

data/lib/rex/proto/dcerpc/uuid.rb.ut.rb

@@ -0,0 +1,46 @@
+#!/usr/bin/env ruby
+
+$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
+
+require 'rex/test'
+require 'rex/exceptions'
+require 'rex/proto/dcerpc/uuid'
+
+class Rex::Proto::DCERPC::UUID::UnitTest < Test::Unit::TestCase
+
+	Klass = Rex::Proto::DCERPC::UUID
+
+	def test_is_uuid
+		assert(Klass.is?('afa8bd80-7d8a-11c9-bef4-08002b102989'), 'valid')
+		assert(!Klass.is?('afa8bd80-7d8a-11c9-bef4-08002b10298'), 'too short')
+		assert(!Klass.is?('afa8bd80-7d8a-11c9-bef4-08002b10298Z'), 'invalid character')
+		assert(!Klass.is?('afa8bd80-7d8a-11c9-bef4a08002b10298a'), 'missing dash')
+		assert(!Klass.is?('afa8bd80-7d8a-11c9-bef-a08002b10298a'), 'dash in wrong place')
+		assert_raise(Rex::ArgumentError, 'pack - too short') { Klass.is?(nil) }
+	end
+
+	def test_lookup
+		assert_equal(Klass.uuid_by_name('MGMT'), 'afa8bd80-7d8a-11c9-bef4-08002b102989', 'uuid_by_name')
+		assert_equal(Klass.vers_by_name('MGMT'), '2.0', 'vers_by_name')
+		assert(!Klass.uuid_by_name('NO_SUCH_UUID'), 'uuid_by_name - invalid')
+		assert(!Klass.vers_by_name('NO_SUCH_UUID'), 'vers_by_name - invalid')
+	end
+
+	def test_packing
+		uuid = '367abb81-9844-35f1-ad32-98f038001003'
+		assert_equal(Klass.uuid_pack(uuid), "\201\273z6D\230\3615\2552\230\3608\000\020\003", 'pack')
+		assert_equal(Klass.uuid_unpack("\201\273z6D\230\3615\2552\230\3608\000\020\003"), uuid, 'unpack')
+		assert_raise(Rex::ArgumentError, 'pack - too short') { Klass.uuid_pack('foo') }
+		assert_raise(Rex::ArgumentError, 'unpack - too short') { Klass.uuid_unpack('foo') }
+	end
+
+	def test_xfer
+		assert_equal(Klass.xfer_syntax_uuid(), "\004]\210\212\353\034\311\021\237\350\010\000+\020H`", 'xfer_syntax_uuid')
+		assert_equal(Klass.xfer_syntax_vers(), '2.0', 'xfer_syntax_vers')
+	end
+
+	def test_vers
+		assert_equal(Klass.vers_to_nums('2.0'), [2, 0], 'vers_to_nums')
+		assert_equal(Klass.vers_to_nums('2'), [2, 0], 'vers_to_nums (short)')
+	end
+end

data/lib/rex/proto/dhcp.rb

@@ -0,0 +1,7 @@
+# $Id: dhcp.rb 12196 2011-04-01 00:51:33Z egypt $
+#
+# DHCP Server support written by scriptjunkie
+#
+
+require 'rex/proto/dhcp/constants'
+require 'rex/proto/dhcp/server'

data/lib/rex/proto/dhcp/constants.rb

@@ -0,0 +1,33 @@
+# $Id: constants.rb 12196 2011-04-01 00:51:33Z egypt $
+require 'rex/proto/dhcp'
+
+module Rex
+module Proto
+module DHCP
+
+Request = 1
+Response = 2
+
+DHCPDiscover = 1
+DHCPOffer = 2
+DHCPRequest = 3
+DHCPAck = 5
+
+DHCPMagic = "\x63\x82\x53\x63"
+
+OpDHCPServer = 0x36
+OpLeaseTime = 0x33
+OpSubnetMask = 1
+OpRouter = 3
+OpDns = 6
+OpEnd = 0xff
+
+PXEMagic = "\xF1\x00\x74\x7E"
+OpPXEMagic = 0xD0
+OpPXEConfigFile = 0xD1
+OpPXEPathPrefix = 0xD2
+OpPXERebootTime = 0xD3
+
+end
+end
+end

data/lib/rex/proto/dhcp/server.rb

@@ -0,0 +1,292 @@
+# $Id: server.rb 12196 2011-04-01 00:51:33Z egypt $
+
+require 'rex/socket'
+require 'rex/proto/dhcp'
+
+module Rex
+module Proto
+module DHCP
+
+##
+#
+# DHCP Server class
+# not completely configurable - written specifically for a PXE server
+# - scriptjunkie
+##
+
+class Server
+
+	include Rex::Socket
+
+	def initialize(hash, context = {})
+		self.listen_host = '0.0.0.0' # clients don't already have addresses. Needs to be 0.0.0.0
+		self.listen_port = 67 # mandatory (bootps)
+		self.context = context
+		self.sock = nil
+
+		@shutting_down = false
+
+		self.myfilename = hash['FILENAME'] || ""
+		self.myfilename << ("\x00" * (128 - self.myfilename.length))
+
+		source = hash['SRVHOST'] || Rex::Socket.source_address
+		self.ipstring = Rex::Socket.addr_aton(source)
+
+		ipstart = hash['DHCPIPSTART']
+		if ipstart
+			self.start_ip = Rex::Socket.addr_atoi(ipstart)
+		else
+			# Use the first 3 octects of the server's IP to construct the
+			# default range of x.x.x.32-254
+			self.start_ip = "#{self.ipstring[0..2]}\x20".unpack("N").first
+		end
+		self.current_ip = start_ip
+
+		ipend = hash['DHCPIPEND']
+		if ipend
+			self.end_ip = Rex::Socket.addr_atoi(ipend)
+		else
+			# Use the first 3 octects of the server's IP to construct the
+			# default range of x.x.x.32-254
+			self.end_ip = "#{self.ipstring[0..2]}\xfe".unpack("N").first
+		end
+
+		# netmask
+		netmask = hash['NETMASK'] || "255.255.255.0"
+		self.netmaskn = Rex::Socket.addr_aton(netmask)
+
+		# router
+		router = hash['ROUTER'] || source
+		self.router = Rex::Socket.addr_aton(router)
+
+		# dns
+		dnsserv = hash['DNSSERVER'] || source
+		self.dnsserv = Rex::Socket.addr_aton(dnsserv)
+
+		# broadcast
+		if hash['BROADCAST']
+			self.broadcasta = Rex::Socket.addr_aton(hash['BROADCAST'])
+		else
+			self.broadcasta = Rex::Socket.addr_itoa( self.start_ip | (Rex::Socket.addr_ntoi(self.netmaskn) ^ 0xffffffff) )
+		end
+
+		self.served = {}
+		if (hash['SERVEONCE'])
+			self.serveOnce = true
+		else
+			self.serveOnce = false
+		end
+		
+		if (hash['PXE'])
+			self.servePXE = true
+		else
+			self.servePXE = false
+		end
+		
+		self.leasetime = 600
+		self.relayip = "\x00\x00\x00\x00" # relay ip - not currently suported
+		self.pxeconfigfile = "update2"
+		self.pxepathprefix = ""
+		self.pxereboottime = 2000
+	end
+
+
+	# Start the DHCP server
+	def start
+		self.sock = Rex::Socket::Udp.create(
+			'LocalHost' => listen_host,
+			'LocalPort' => listen_port,
+			'Context'   => context
+		)
+
+		self.thread = Rex::ThreadFactory.spawn("DHCPServerMonitor", false) {
+			monitor_socket
+		}
+	end
+
+	# Stop the DHCP server
+	def stop
+		@shutting_down = true
+		self.thread.kill
+		self.sock.close rescue nil
+	end
+
+
+	# Set an option
+	def set_option(opts)
+		allowed_options = [
+			:serveOnce, :servePXE, :relayip, :leasetime, :dnsserv,
+			:pxeconfigfile, :pxepathprefix, :pxereboottime, :router
+		]
+
+		opts.each_pair { |k,v|
+			next if not v
+			if allowed_options.include?(k)
+				self.instance_variable_set("@#{k}", v)
+			end
+		}
+	end
+
+
+	# Send a single packet to the specified host
+	def send_packet(ip, pkt)
+		port = 68 # bootpc
+		if ip
+			self.sock.sendto( pkt, ip, port )
+		else
+			if not self.sock.sendto( pkt, '255.255.255.255', port )
+				self.sock.sendto( pkt, self.broadcasta, port )
+			end
+		end
+	end
+
+	attr_accessor :listen_host, :listen_port, :context, :leasetime, :relayip, :router, :dnsserv
+	attr_accessor :sock, :thread, :myfilename, :ipstring, :served, :serveOnce
+	attr_accessor :current_ip, :start_ip, :end_ip, :broadcasta, :netmaskn
+	attr_accessor :servePXE, :pxeconfigfile, :pxepathprefix, :pxereboottime
+
+protected
+
+
+	# See if there is anything to do.. If so, dispatch it.
+	def monitor_socket
+		while true
+			rds = [@sock]
+			wds = []
+			eds = [@sock]
+
+			r,w,e = ::IO.select(rds,wds,eds,1)
+
+			if (r != nil and r[0] == self.sock)
+				buf,host,port = self.sock.recvfrom(65535)
+				# Lame compatabilitiy :-/
+				from = [host, port]
+				dispatch_request(from, buf)
+			end
+
+		end
+	end
+
+	def dhcpoption(type, val = nil)
+		ret = ''
+		ret << [type].pack('C')
+
+		if val
+			ret << [val.length].pack('C') + val
+		end
+
+		ret
+	end
+
+	# Dispatch a packet that we received
+	def dispatch_request(from, buf)
+		type = buf.unpack('C').first
+		if (type != Request)
+			#dlog("Unknown DHCP request type: #{type}")
+			return
+		end
+
+		# parse out the members
+		hwtype = buf[1,1]
+		hwlen = buf[2,1].unpack("C").first
+		hops = buf[3,1]
+		txid = buf[4..7]
+		elapsed = buf[8..9]
+		flags = buf[10..11]
+		clientip = buf[12..15]
+		givenip = buf[16..19]
+		nextip = buf[20..23]
+		relayip = buf[24..27]
+		clienthwaddr = buf[28..(27+hwlen)]
+		servhostname = buf[44..107]
+		filename = buf[108..235]
+		magic = buf[236..239]
+
+		if (magic != DHCPMagic)
+			#dlog("Invalid DHCP request - bad magic.")
+			return
+		end
+
+		messageType = 0
+		pxeclient = false
+
+		# options parsing loop
+		spot = 240
+		while (spot < buf.length - 3)
+			optionType = buf[spot,1].unpack("C").first
+			break if optionType == 0xff
+
+			optionLen = buf[spot + 1,1].unpack("C").first
+			optionValue = buf[(spot + 2)..(spot + optionLen + 1)]
+			spot = spot + optionLen + 2
+			if optionType == 53
+				messageType = optionValue.unpack("C").first
+			elsif optionType == 150
+				pxeclient = true
+			end
+		end
+
+		if pxeclient == false && self.servePXE == true
+			#dlog ("No tftp server request; ignoring (probably not PXE client)")
+			return
+		end
+
+		# prepare response
+		pkt = [Response].pack('C')
+		pkt << buf[1..7] #hwtype, hwlen, hops, txid
+		pkt << "\x00\x00\x00\x00"  #elapsed, flags
+		pkt << clientip
+		if messageType == DHCPDiscover
+			# give next ip address (not super reliable high volume but it should work for a basic server)
+			self.current_ip += 1
+			if self.current_ip > self.end_ip
+				self.current_ip = self.start_ip
+			end
+		end
+		pkt << Rex::Socket.addr_iton(self.current_ip)
+		pkt << self.ipstring #next server ip
+		pkt << self.relayip
+		pkt << buf[28..43] #client hw address
+		pkt << servhostname
+		pkt << self.myfilename
+		pkt << magic
+		pkt << "\x35\x01" #Option
+
+		if messageType == DHCPDiscover  #DHCP Discover - send DHCP Offer
+			pkt << [DHCPOffer].pack('C')
+			# check if already served based on hw addr (MAC address)
+			if self.serveOnce == true && self.served.has_key?(buf[28..43])
+				#dlog ("Already served; allowing normal boot")
+				return
+			end
+		elsif messageType == DHCPRequest #DHCP Request - send DHCP ACK
+			pkt << [DHCPAck].pack('C')
+			# now we ignore their discovers (but we'll respond to requests in case a packet was lost)
+			self.served.merge!( buf[28..43] => true ) 
+		else
+			#dlog("ignoring unknown DHCP request - type #{messageType}")
+			return
+		end
+
+		# Options!
+		pkt << dhcpoption(OpDHCPServer, self.ipstring)
+		pkt << dhcpoption(OpLeaseTime, [self.leasetime].pack('N'))
+		pkt << dhcpoption(OpSubnetMask, self.netmaskn)
+		pkt << dhcpoption(OpRouter, self.router)
+		pkt << dhcpoption(OpDns, self.dnsserv)
+		pkt << dhcpoption(OpPXEMagic, PXEMagic)
+		pkt << dhcpoption(OpPXEConfigFile, self.pxeconfigfile)
+		pkt << dhcpoption(OpPXEPathPrefix, self.pxepathprefix)
+		pkt << dhcpoption(OpPXERebootTime, [self.pxereboottime].pack('N'))
+		pkt << dhcpoption(OpEnd)
+
+		pkt << ("\x00" * 32) #padding
+
+		send_packet(nil, pkt)
+	end
+
+end
+
+end
+end
+end