packetfu 1.1.11 → 1.1.12.pre

data/lib/packetfu/pcapng/idb.rb

@@ -0,0 +1,125 @@
+require 'stringio'
+
+module PacketFu
+  module PcapNG
+
+    # Pcapng::IDB represents a Interface Description Block (IDB) of a pcapng file.
+    #
+    # == Pcapng::IDB Definition
+    #   Int32   :type           Default: 0x00000001
+    #   Int32   :block_len
+    #   Int16   :link_type      Default: 1
+    #   Int16   :reserved       Default: 0
+    #   Int64   :snaplen        Default: 0 (no limit)
+    #   String  :options
+    #   Int32   :block_len2
+    class IDB < Struct.new(:type, :block_len, :link_type, :reserved,
+                           :snaplen, :options, :block_len2)
+      include StructFu
+      include Block
+      attr_accessor :endian
+      attr_accessor :section
+      attr_accessor :packets
+
+      MIN_SIZE     = 5*4
+
+      # Option code for if_tsresol option
+      OPTION_IF_TSRESOL = 9
+
+      def initialize(args={})
+        @endian = set_endianness(args[:endian] || :little)
+        @packets = []
+        @options_decoded = false
+        init_fields(args)
+        super(args[:type], args[:block_len], args[:link_type], args[:reserved],
+              args[:snaplen], args[:options], args[:block_len2])
+      end
+
+      # Used by #initialize to set the initial fields
+      def init_fields(args={})
+        args[:type]  = @int32.new(args[:type] || PcapNG::IDB_TYPE.to_i)
+        args[:block_len] = @int32.new(args[:block_len] || MIN_SIZE)
+        args[:link_type] = @int16.new(args[:link_type] || 1)
+        args[:reserved] = @int16.new(args[:reserved] || 0)
+        args[:snaplen] = @int32.new(args[:snaplen] || 0)
+        args[:options] = StructFu::String.new(args[:options] || '')
+        args[:block_len2] = @int32.new(args[:block_len2] || MIN_SIZE)
+        args
+      end
+
+      def has_options?
+        self[:options].size > 0
+      end
+
+      # Reads a String or a IO to populate the object
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        self[:type].read io.read(4)
+        self[:block_len].read io.read(4)
+        self[:link_type].read io.read(2)
+        self[:reserved].read io.read(2)
+        self[:snaplen].read io.read(4)
+        self[:options].read io.read(self[:block_len].to_i - MIN_SIZE)
+        self[:block_len2].read io.read(4)
+
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Interface Description Block'
+        end
+      
+        self
+      end
+      
+      # Add a xPB to this section
+      def <<(xpb)
+        @packets << xpb
+      end
+
+      # Give timestamp resolution for this interface
+      def ts_resol(force=false)
+        if @options_decoded and not force
+          @ts_resol
+        else
+          packstr = (@endian == :little) ? 'v' : 'n'
+          idx = 0
+          options = self[:options]
+          opt_code = opt_len = 0
+
+          while idx < options.length do
+            opt_code, opt_len = options[idx, 4].unpack("#{packstr}2")
+            if opt_code == OPTION_IF_TSRESOL and opt_len == 1
+              tsresol = options[idx+4, 1].unpack('C').first
+              if tsresol & 0x80 == 0
+                @ts_resol = 10 ** -tsresol
+              else
+                @ts_resol = 2 ** -(tsresol & 0x7f)
+              end
+
+              @options_decoded = true
+              return @ts_resol
+            else
+              idx += 4 + opt_len
+            end
+          end
+
+          @options_decoded = true
+          @ts_resol = 1E-6  # default value
+        end
+      end
+
+      # Return the object as a String
+      def to_s
+        pad_field :options
+        recalc_block_len
+        to_a.map(&:to_s).join + @packets.map(&:to_s).join
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/pcapng/shb.rb

@@ -0,0 +1,146 @@
+require 'stringio'
+
+module PacketFu
+  module PcapNG
+
+    # PcapngSHB represents a Section Header Block (SHB) of a pcapng file.
+    #
+    # == PcapngSHB Definition
+    #   Int32   :type           Default: 0x0A0D0D0A
+    #   Int32   :block_len
+    #   Int32   :magic          Default: 0x1A2B3C4D  # :big is 0x4D3C2C1A
+    #   Int16   :ver_major      Default: 1
+    #   Int16   :ver_minor      Default: 0
+    #   Int64   :section_len
+    #   String  :options        Default: ''
+    #   Int32   :block_len2
+    class SHB < Struct.new(:type, :block_len, :magic, :ver_major, :ver_minor,
+                           :section_len, :options, :block_len2)
+      include StructFu
+      include Block
+      attr_accessor :endian
+      attr_reader :interfaces
+      # Get unsupported blocks given in pcapng file as raw data
+      attr_reader :unknown_blocks
+
+      MAGIC_INT32  = 0x1A2B3C4D
+      MAGIC_LITTLE = [MAGIC_INT32].pack('V')
+      MAGIC_BIG    = [MAGIC_INT32].pack('N')
+
+      MIN_SIZE     = 7*4
+      SECTION_LEN_UNDEFINED = 0xffffffff_ffffffff
+
+      def initialize(args={})
+        @endian = set_endianness(args[:endian] || :little)
+        @interfaces = []
+        @unknown_blocks = []
+        init_fields(args)
+        super(args[:type], args[:block_len], args[:magic], args[:ver_major],
+              args[:ver_minor], args[:section_len], args[:options], args[:block_len2])
+      end
+
+      # Used by #initialize to set the initial fields
+      def init_fields(args={})
+        args[:type]  = @int32.new(args[:type] || PcapNG::SHB_TYPE.to_i)
+        args[:block_len] = @int32.new(args[:block_len] || MIN_SIZE)
+        args[:magic] = @int32.new(args[:magic] || MAGIC_INT32)
+        args[:ver_major] = @int16.new(args[:ver_major] || 1)
+        args[:ver_minor] = @int16.new(args[:ver_minor] || 0)
+        args[:section_len] = @int64.new(args[:section_len] || SECTION_LEN_UNDEFINED)
+        args[:options] = StructFu::String.new(args[:options] || '')
+        args[:block_len2] = @int32.new(args[:block_len2] || MIN_SIZE)
+        args
+      end
+
+      def has_options?
+        self[:options].size > 0
+      end
+
+      # Reads a String or a IO to populate the object
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        type_str = io.read(4)
+        unless type_str == PcapNG::SHB_TYPE.to_s
+          type = type_str.unpack('H*').join
+          raise InvalidFileError, "Incorrect type (#{type})for Section Header Block"
+        end
+
+        block_len_str = io.read(4)
+
+        magic_str = io.read(4)
+        case @endian
+        when :little
+          case magic_str
+          when MAGIC_LITTLE
+          when MAGIC_BIG
+            force_endianness :big
+          else
+            raise InvalidFileError, 'Incorrect magic for Section Header Block'
+          end
+        when :big
+          case magic_str
+          when MAGIC_BIG
+          when MAGIC_LITTLE
+            force_endianness :little
+          else
+            raise InvalidFileError, 'Incorrect magic for Section Header Block'
+          end
+        end
+
+        self[:type].read type_str
+        self[:block_len].read block_len_str
+        self[:magic].read magic_str
+        self[:ver_major].read io.read(2)
+        self[:ver_minor].read io.read(2)
+        self[:section_len].read io.read(8)
+        self[:options].read io.read(self[:block_len].to_i - MIN_SIZE)
+        self[:block_len2].read io.read(4)
+
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Section Header Block'
+        end
+
+        self
+      end
+
+      # Add a IDB to this section
+      def <<(idb)
+        @interfaces << idb
+      end
+
+      # Return the object as a String
+      def to_s
+        body = @interfaces.map(&:to_s).join
+        unless self[:section_len].to_i == SECTION_LEN_UNDEFINED
+          self.section_len.value = body.size
+        end
+        pad_field :options
+        recalc_block_len
+        to_a.map(&:to_s).join + body
+      end
+
+
+      private
+
+      def force_endianness(endian)
+        set_endianness endian
+        @endian = endian
+        self[:type]  = @int32.new(self[:type].to_i)
+        self[:block_len] = @int32.new(self[:block_len].to_i)
+        self[:magic] = @int32.new(self[:magic].to_i)
+        self[:ver_major] = @int16.new(self[:ver_major].to_i)
+        self[:ver_minor] = @int16.new(self[:ver_minor].to_i)
+        self[:section_len] = @int64.new(self[:section_len].to_i)
+        self[:block_len2] = @int32.new(self[:block_len2].to_i)
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/pcapng/spb.rb

@@ -0,0 +1,83 @@
+require 'stringio'
+
+module PacketFu
+  module PcapNG
+
+    # Pcapng::SPB represents a Section Simple Packet Block (SPB) of a pcapng file.
+    #
+    # == Pcapng::SPB Definition
+    #   Int32   :type           Default: 0x00000003
+    #   Int32   :block_len
+    #   Int32   :orig_len
+    #   String  :data
+    #   Int32   :block_len2
+    class SPB < Struct.new(:type, :block_len, :orig_len, :data, :block_len2)
+      include StructFu
+      include Block
+      attr_accessor :endian
+      attr_accessor :interface
+
+      MIN_SIZE     = 4*4
+
+      def initialize(args={})
+        @endian = set_endianness(args[:endian] || :little)
+        init_fields(args)
+        super(args[:type], args[:block_len], args[:orig_len], args[:data],
+              args[:block_len2])
+      end
+
+      # Used by #initialize to set the initial fields
+      def init_fields(args={})
+        args[:type]  = @int32.new(args[:type] || PcapNG::SPB_TYPE.to_i)
+        args[:block_len] = @int32.new(args[:block_len] || MIN_SIZE)
+        args[:orig_len] = @int32.new(args[:orig_len] || 0)
+        args[:data] = StructFu::String.new(args[:data] || '')
+        args[:block_len2] = @int32.new(args[:block_len2] || MIN_SIZE)
+        args
+      end
+
+      def has_options?
+        false
+      end
+
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        self[:type].read io.read(4)
+        self[:block_len].read io.read(4)
+        self[:orig_len].read io.read(4)
+        # Take care of IDB snaplen
+        # CAUTION: snaplen == 0 -> no capture limit
+        if interface and interface.snaplen.to_i > 0
+          data_len = [self[:orig_len].to_i, interface.snaplen.to_i].min
+        else
+          data_len = self[:orig_len].to_i
+        end
+        data_pad_len = (4 - (data_len % 4)) % 4
+        self[:data].read io.read(data_len)
+        io.read data_pad_len
+        self[:block_len2].read io.read(4)
+
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Simple Packet Block'
+        end
+
+        self
+      end
+
+      # Return the object as a String
+      def to_s
+        pad_field :data
+        recalc_block_len
+        to_a.map(&:to_s).join
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/pcapng/unknown_block.rb

@@ -0,0 +1,60 @@
+require 'stringio'
+
+module PacketFu
+  module PcapNG
+
+    # Pcapng::UnknownBlock is used to handle unsupported blocks of a pcapng file.
+    class UnknownBlock < Struct.new(:type, :block_len, :body, :block_len2)
+      include StructFu
+      include Block
+      attr_accessor :endian
+      attr_accessor :section
+
+      MIN_SIZE     = 12
+
+      def initialize(args={})
+        @endian = set_endianness(args[:endian] || :little)
+        init_fields(args)
+        super(args[:type], args[:block_len], args[:body], args[:block_len2])
+      end
+
+      # Used by #initialize to set the initial fields
+      def init_fields(args={})
+        args[:type]  = @int32.new(args[:type] || 0)
+        args[:block_len] = @int32.new(args[:block_len] || MIN_SIZE)
+        args[:body] = StructFu::String.new(args[:body] || '')
+        args[:block_len2] = @int32.new(args[:block_len2] || MIN_SIZE)
+        args
+      end
+
+      def read(str_or_io)
+        if str_or_io.respond_to? :read
+          io = str_or_io
+        else
+          io = StringIO.new(force_binary(str_or_io.to_s))
+        end
+        return self if io.eof?
+
+        self[:type].read io.read(4)
+        self[:block_len].read io.read(4)
+        self[:body].read io.read(self[:block_len].to_i - MIN_SIZE)
+        self[:block_len2].read io.read(4)
+        
+        unless self[:block_len].to_i == self[:block_len2].to_i
+          raise InvalidFileError, 'Incoherency in Header Block'
+        end
+
+        self
+      end
+
+      # Return the object as a String
+      def to_s
+        pad_field :body
+        recalc_block_len
+        to_a.map(&:to_s).join
+      end
+
+    end
+
+  end
+end

data/lib/packetfu/protos.rb

@@ -0,0 +1,3 @@
+# Picks up all the protocols defined in the protos subdirectory
+path = File.expand_path("lib/packetfu/protos/*.rb")
+Dir.glob(path).each {|file| require file}

data/lib/packetfu/protos/arp.rb

@@ -1,7 +1,7 @@
 # -*- coding: binary -*-
+require 'packetfu/common'
 require 'packetfu/protos/eth/header'
 require 'packetfu/protos/eth/mixin'
-
 require 'packetfu/protos/arp/header'
 require 'packetfu/protos/arp/mixin'
 
@@ -16,7 +16,7 @@ module PacketFu
   #  arp_pkt.arp_saddr_ip="10.10.10.17"  # Your IP address
   #  arp_pkt.arp_daddr_ip="10.10.10.1"  # Target IP address
   #  arp_pkt.arp_opcode=1  # Request
-  # 
+  #
   #  arp_pkt.to_w('eth0')	# Inject on the wire. (requires root)
   #  arp_pkt.to_f('/tmp/arp.pcap') # Write to a file.
   #
@@ -24,7 +24,7 @@ module PacketFu
   #
   #  :flavor
   #   Sets the "flavor" of the ARP packet. Choices are currently:
-  #     :windows, :linux, :hp_deskjet 
+  #     :windows, :linux, :hp_deskjet
   #  :eth
   #   A pre-generated EthHeader object. If not specified, a new one will be created.
   #  :arp
@@ -53,23 +53,23 @@ module PacketFu
 
     def initialize(args={})
       @eth_header = EthHeader.new(args).read(args[:eth])
-      @arp_header = ARPHeader.new(args).read(args[:arp]) 
+      @arp_header = ARPHeader.new(args).read(args[:arp])
       @eth_header.eth_proto = "\x08\x06"
       @eth_header.body=@arp_header
 
       # Please send more flavors to todb+packetfu@planb-security.net.
       # Most of these initial fingerprints come from one (1) sample.
       case (args[:flavor].nil?) ? :nil : args[:flavor].to_s.downcase.intern
-      when :windows; @arp_header.body = "\x00" * 64				# 64 bytes of padding 
-      when :linux; @arp_header.body = "\x00" * 4 +				# 32 bytes of padding 
+      when :windows; @arp_header.body = "\x00" * 64				# 64 bytes of padding
+      when :linux; @arp_header.body = "\x00" * 4 +				# 32 bytes of padding
         "\x00\x07\x5c\x14" + "\x00" * 4 +
         "\x00\x0f\x83\x34" + "\x00\x0f\x83\x74" +
-        "\x01\x11\x83\x78" + "\x00\x00\x00\x0c" + 
+        "\x01\x11\x83\x78" + "\x00\x00\x00\x0c" +
         "\x00\x00\x00\x00"
       when :hp_deskjet; 																	# Pads up to 60 bytes.
-        @arp_header.body = "\xe0\x90\x0d\x6c" + 
-        "\xff\xff\xee\xee" + "\x00" * 4 + 
-        "\xe0\x8f\xfa\x18\x00\x20"	
+        @arp_header.body = "\xe0\x90\x0d\x6c" +
+        "\xff\xff\xee\xee" + "\x00" * 4 +
+        "\xe0\x8f\xfa\x18\x00\x20"
       else; @arp_header.body = "\x00" * 18								# Pads up to 60 bytes.
       end