metasploit-framework/modules/auxiliary/scanner/upnp/ssdp_amp.rb

94 lines
2.8 KiB
Ruby
Raw Normal View History

2014-08-26 05:53:14 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
2014-08-26 05:53:14 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2014-08-26 05:53:14 +00:00
include Msf::Auxiliary::Report
include Msf::Exploit::Capture
2014-08-26 05:53:14 +00:00
include Msf::Auxiliary::UDPScanner
2014-08-26 09:03:32 +00:00
include Msf::Auxiliary::DRDoS
2014-08-26 05:53:14 +00:00
def initialize
super(
'Name' => 'SSDP ssdp:all M-SEARCH Amplification Scanner',
2014-08-26 05:53:14 +00:00
'Description' => 'Discover SSDP amplification possibilities',
2014-08-26 14:26:30 +00:00
'Author' => ['xistence <xistence[at]0x90.nl>'], # Original scanner module
2014-08-26 15:29:28 +00:00
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
2014-08-26 15:29:28 +00:00
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A']
],
2014-08-26 05:53:14 +00:00
)
2014-08-26 14:26:30 +00:00
register_options([
2014-08-26 05:53:14 +00:00
Opt::RPORT(1900),
2014-08-26 14:26:30 +00:00
OptBool.new('SHORT', [ false, "Does a shorter request, for a higher amplifier, not compatible with all devices", false])
])
2014-08-26 05:53:14 +00:00
end
def setup
super
# SSDP packet containing the "ST:ssdp:all" search query
if datastore['short']
# Short packet doesn't contain Host, MX and last \r\n
@msearch_probe = "M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\n"
2014-08-26 05:53:14 +00:00
else
@msearch_probe = "M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\nMX: 1\r\n\r\n"
2014-08-26 05:53:14 +00:00
end
end
def scanner_prescan(batch)
print_status("Sending SSDP ssdp:all M-SEARCH probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
2014-08-26 05:53:14 +00:00
@results = {}
end
def scan_host(ip)
if spoofed?
datastore['ScannerRecvWindow'] = 0
scanner_spoof_send(@msearch_probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
else
scanner_send(@msearch_probe, ip, datastore['RPORT'])
end
2014-08-26 05:53:14 +00:00
end
def scanner_process(data, shost, sport)
2014-08-26 09:03:32 +00:00
if data =~ /HTTP\/\d\.\d 200/
@results[shost] ||= []
@results[shost] << data
else
vprint_error("Skipping #{data.size}-byte non-SSDP response from #{shost}:#{sport}")
2014-08-26 09:03:32 +00:00
end
end
2014-08-26 05:53:14 +00:00
2014-08-26 09:03:32 +00:00
# Called after the scan block
def scanner_postscan(batch)
@results.keys.each do |k|
response_map = { @msearch_probe => @results[k] }
report_service(
2014-08-26 14:26:30 +00:00
host: k,
proto: 'udp',
port: datastore['RPORT'],
name: 'ssdp'
2014-08-26 09:03:32 +00:00
)
2014-08-26 05:53:14 +00:00
2014-08-26 09:03:32 +00:00
peer = "#{k}:#{datastore['RPORT']}"
vulnerable, proof = prove_amplification(response_map)
what = 'SSDP ssdp:all M-SEARCH amplification'
2014-08-26 09:03:32 +00:00
if vulnerable
print_good("#{peer} - Vulnerable to #{what}: #{proof}")
2014-08-26 14:26:30 +00:00
report_vuln(
host: k,
port: datastore['RPORT'],
proto: 'udp',
name: what,
refs: self.references
)
2014-08-26 09:03:32 +00:00
else
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
end
2014-08-26 05:53:14 +00:00
end
end
end