2013-11-23 16:17:24 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-11-23 16:17:24 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
|
|
|
|
|
|
include Msf::Auxiliary::Scanner
|
2014-09-20 20:08:52 +00:00
|
|
|
include Msf::Exploit::Capture
|
2013-11-23 16:17:24 +00:00
|
|
|
include Msf::Auxiliary::Report
|
|
|
|
|
include Msf::Exploit::Remote::Udp
|
2014-09-20 20:08:52 +00:00
|
|
|
include Msf::Auxiliary::DRDoS
|
|
|
|
|
include Msf::Auxiliary::UDPScanner
|
2013-11-23 16:17:24 +00:00
|
|
|
|
|
|
|
|
def initialize
|
|
|
|
|
super(
|
2013-12-26 16:29:11 +00:00
|
|
|
'Name' => 'Chargen Probe Utility',
|
2013-11-23 16:17:24 +00:00
|
|
|
'Description' => %q{
|
|
|
|
|
Chargen is a debugging and measurement tool and a character
|
|
|
|
|
generator service. A character generator service simply sends
|
|
|
|
|
data without regard to the input.
|
|
|
|
|
Chargen is susceptible to spoofing the source of transmissions
|
|
|
|
|
as well as use in a reflection attack vector. The misuse of the
|
|
|
|
|
testing features of the Chargen service may allow attackers to
|
|
|
|
|
craft malicious network payloads and reflect them by spoofing
|
|
|
|
|
the transmission source to effectively direct it to a target.
|
|
|
|
|
This can result in traffic loops and service degradation with
|
|
|
|
|
large amounts of network traffic.
|
|
|
|
|
},
|
|
|
|
|
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2013-12-26 16:29:11 +00:00
|
|
|
[ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
|
2013-11-23 16:17:24 +00:00
|
|
|
[ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
|
|
|
|
|
[ 'URL', 'http://tools.ietf.org/html/rfc864' ],
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => 'Feb 08 1996')
|
|
|
|
|
|
|
|
|
|
register_options([
|
2013-12-20 15:10:15 +00:00
|
|
|
Opt::RPORT(19)
|
2013-11-23 16:17:24 +00:00
|
|
|
])
|
|
|
|
|
|
2013-12-14 18:41:31 +00:00
|
|
|
deregister_options('RHOST')
|
2013-11-23 16:17:24 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run_host(rhost)
|
2014-09-20 20:08:52 +00:00
|
|
|
data = Rex::Text.rand_text_alpha_lower(1)
|
|
|
|
|
if spoofed?
|
|
|
|
|
scanner_spoof_send(data, rhost, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
|
|
|
|
|
else
|
|
|
|
|
begin
|
|
|
|
|
connect_udp
|
|
|
|
|
udp_sock.write(data)
|
|
|
|
|
r = udp_sock.recvfrom(65535, 0.1)
|
2013-11-23 16:17:24 +00:00
|
|
|
|
2014-09-20 20:08:52 +00:00
|
|
|
if r and r[1]
|
|
|
|
|
vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
|
|
|
|
|
res = r[0].to_s.strip
|
|
|
|
|
if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
|
|
|
|
|
print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
|
|
|
|
|
report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
|
|
|
|
|
end
|
2013-11-23 16:17:24 +00:00
|
|
|
end
|
2014-09-20 20:08:52 +00:00
|
|
|
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
|
|
|
|
|
nil
|
|
|
|
|
ensure
|
|
|
|
|
disconnect_udp if self.udp_sock
|
2013-12-19 19:56:11 +00:00
|
|
|
end
|
2013-11-23 16:17:24 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
