From 4d80e37741c001dd0ccb264689bfc0ad2c825a71 Mon Sep 17 00:00:00 2001
From: "Ewerson Guimaraes (Crash)"
Date: Thu, 18 Oct 2012 20:03:28 -0300
Subject: [PATCH] NTP Clock Variables Disclosure
---
modules/auxiliary/scanner/ntp/ntp_readvar.rb | 67 ++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 modules/auxiliary/scanner/ntp/ntp_readvar.rb
diff --git a/modules/auxiliary/scanner/ntp/ntp_readvar.rb b/modules/auxiliary/scanner/ntp/ntp_readvar.rb
new file mode 100644
index 0000000000..34cbd132f9
--- /dev/null
+++ b/modules/auxiliary/scanner/ntp/ntp_readvar.rb
@@ -0,0 +1,67 @@
+#####
+
+
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+
+ include Msf::Exploit::Remote::Udp
+ include Msf::Auxiliary::Report
+ include Msf::Auxiliary::Scanner
+
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'NTP Clock Variables Disclosure',
+ 'Description' => %q{
+ This module reads the system internal NTP variables. These variables contain potentially sensitive
+ information, such as the NTP software version, operating system version, peers, and more..
+ },
+ 'Author' => 'Ewerson Guimaraes(Crash) ',
+ 'License' => MSF_LICENSE,
+ 'Version' => '',
+ 'References' =>
+ [
+ ['URL','http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ],
+ ]
+ )
+ )
+ register_options(
+ [
+ Opt::RPORT(123)
+ ], self.class)
+ end
+
+ def run_host(ip)
+
+ connect_udp
+
+ readvar = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" #readvar command
+ print_status("Connecting target #{rhost}:#{rport}...")
+
+ print_status("Sending command")
+ udp_sock.put(readvar)
+ reply = udp_sock.recvfrom(65535, 0.1)
+ p_reply =( reply[0].split(","))
+ arr_count = 0
+ while ( arr_count < p_reply.size)
+ if arr_count == 0
+ print_good (p_reply[arr_count].slice(12,p_reply[arr_count].size)) #12 is the adjustment of packet garbage
+ arr_count = arr_count + 1
+ else
+ print_good (p_reply[arr_count].strip)
+ arr_count = arr_count + 1
+ end
+ end
+ disconnect_udp
+
+ end
+
+end
\ No newline at end of file
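Review bot: In `run_host` the datagram returned by `recvfrom` is parsed and reported with `print_good` without any check that it is an NTP control response, so a short or unrelated reply is shown as a finding, and `slice(12, …)` yields nil when the first field is under 12 bytes. The 0.1 second receive timeout will probably miss slower hosts without any message, and `disconnect_udp` is skipped if parsing raises. I would verify the length, mode and response opcode of the 12-byte header before splitting, replace non-printable bytes before printing server-controlled text to the console, and move the disconnect into an `ensure`. `Msf::Auxiliary::Report` is included but never used; if the result is meant to be stored, a report call belongs after the validation.

```ruby
  def run_host(ip)
    connect_udp
    # … unchanged: readvar packet and status messages …
    udp_sock.put(readvar)
    data = udp_sock.recvfrom(65535, 2)[0].to_s
    li_vn_mode, op = data.unpack('CC')

    # 12-byte control header: mode 6 in byte 0, response bit plus opcode 2 in byte 1
    unless data.length > 12 && (li_vn_mode & 0x07) == 6 && (op & 0x9f) == 0x82
      vprint_status("#{rhost}:#{rport} - no valid readvar response")
      return
    end

    data[12..-1].split(",").each do |var|
      # the text is server-controlled; keep control bytes off the console
      print_good(var.strip.gsub(/[^[:print:]]/, '.'))
    end
  ensure
    disconnect_udp
  end
```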