Land #3705, xistence's UPNP SSDP M-SEARCH amplification scanner

2014-08-26 08:30:43 -07:00 · 2014-08-26 08:30:43 -07:00 · ff7e0f3c19
parent b3e898736f bb00c97f46
commit ff7e0f3c19
9 changed files with 102 additions and 13 deletions
--- a/lib/msf/core/auxiliary/drdos.rb
+++ b/lib/msf/core/auxiliary/drdos.rb
@ -8,7 +8,7 @@ module Msf
 ###
 module Auxiliary::DRDoS

-  def prove_drdos(response_map)
+  def prove_amplification(response_map)
    vulnerable = false
    proofs = []
    response_map.each do |request, responses|
@ -30,7 +30,8 @@ module Auxiliary::DRDoS
      bandwidth_amplification = total_size - request.size
      if bandwidth_amplification > 0
        vulnerable = true
-        this_proof += "a #{bandwidth_amplification}-byte bandwidth amplification"
+        multiplier = total_size / request.size
+        this_proof += "a #{multiplier}x, #{bandwidth_amplification}-byte bandwidth amplification"
      else
        this_proof += 'no bandwidth amplification'
      end
--- a/modules/auxiliary/scanner/ntp/ntp_monlist.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_monlist.rb
@ -123,7 +123,7 @@ class Metasploit3 < Msf::Auxiliary
        end
      end

-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'NTP Mode 7 monlist DRDoS (CVE-2013-5211)'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
      )

      peer = "#{k}:#{rport}"
-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'R7-2014-12 NTP Mode 7 PEER_LIST DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb
@ -64,7 +64,7 @@ class Metasploit3 < Msf::Auxiliary
      )

      peer = "#{k}:#{rport}"
-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'R7-2014-12 NTP Mode 7 PEER_LIST_SUM DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb
@ -67,7 +67,7 @@ class Metasploit3 < Msf::Auxiliary
      )

      peer = "#{k}:#{rport}"
-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'R7-2014-12 NTP Mode 6 REQ_NONCE DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb
@ -66,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
      )

      peer = "#{k}:#{rport}"
-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'R7-2014-12 NTP Mode 7 GET_RESTRICT DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
+++ b/modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb
@ -66,7 +66,7 @@ class Metasploit3 < Msf::Auxiliary
      )

      peer = "#{k}:#{rport}"
-      vulnerable, proof = prove_drdos(response_map)
+      vulnerable, proof = prove_amplification(response_map)
      what = 'R7-2014-12 NTP Mode 6 UNSETTRAP DRDoS'
      if vulnerable
        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
--- a/modules/auxiliary/scanner/upnp/ssdp_amp.rb
+++ b/modules/auxiliary/scanner/upnp/ssdp_amp.rb
@ -0,0 +1,88 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::UDPScanner
+  include Msf::Auxiliary::DRDoS
+
+  def initialize
+    super(
+      'Name'        => 'SSDP ssdp:all M-SEARCH Amplification Scanner',
+      'Description' => 'Discover SSDP amplification possibilities',
+      'Author'      => ['xistence <xistence[at]0x90.nl>'], # Original scanner module
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A']
+        ],
+    )
+
+    register_options([
+      Opt::RPORT(1900),
+      OptBool.new('SHORT', [ false, "Does a shorter request, for a higher amplifier, not compatible with all devices", false])
+    ], self.class)
+  end
+
+  def setup
+    super
+    # SSDP packet containing the "ST:ssdp:all" search query
+    if datastore['short']
+      # Short packet doesn't contain Host, MX and last \r\n
+      @msearch_probe = "M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\n"
+    else
+      @msearch_probe = "M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\nMX: 1\r\n\r\n"
+    end
+  end
+
+  def scanner_prescan(batch)
+    print_status("Sending SSDP ssdp:all M-SEARCH probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
+    @results = {}
+  end
+
+  def scan_host(ip)
+    scanner_send(@msearch_probe, ip, datastore['RPORT'])
+  end
+
+  def scanner_process(data, shost, sport)
+    if data =~ /HTTP\/\d\.\d 200/
+      @results[shost] ||= []
+      @results[shost] << data
+    else
+      vprint_error("Skipping #{data.size}-byte non-SSDP response from #{shost}:#{sport}")
+    end
+  end
+
+  # Called after the scan block
+  def scanner_postscan(batch)
+    @results.keys.each do |k|
+      response_map = { @msearch_probe => @results[k] }
+      report_service(
+        host: k,
+        proto: 'udp',
+        port: datastore['RPORT'],
+        name: 'ssdp'
+      )
+
+      peer = "#{k}:#{datastore['RPORT']}"
+      vulnerable, proof = prove_amplification(response_map)
+      what = 'SSDP ssdp:all M-SEARCH amplification'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln(
+          host: k,
+          port: datastore['RPORT'],
+          proto: 'udp',
+          name: what,
+          refs: self.references
+        )
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
+      end
+    end
+  end
+end
--- a/spec/lib/msf/core/auxiliary/drdos_spec.rb
+++ b/spec/lib/msf/core/auxiliary/drdos_spec.rb
@ -10,28 +10,28 @@ describe Msf::Auxiliary::DRDoS do
    mod
  end

-  describe '#prove_drdos' do
+  describe '#prove_amplification' do
    it 'should detect drdos when there is packet amplification only' do
      map = { 'foo' => [ 'a', 'b' ] }
-      result, _ = subject.prove_drdos(map)
+      result, _ = subject.prove_amplification(map)
      result.should be true
    end

    it 'should detect drdos when there is bandwidth amplification only' do
      map = { 'foo' => [ 'foofoo' ] }
-      result, _ = subject.prove_drdos(map)
+      result, _ = subject.prove_amplification(map)
      result.should be true
    end

    it 'should detect drdos when there is packet and bandwidth amplification' do
      map = { 'foo' => [ 'foofoo', 'a' ] }
-      result, _ = subject.prove_drdos(map)
+      result, _ = subject.prove_amplification(map)
      result.should be true
    end

    it 'should not detect drdos when there is no packet and no bandwidth amplification' do
      map = { 'foo' => [ 'foo' ] }
-      result, _ = subject.prove_drdos(map)
+      result, _ = subject.prove_amplification(map)
      result.should be false
    end
  end