95 lines
2.8 KiB
Ruby
95 lines
2.8 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
include Msf::Auxiliary::Report
|
|
include Msf::Exploit::Capture
|
|
include Msf::Auxiliary::UDPScanner
|
|
include Msf::Auxiliary::DRDoS
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'SSDP ssdp:all M-SEARCH Amplification Scanner',
|
|
'Description' => 'Discover SSDP amplification possibilities',
|
|
'Author' => ['xistence <xistence[at]0x90.nl>'], # Original scanner module
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['URL', 'https://www.us-cert.gov/ncas/alerts/TA14-017A']
|
|
],
|
|
)
|
|
|
|
register_options([
|
|
Opt::RPORT(1900),
|
|
OptBool.new('SHORT', [ false, "Does a shorter request, for a higher amplifier, not compatible with all devices", false])
|
|
], self.class)
|
|
end
|
|
|
|
def setup
|
|
super
|
|
# SSDP packet containing the "ST:ssdp:all" search query
|
|
if datastore['short']
|
|
# Short packet doesn't contain Host, MX and last \r\n
|
|
@msearch_probe = "M-SEARCH * HTTP/1.1\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\n"
|
|
else
|
|
@msearch_probe = "M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\nST: ssdp:all\r\nMan: \"ssdp:discover\"\r\nMX: 1\r\n\r\n"
|
|
end
|
|
end
|
|
|
|
def scanner_prescan(batch)
|
|
print_status("Sending SSDP ssdp:all M-SEARCH probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
|
|
@results = {}
|
|
end
|
|
|
|
def scan_host(ip)
|
|
if spoofed?
|
|
datastore['ScannerRecvWindow'] = 0
|
|
scanner_spoof_send(@msearch_probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
|
|
else
|
|
scanner_send(@msearch_probe, ip, datastore['RPORT'])
|
|
end
|
|
end
|
|
|
|
def scanner_process(data, shost, sport)
|
|
if data =~ /HTTP\/\d\.\d 200/
|
|
@results[shost] ||= []
|
|
@results[shost] << data
|
|
else
|
|
vprint_error("Skipping #{data.size}-byte non-SSDP response from #{shost}:#{sport}")
|
|
end
|
|
end
|
|
|
|
# Called after the scan block
|
|
def scanner_postscan(batch)
|
|
@results.keys.each do |k|
|
|
response_map = { @msearch_probe => @results[k] }
|
|
report_service(
|
|
host: k,
|
|
proto: 'udp',
|
|
port: datastore['RPORT'],
|
|
name: 'ssdp'
|
|
)
|
|
|
|
peer = "#{k}:#{datastore['RPORT']}"
|
|
vulnerable, proof = prove_amplification(response_map)
|
|
what = 'SSDP ssdp:all M-SEARCH amplification'
|
|
if vulnerable
|
|
print_good("#{peer} - Vulnerable to #{what}: #{proof}")
|
|
report_vuln(
|
|
host: k,
|
|
port: datastore['RPORT'],
|
|
proto: 'udp',
|
|
name: what,
|
|
refs: self.references
|
|
)
|
|
else
|
|
vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
|
|
end
|
|
end
|
|
end
|
|
end
|