Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Scanner
8
  include Msf::Exploit::Capture
9
  include Msf::Auxiliary::Report
10
  include Msf::Exploit::Remote::Udp
11
  include Msf::Auxiliary::DRDoS
12
  include Msf::Auxiliary::UDPScanner
13

14
  def initialize
15
    super(
16
      'Name'        => 'Chargen Probe Utility',
17
      'Description' => %q{
18
        Chargen is a debugging and measurement tool and a character
19
        generator service. A character generator service simply sends
20
        data without regard to the input.
21
        Chargen is susceptible to spoofing the source of transmissions
22
        as well as use in a reflection attack vector. The misuse of the
23
        testing features of the Chargen service may allow attackers to
24
        craft malicious network payloads and reflect them by spoofing
25
        the transmission source to effectively direct it to a target.
26
        This can result in traffic loops and service degradation with
27
        large amounts of network traffic.
28
      },
29
      'Author'      => 'Matteo Cantoni <goony[at]nothink.org>',
30
      'License'     => MSF_LICENSE,
31
      'References'  =>
32
        [
33
          [ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
34
          [ 'URL', 'http://tools.ietf.org/html/rfc864' ]
35
        ],
36
      'DisclosureDate' => 'Feb 08 1996')
37

38
      register_options([
39
        Opt::RPORT(19)
40
      ])
41
  end
42

43
  def run_host(rhost)
44
    data = Rex::Text.rand_text_alpha_lower(1)
45
    if spoofed?
46
      scanner_spoof_send(data, rhost, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
47
    else
48
      begin
49
        connect_udp
50
        udp_sock.write(data)
51
        r = udp_sock.recvfrom(65535, 0.1)
52

53
        if r and r[1]
54
          vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
55
          res = r[0].to_s.strip
56
          if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
57
            print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
58
            report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
59
          end
60
        end
61
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
62
        nil
63
      ensure
64
        disconnect_udp if self.udp_sock
65
      end
66
    end
67
  end
68
end
69

70