rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/scanner/chargen/chargen_probe.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
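# Auxiliary scanner that probes a host's UDP chargen service (RFC 864) and
# records the service when the reply looks like character-generator output.
#
# Defensive reading of a hit: the host answers unsolicited UDP on the chargen
# port and can therefore be abused as a reflector. The usual remediation is to
# disable the service or filter the port at the network edge.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::DRDoS
  include Msf::Auxiliary::UDPScanner

  # Registers the module metadata and defaults RPORT to 19, the chargen port.
  def initialize
    super(
      'Name' => 'Chargen Probe Utility',
      'Description' => %q{
        Chargen is a debugging and measurement tool and a character
        generator service. A character generator service simply sends
        data without regard to the input.
        Chargen is susceptible to spoofing the source of transmissions
        as well as use in a reflection attack vector. The misuse of the
        testing features of the Chargen service may allow attackers to
        craft malicious network payloads and reflect them by spoofing
        the transmission source to effectively direct it to a target.
        This can result in traffic loops and service degradation with
        large amounts of network traffic.
      },
      'Author' => 'Matteo Cantoni <goony[at]nothink.org>',
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '1999-0103' ], # Note, does not actually trigger a flood.
        [ 'URL', 'http://tools.ietf.org/html/rfc864' ]
      ],
      'DisclosureDate' => 'Feb 08 1996',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      Opt::RPORT(19)
    ])
  end

  # Probes one host with a single random lowercase letter.
  #
  # In the non-spoofed path the reply is read with a short timeout and, if it
  # contains the alphabet or digit run typical of chargen output, the service
  # is printed and stored via report_service.
  #
  # @param rhost [String] address of the host being scanned
  # @return [void]
  def run_host(rhost)
    data = Rex::Text.rand_text_alpha_lower(1)
    if spoofed?
      # spoofed?, scanner_spoof_send and the SRCIP / NUM_REQUESTS options are
      # not defined in this file; presumably they come from the included
      # mixins -- confirm against Msf::Auxiliary::DRDoS / Msf::Exploit::Capture.
      scanner_spoof_send(data, rhost, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
    else
      begin
        connect_udp
        udp_sock.write(data)
        # Second argument is the receive timeout (presumably seconds), kept
        # short so that silent hosts do not stall the scan.
        r = udp_sock.recvfrom(65535, 0.1)

        if r && r[1]
          # The reply is attacker-controllable network data. inspect escapes
          # control bytes, so a hostile responder cannot push terminal escape
          # sequences into the operator's console or logs.
          vprint_status("#{rhost}:#{rport} - Response: #{r[0].inspect}")
          res = r[0].to_s.strip
          # Match the alphabet or digit run that chargen output contains.
          if res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/)
            # NOTE(review): res is the whitespace-stripped reply, so the count
            # below appears to cover the UDP payload only, not the headers
            # that the message mentions.
            print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
            report_service(host: rhost, port: rport, proto: 'udp', name: 'chargen', info: res.length)
          end
        end
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
        # Best effort: unreachable or refusing hosts are skipped silently.
        nil
      ensure
        disconnect_udp if udp_sock
      end
    end
  end
end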