##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Scanner that sends NTP mode 6 (control) READVAR requests to each target and
# records every datagram that comes back. Each host's responses are reported as
# an 'ntp' service and then handed to the DRDoS mixin, which decides from the
# request/response sizes whether the host amplifies traffic (CVE-2013-5211).
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::UDPScanner
  include Msf::Auxiliary::NTP
  include Msf::Auxiliary::DRDoS

  # @param info [Hash] metadata merged into this module's description
  def initialize(info = {})
    module_info = update_info(
      info,
      'Name' => 'NTP Clock Variables Disclosure',
      'Description' => %q{
        This module reads the system internal NTP variables. These variables contain
        potentially sensitive information, such as the NTP software version, operating
        system version, peers, and more.
      },
      'Author' => [
        'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>', # original Metasploit module
        'Jon Hart <jon_hart[at]rapid7.com>' # UDPScanner version for faster scans
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb
        [ 'URL', 'https://www.rapid7.com/db/vulnerabilities/ntp-clock-variables-disclosure/' ]
      ],
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
    super(module_info)
  end

  # UDPScanner callback for every datagram received during the scan window.
  # Parses the datagram as an NTP control message and appends it to the
  # sender's entry in @results (created on first sight of that host).
  #
  # @param data [String] raw UDP payload
  # @param shost [String] source address of the datagram
  # @param _sport [Integer] source port (unused)
  def scanner_process(data, shost, _sport)
    parsed = Rex::Proto::NTP::NTPControl.new.read(data)
    (@results[shost] ||= []) << parsed
  end

  # Sends the READVAR probe built in #scanner_prescan to one host.
  # When SRCIP spoofing is enabled (DRDoS mixin), the receive window is
  # zeroed first because replies go to the spoofed address, not to us.
  #
  # @param ip [String] target address
  def scan_host(ip)
    return scanner_send(@probe, ip, datastore['RPORT']) unless spoofed?

    datastore['ScannerRecvWindow'] = 0
    scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
  end

  # UDPScanner hook run once before a batch is scanned: resets the result
  # table and builds the mode 6 probe (operation 2 = READVAR) with the
  # configured NTP VERSION.
  #
  # @param batch [Array<String>] hosts in this batch
  def scanner_prescan(batch)
    @results = {}
    print_status("Sending NTP v2 READVAR probes to #{batch.first}->#{batch.last} (#{batch.size} hosts)")
    @probe = Rex::Proto::NTP::NTPControl.new.tap do |probe|
      probe.version = datastore['VERSION']
      probe.operation = 2
    end
  end

  # UDPScanner hook run once after a batch: records an 'ntp' service for
  # every responding host, then checks each for READVAR amplification.
  #
  # @param _batch [Array<String>] hosts in this batch (unused)
  def scanner_postscan(_batch)
    @results.each do |host, responses|
      report_readvar_service(host, responses)
      check_amplification(host, responses)
    end
  end

  private

  # Reports the host as an NTP service; the service info is the concatenated
  # raw READVAR payloads, trimmed to each message's declared payload_size.
  #
  # @param host [String] responding address
  # @param responses [Array<Rex::Proto::NTP::NTPControl>] parsed replies
  def report_readvar_service(host, responses)
    # TODO: check to see if any of the responses are actually NTP before reporting
    payloads = responses.map { |reply| reply.payload.slice(0, reply.payload_size) }
    report_service(
      host: host,
      proto: 'udp',
      port: rport,
      name: 'ntp',
      info: payloads.join.inspect
    )
  end

  # Asks the DRDoS mixin whether the probe/response sizes show amplification
  # and reports a vuln for the host when they do.
  #
  # @param host [String] responding address
  # @param responses [Array<Rex::Proto::NTP::NTPControl>] parsed replies
  def check_amplification(host, responses)
    peer = "#{host}:#{rport}"
    what = 'NTP Mode 6 READVAR DRDoS'
    vulnerable, proof = prove_amplification({ @probe => responses })

    unless vulnerable
      vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
      return
    end

    print_good("#{peer} - Vulnerable to #{what}: #{proof}")
    report_vuln(
      host: host,
      port: rport,
      proto: 'udp',
      name: what,
      refs: references
    )
  end
end