
Commit 038d6d5

committed
Merge pull request #2 from todb-r7/simplify-chargen-detection
Add chargen to udp_probe and udp_sweep
2 parents d26303e + 2f34f84 commit 038d6d5


2 files changed

+35
-0
lines changed


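--- a/modules/auxiliary/scanner/discovery/udp_probe.rb
+++ b/modules/auxiliary/scanner/discovery/udp_probe.rb
@@ -204,6 +204,11 @@ def parse_reply(pkt)
 
 case pkt[2]
 
+when 19
+app = 'chargen'
+return unless chargen_parse(pkt[0])
+@results[hkey] = true
+
 when 53
 app = 'DNS'
 ver = nil
@@ -362,6 +367,13 @@ def db2disco_parse(data)
 "#{res[2]}_#{res[1]}"
 end
 
+#
+# Validate a chargen packet.
+#
+def chargen_parse(data)
+data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+end
+
 #
 # Validate this is truly Citrix ICA; returns true or false.
 #
@@ -397,6 +409,11 @@ def mssql_ping_parse(data)
 # The probe definitions
 #
 
+def probe_chargen(ip)
+pkt = Rex::Text.rand_text_alpha_lower(1)
+return [pkt, 19]
+end
+
 def probe_pkt_dns(ip)
 data = [rand(0xffff)].pack('n') +
 "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+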
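Review bot: The new `when 19` branch in parse_reply sets `app` but, unlike the `when 53` branch directly below it and the matching branch this commit adds to udp_sweep.rb, never sets `ver`; if the reporting code further down reads `ver` it silently sees nil here, so `ver = nil` after `app = 'chargen'` keeps the branches uniform. chargen_parse returns the match offset or nil rather than a boolean, whereas the neighbouring helper is documented as "returns true or false"; either coerce with `!!(data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i)` or state the contract in the header, e.g. `# Validate a chargen packet; returns the match offset, or nil when the payload lacks a full alphabet or digit run.` The pattern also requires the whole 26-letter or 10-digit run to be contiguous in the reply, so a response that wraps inside both runs would presumably be missed — worth confirming against a live chargen reply. parse_reply begins before the first hunk and continues past it, and `hkey` is assigned outside what is shown.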

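--- a/modules/auxiliary/scanner/discovery/udp_sweep.rb
+++ b/modules/auxiliary/scanner/discovery/udp_sweep.rb
@@ -153,6 +153,12 @@ def scanner_process(data, shost, sport)
 
 case sport
 
+when 19
+app = 'chargen'
+ver = nil
+return unless chargen_parse(data)
+@results[hkey] = true
+
 when 53
 app = 'DNS'
 ver = nil
@@ -306,6 +312,13 @@ def scanner_process(data, shost, sport)
 print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
 end
 
+#
+# Validate a chargen packet.
+#
+def chargen_parse(data)
+data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+end
+
 #
 # Parse a db2disco packet.
 #
@@ -349,6 +362,11 @@ def mssql_ping_parse(data)
 # The probe definitions
 #
 
+def probe_chargen(ip)
+pkt = Rex::Text.rand_text_alpha_lower(1)
+return [pkt, 19]
+end
+
 def probe_pkt_dns(ip)
 data = [rand(0xffff)].pack('n') +
 "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+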
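Review bot: chargen_parse and probe_chargen here are byte-for-byte copies of the helpers this commit adds to udp_probe.rb; if the two scanners already share a mixin for probe and parse helpers, these belong there so the detection regex cannot drift between the modules. In probe_chargen the explicit `return [pkt, 19]` is unnecessary — `[pkt, 19]` as the last expression is the idiomatic form, and the one-byte payload could be documented with `# Any single byte is enough to elicit a chargen response; the port is fixed at 19.` Whether probe_chargen is actually registered in the sweep's probe list is not visible in these hunks, so confirm that wiring exists or port 19 is never probed. scanner_process starts before the first hunk and its reporting tail sits outside the second.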
