Land rapid7#3696, pile of NTP DRDoS 0days

Dr. DoS in da house?

Author: wvu

lib/msf/core/auxiliary/drdos.rb

@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+module Msf
+
+###
+#
+# This module provides methods for Distributed Reflective Denial of Service (DRDoS) attacks
+#
+###
+module Auxiliary::DRDoS
+
+  def prove_drdos(response_map)
+    vulnerable = false
+    proofs = []
+    response_map.each do |request, responses|
+      responses ||= []
+      this_proof = ''
+
+      # compute packet amplification
+      if responses.size > 1
+        vulnerable = true
+        this_proof += "#{responses.size}x packet amplification"
+      else
+        this_proof += 'No packet amplification'
+      end
+
+      this_proof += ' and '
+
+      # compute bandwidth amplification
+      total_size = responses.map(&:size).reduce(:+)
+      bandwidth_amplification = total_size - request.size
+      if bandwidth_amplification > 0
+        vulnerable = true
+        this_proof += "a #{bandwidth_amplification}-byte bandwidth amplification"
+      else
+        this_proof += 'no bandwidth amplification'
+      end
+
+      # TODO (maybe): show the request and responses in more detail?
+      proofs << this_proof
+    end
+
+    [ vulnerable, proofs.join(', ') ]
+  end
+
+end
+end

lib/msf/core/auxiliary/mixins.rb

@@ -5,6 +5,7 @@
 #
 require 'msf/core/auxiliary/auth_brute'
 require 'msf/core/auxiliary/dos'
+require 'msf/core/auxiliary/drdos'
 require 'msf/core/auxiliary/fuzzer'
 require 'msf/core/auxiliary/report'
 require 'msf/core/auxiliary/scanner'
@@ -20,4 +21,5 @@
 require 'msf/core/auxiliary/cisco'
 require 'msf/core/auxiliary/nmap'
 require 'msf/core/auxiliary/iax2'
+require 'msf/core/auxiliary/ntp'
 require 'msf/core/auxiliary/pii'

lib/msf/core/auxiliary/ntp.rb

@@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+require 'rex/proto/ntp'
+
+module Msf
+
+###
+#
+# This module provides methods for working with NTP
+#
+###
+module Auxiliary::NTP
+
+  include Auxiliary::Scanner
+
+  #
+  # Initializes an instance of an auxiliary module that uses NTP
+  #
+
+  def initialize(info = {})
+    super
+    register_options(
+    [
+      Opt::RPORT(123),
+    ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('VERSION', [true, 'Use this NTP version', 2]),
+        OptInt.new('IMPLEMENTATION', [true, 'Use this NTP mode 7 implementation', 3])
+      ], self.class)
+  end
+end
+end

lib/rex/proto/ntp/modes.rb

@@ -101,7 +101,7 @@ def self.ntp_control(version, operation, payload = nil)
       n.payload_size = payload.size
       n.payload = payload
     end
-    n.to_s
+    n
   end
 
   def self.ntp_private(version, implementation, request_code, payload = nil)
@@ -110,14 +110,14 @@ def self.ntp_private(version, implementation, request_code, payload = nil)
     n.implementation = implementation
     n.request_code = request_code
     n.payload = payload if payload
-    n.to_s
+    n
   end
 
   def self.ntp_generic(version, mode)
     n = NTPGeneric.new
     n.version = version
     n.mode = mode
-    n.to_s
+    n
   end
 
   # Parses the given message and provides a description about the NTP message inside

modules/auxiliary/scanner/ntp/ntp_monlist.rb

@@ -8,7 +8,10 @@
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Auxiliary::Report
-  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::UDPScanner
+  include Msf::Auxiliary::NTP
+  include Msf::Auxiliary::DRDoS
 
   def initialize
     super(
@@ -33,10 +36,7 @@ def initialize
 
     register_options(
     [
-      Opt::RPORT(123),
-      Opt::CHOST,
       OptInt.new('RETRY', [false, "Number of tries to query the NTP server", 3]),
-      OptInt.new('BATCHSIZE', [true, 'The number of hosts to probe in each set', 256]),
       OptBool.new('SHOW_LIST', [false, 'Show the recent clients list', 'false'])
     ], self.class)
 
@@ -46,134 +46,112 @@ def initialize
     ], self.class)
   end
 
-  # Define our batch size
-  def run_batch_size
-    datastore['BATCHSIZE'].to_i
+  # Called for each IP in the batch
+  def scan_host(ip)
+    scanner_send(@probe, ip, datastore['RPORT'])
   end
 
-  # Fingerprint a single host
-  def run_batch(batch)
+  # Called for each response packet
+  def scanner_process(data, shost, sport)
+    @results[shost] ||= { messages: [], peers: [] }
+    @results[shost][:messages] << Rex::Proto::NTP::NTPPrivate.new(data)
+    @results[shost][:peers] << extract_peer_tuples(data)
+  end
 
+  # Called before the scan block
+  def scanner_prescan(batch)
     @results = {}
     @aliases = {}
+    @probe = Rex::Proto::NTP.ntp_private(datastore['VERSION'], datastore['IMPLEMENTATION'], 42)
+  end
 
-    vprint_status("Sending probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
-
-    begin
-      udp_sock = nil
-      idx = 0
-
-      # Create an unbound UDP socket if no CHOST is specified, otherwise
-      # create a UDP socket bound to CHOST (in order to avail of pivoting)
-      udp_sock = Rex::Socket::Udp.create({
-        'LocalHost' => datastore['CHOST'] || nil,
-        'Context'   => {'Msf' => framework, 'MsfExploit' => self}
-      })
-      add_socket(udp_sock)
-
-      # Try more times since NTP servers can be a bit busy
-      1.upto(datastore['RETRY'].to_i) do
-        batch.each do |ip|
-          next if @results[ip]
-
-          begin
-            data = probe_pkt_ntp
-            udp_sock.sendto(data, ip, datastore['RPORT'].to_i, 0)
-          rescue ::Interrupt
-            raise $!
-          rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-            nil
-          end
-
-          if (idx % 30 == 0)
-            while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
-              parse_reply(r)
-            end
-          end
-
-          idx += 1
-        end
-      end
-
-      while (r = udp_sock.recvfrom(65535, 10) and r[1])
-        parse_reply(r)
-      end
-
-    rescue ::Interrupt
-      raise $!
-    rescue ::Exception => e
-      print_error("Unknown error: #{e.class} #{e}")
-    end
-
+  # Called after the scan block
+  def scanner_postscan(batch)
     @results.keys.each do |k|
+      response_map = { @probe => @results[k][:messages] }
+      peer = "#{k}:#{rport}"
 
+      # TODO: check to see if any of the responses are actually NTP before reporting
       report_service(
         :host  => k,
         :proto => 'udp',
-        :port  => datastore['RPORT'].to_i,
+        :port  => rport,
         :name  => 'ntp'
       )
 
-      report_note(
-        :host  => k,
-        :proto => 'udp',
-        :port  => datastore['RPORT'].to_i,
-        :type  => 'ntp.monlist',
-        :data  => {:monlist => @results[k]}
-      )
-
-      if (@aliases[k] and @aliases[k].keys[0] != k)
-        print_good("#{k}:#{datastore['RPORT'].to_i} NTP monlist request permitted (#{@results[k].length} entries)")
+      peers = @results[k][:peers].flatten(1)
+      unless peers.empty?
+        print_good("#{peer} NTP monlist request permitted (#{peers.length} entries)")
+        # store the peers found from the monlist
+        report_note(
+          :host  => k,
+          :proto => 'udp',
+          :port  => rport,
+          :type  => 'ntp.monlist',
+          :data  => {:monlist => peers}
+        )
+        # print out peers if desired
+        if datastore['SHOW_LIST']
+          peers.each do |ntp_peer|
+            print_status("#{peer} #{ntp_peer}")
+          end
+        end
+        # store any aliases for our target
         report_note(
           :host  => k,
           :proto => 'udp',
-          :port  => datastore['RPORT'].to_i,
+          :port  => rport,
           :type  => 'ntp.addresses',
-          :data  => {:addresses => @aliases[k].keys}
+          :data  => {:addresses => peers.map { |p| p.last }.sort.uniq }
         )
-      end
 
-      if (datastore['StoreNTPClients'])
-        print_status("#{k} Storing #{@results[k].length} NTP client hosts in the database...")
-        @results[k].each do |r|
-          maddr,mport,mserv = r
-          report_note(
-            :host => maddr,
-            :type => 'ntp.client.history',
-            :data => {
-              :address => maddr,
-              :port    => mport,
-              :server  => mserv
-            }
-          )
+        if (datastore['StoreNTPClients'])
+          print_status("#{peer} Storing #{peers.length} NTP client hosts in the database...")
+          peers.each do |r|
+            maddr,mport,mserv = r
+            next if maddr == '127.0.0.1' # some NTP servers peer with themselves..., but we can't store loopback
+            report_note(
+              :host => maddr,
+              :type => 'ntp.client.history',
+              :data => {
+                :address => maddr,
+                :port    => mport,
+                :server  => mserv
+              }
+            )
+          end
         end
       end
-    end
-
-  end
-
-  def parse_reply(pkt)
 
-    # Ignore "empty" packets
-    return if not pkt[1]
-
-    if(pkt[1] =~ /^::ffff:/)
-      pkt[1] = pkt[1].sub(/^::ffff:/, '')
+      vulnerable, proof = prove_drdos(response_map)
+      what = 'NTP Mode 7 monlist DRDoS (CVE-2013-5211)'
+      if vulnerable
+        print_good("#{peer} - Vulnerable to #{what}: #{proof}")
+        report_vuln({
+          :host  => k,
+          :port  => rport,
+          :proto => 'udp',
+          :name  => what,
+          :refs  => self.references
+        })
+      else
+        vprint_status("#{peer} - Not vulnerable to #{what}: #{proof}")
+      end
     end
 
-    data = pkt[0]
-    host = pkt[1]
-    port = pkt[2]
+  end
 
-    return if pkt[0].length < (72 + 16)
+  # Examine the monlist reponse +data+ and extract all peer tuples (saddd, dport, daddr)
+  def extract_peer_tuples(data)
+    return [] if data.length < 76
 
     # NTP headers 8 bytes
     ntp_flags, ntp_auth, ntp_vers, ntp_code = data.slice!(0,4).unpack('C*')
-    vprint_status("#{host}:#{port} - ntp_auth: #{ntp_auth}, ntp_vers: #{ntp_vers}")
     pcnt, plen = data.slice!(0,4).unpack('nn')
-    return if plen != 72
+    return [] if plen != 72
 
     idx = 0
+    peer_tuples = []
     1.upto(pcnt) do
       #u_int32 firsttime; /* first time we received a packet */
       #u_int32 lasttime;  /* last packet from this host */
@@ -184,21 +162,11 @@ def parse_reply(pkt)
       #u_int32 flags;     /* flags about destination */
       #u_short port;      /* port number of last reception */
 
-      firsttime,lasttime,restr,count,saddr,daddr,flags,dport = data[idx, 30].unpack("NNNNNNNn")
+      _,_,_,_,saddr,daddr,_,dport = data[idx, 30].unpack("NNNNNNNn")
 
-      @results[host] ||= []
-      @aliases[host] ||= {}
-      @results[host] << [ Rex::Socket.addr_itoa(daddr), dport, Rex::Socket.addr_itoa(saddr) ]
-      @aliases[host][Rex::Socket.addr_itoa(saddr)] = true
-      if datastore['SHOW_LIST']
-        print_status("#{host}:#{port} #{Rex::Socket.addr_itoa(saddr)} (lst: #{lasttime}sec., cnt: #{count})")
-      end
+      peer_tuples << [ Rex::Socket.addr_itoa(saddr), dport, Rex::Socket.addr_itoa(daddr) ]
       idx += plen
     end
+    peer_tuples
   end
-
-  def probe_pkt_ntp
-    "\x17\x00\x03\x2a" + "\x00" * 188
-  end
-
 end