Land rapid7#3841, @jabra-'s modifications to ssdp_amp to support spoofing

jhart-r7 · jhart-r7 · commit 259a36857731 · 2014-09-22T12:28:46.000-07:00
diff --git a/modules/auxiliary/scanner/upnp/ssdp_amp.rb b/modules/auxiliary/scanner/upnp/ssdp_amp.rb
@@ -7,6 +7,7 @@
 
 class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
+  include Msf::Exploit::Capture
   include Msf::Auxiliary::UDPScanner
   include Msf::Auxiliary::DRDoS
 
@@ -45,7 +46,12 @@ def scanner_prescan(batch)
   end
 
   def scan_host(ip)
-    scanner_send(@msearch_probe, ip, datastore['RPORT'])
+    if spoofed?
+      datastore['ScannerRecvWindow'] = 0
+      scanner_spoof_send(@msearch_probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
+    else
+      scanner_send(@msearch_probe, ip, datastore['RPORT'])
+    end
   end
 
   def scanner_process(data, shost, sport)
