Land rapid7#2681, @mcantoni and @todb-r7's support for chargen

Author: jvazquez-r7

modules/auxiliary/scanner/chargen/chargen_probe.rb

@@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::Udp
+
+  def initialize
+    super(
+      'Name'        => 'Identifies Open Chargen Service Checking The Answer.',
+      'Description' => %q{
+        Chargen is a debugging and measurement tool and a character
+        generator service. A character generator service simply sends
+        data without regard to the input.
+        Chargen is susceptible to spoofing the source of transmissions
+        as well as use in a reflection attack vector. The misuse of the
+        testing features of the Chargen service may allow attackers to
+        craft malicious network payloads and reflect them by spoofing
+        the transmission source to effectively direct it to a target.
+        This can result in traffic loops and service degradation with
+        large amounts of network traffic.
+      },
+      'Author'      => 'Matteo Cantoni <goony[at]nothink.org>',
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'CVE', '1999-0103' ],
+          [ 'URL', 'https://www.cert.be/pro/docs/chargensnmp-ddos-attacks-rise' ],
+          [ 'URL', 'http://tools.ietf.org/html/rfc864' ],
+        ],
+      'DisclosureDate' => 'Feb 08 1996')
+
+      register_options([
+        Opt::RPORT(19)
+      ])
+
+    deregister_options('RHOST')
+  end
+
+  def run_host(rhost)
+    begin
+      connect_udp
+      pkt = Rex::Text.rand_text_alpha_lower(1)
+      udp_sock.write(pkt)
+      r = udp_sock.recvfrom(65535, 0.1)
+
+      if r and r[1]
+        vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
+        res = r[0].to_s.strip
+        if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
+          print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
+          report_service(:host => rhost, :port => rport, :name => "chargen", :info => res.length)
+        end
+      end
+    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
+      nil
+    ensure
+      disconnect_udp if self.udp_sock
+    end
+  end
+end

modules/auxiliary/scanner/discovery/udp_probe.rb

@@ -46,6 +46,7 @@ def initialize
     @probes << 'probe_pkt_citrix'
     @probes << 'probe_pkt_pca_st'
     @probes << 'probe_pkt_pca_nq'
+    @probes << 'probe_chargen'
 
   end
 
@@ -204,6 +205,11 @@ def parse_reply(pkt)
 
     case pkt[2]
 
+      when 19
+        app = 'chargen'
+        return unless chargen_parse(pkt[0])
+        @results[hkey] = true
+
       when 53
         app = 'DNS'
         ver = nil
@@ -362,6 +368,13 @@ def db2disco_parse(data)
     "#{res[2]}_#{res[1]}"
   end
 
+  #
+  # Validate a chargen packet.
+  #
+  def chargen_parse(data)
+    data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+  end
+
   #
   # Validate this is truly Citrix ICA; returns true or false.
   #
@@ -397,6 +410,11 @@ def mssql_ping_parse(data)
   # The probe definitions
   #
 
+  def probe_chargen(ip)
+    pkt = Rex::Text.rand_text_alpha_lower(1)
+    return [pkt, 19]
+  end
+
   def probe_pkt_dns(ip)
     data = [rand(0xffff)].pack('n') +
     "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+

modules/auxiliary/scanner/discovery/udp_sweep.rb

@@ -41,6 +41,7 @@ def initialize
     @probes << 'probe_pkt_citrix'
     @probes << 'probe_pkt_pca_st'
     @probes << 'probe_pkt_pca_nq'
+    @probes << 'probe_chargen'
   end
 
   def setup
@@ -153,6 +154,12 @@ def scanner_process(data, shost, sport)
 
     case sport
 
+      when 19
+        app = 'chargen'
+        ver = nil
+        return unless chargen_parse(data)
+        @results[hkey] = true
+
       when 53
         app = 'DNS'
         ver = nil
@@ -306,6 +313,13 @@ def scanner_process(data, shost, sport)
     print_status("Discovered #{app} on #{shost}:#{sport} (#{inf})")
   end
 
+  #
+  # Validate a chargen packet.
+  #
+  def chargen_parse(data)
+    data =~ /ABCDEFGHIJKLMNOPQRSTUVWXYZ|0123456789/i
+  end
+
   #
   # Parse a db2disco packet.
   #
@@ -349,6 +363,11 @@ def mssql_ping_parse(data)
   # The probe definitions
   #
 
+  def probe_chargen(ip)
+    pkt = Rex::Text.rand_text_alpha_lower(1)
+    return [pkt, 19]
+  end
+
   def probe_pkt_dns(ip)
     data = [rand(0xffff)].pack('n') +
     "\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"+