I recently needed to check an NTP Reserved Mode Denial of Service vulnerability, CVE-2009-3563, but without causing the DoS condition on the production server. Using Metasploit’s auxiliary module auxiliary/dos/ntp/ntpd_reserved_dos was not an option, so I wrote my own Ruby script to assess the remote server. This script verifies the returned UDP packet content to determine the presence of the vulnerability and is shared below.
```ruby
#Author: Gursev Singh Kalra
require 'socket'

TIMEOUT = 5

if(ARGV.count != 1)
  puts "[-] Target host not provided. Usage: ntp.rb <target_server>"
  exit
end

target_server = ARGV[0]   # ARGV is an array; the target is its first element
target_port = 123
socket = nil
response = nil

begin
  # NTP mode 7 (private mode) header; .b keeps it as raw bytes on Ruby 2.0+
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.open
  socket.send(test_string, 0, target_server, target_port)
  if select([socket], nil, nil, TIMEOUT)
    response, _sender = socket.recvfrom(10)   # recvfrom returns [data, addrinfo]
  end
rescue IOError, SocketError, SystemCallError => ex
  puts ex.to_s
ensure
  socket.close if(socket)
end

if(response && response.index("\x97\x00\x00\x00".b))
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end
```
Figure 1: Request capture in Wireshark
Figure 2: Response capture in Wireshark
Figure 3: Script in action
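To make the script's one-byte check readable, here is an added helper (not part of the original post) that decodes the 8-byte NTP mode 7 header as laid out in ntpd's ntp_request.h and applies the script's own "reply contains the probe header" rule to a reply; the reply bytes it runs on are constructed samples, not captures from a real server.

```ruby
# Added helper (not from the original post): decode the 8-byte NTP mode 7
# header (layout per ntpd's ntp_request.h) and apply the script's own
# "reply contains the probe header" test to a reply.
MODE7_HEADER_LEN = 8
# The probe the script sends: R=1, VN=2, mode=7 in the first byte
PROBE = "\x97\x00\x00\x00\xAA\x00\x00\x00".b

def decode_mode7_header(pkt)
  pkt = pkt.b
  if pkt.bytesize < MODE7_HEADER_LEN
    raise ArgumentError, "need #{MODE7_HEADER_LEN} bytes, got #{pkt.bytesize}"
  end
  b = pkt.bytes
  err_nitems   = (b[4] << 8) | b[5]
  mbz_itemsize = (b[6] << 8) | b[7]
  {
    response: ((b[0] >> 7) & 1) == 1,  # R bit: set on responses
    more:     ((b[0] >> 6) & 1) == 1,  # M bit: more packets follow
    version:  (b[0] >> 3) & 0x7,
    mode:     b[0] & 0x7,              # 7 = private (implementation-specific)
    auth:     ((b[1] >> 7) & 1) == 1,
    sequence: b[1] & 0x7f,
    implementation: b[2],
    request_code:   b[3],
    error:    err_nitems >> 12,        # 4-bit error code
    nitems:   err_nitems & 0xfff,      # 12-bit item count
    itemsize: mbz_itemsize & 0xfff     # 12-bit item size (top 4 bits must be zero)
  }
end

# Same decision rule as the script: a reply is flagged when it carries the
# first four bytes of the probe header; nil (no reply before the timeout)
# means the check found nothing.
def reply_flags_vulnerable?(reply, probe = PROBE)
  return false if reply.nil?
  !reply.b.index(probe[0, 4]).nil?
end

# Constructed sample (not a capture): a mode 7 response echoing the probe header
SAMPLE_REPLY = PROBE.dup
# Constructed sample of an ordinary NTP v4 server reply (first byte: LI=0, VN=4, mode=4)
SAMPLE_NTP_V4 = "\x24\x02\x03\xe8\x00\x00\x00\x00".b

puts decode_mode7_header(SAMPLE_REPLY).inspect
puts reply_flags_vulnerable?(SAMPLE_REPLY)   # true
puts reply_flags_vulnerable?(SAMPLE_NTP_V4)  # false
puts reply_flags_vulnerable?(nil)            # false
```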