I recently needed to check for the NTP Reserved Mode Denial of Service vulnerability (CVE-2009-3563), but without causing the DoS condition on the production server. Using Metasploit’s auxiliary module auxiliary/dos/ntp/ntpd_reserved_dos was not an option, so I wrote my own Ruby script to assess the remote server. This script verifies the returned UDP packet content to determine the presence of the vulnerability and is shared below.
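#Author: Gursev Singh Kalra
require 'socket'

TIMEOUT = 5 # seconds to wait for a reply

if ARGV.count != 1
  puts "[-] Target host not provided. Usage: ntp.rb <target_server>"
  exit
end

target_server = ARGV[0]
target_port = 123
socket = nil
response = nil

begin
  # 8-byte probe. First octet 0x97 = response bit set, version 2, mode 7.
  # .b marks the literal as binary so it compares cleanly with received bytes.
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.open
  socket.send(test_string, 0, target_server, target_port)
  # Wait up to TIMEOUT seconds for a reply, then read at most 10 bytes.
  if IO.select([socket], nil, nil, TIMEOUT)
    response = socket.recvfrom(10)
  end
rescue IOError, SystemCallError, SocketError => ex
  puts ex.to_s
ensure
  socket.close if socket
end

# response[0] is the payload. A reply that carries the same 4-byte mode 7
# header is treated as the vulnerable behaviour.
if response && response[0].index("\x97\x00\x00\x00".b)
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end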
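
The script above reports "not vulnerable" both when the server answers with something else and when nothing comes back within the timeout. The following is an added example, not part of the original script, that classifies a reply offline and keeps those cases apart. The function names and the sample reply bytes are constructed for illustration; the bit layout assumed is the first octet of a mode 7 packet (response bit, more bit, 3-bit version, 3-bit mode).

```ruby
# Added example: classify a reply to the 8-byte probe without touching the network.
MODE7_HEADER = "\x97\x00\x00\x00".b # header the script above looks for

# Split the first octet into its bit fields (assumed mode 7 layout).
def decode_first_octet(packet)
  octet = packet.getbyte(0)
  {
    response: (octet & 0x80) != 0, # R bit
    more:     (octet & 0x40) != 0, # M bit
    version:  (octet >> 3) & 0x07,
    mode:     octet & 0x07
  }
end

# Returns a hash with :verdict set to :no_reply, :mode7_reply or :other_reply.
# :no_reply means a timeout or filtered port, which proves nothing either way.
def classify_reply(data)
  return { verdict: :no_reply, fields: nil } if data.nil? || data.empty?

  data = data.b # compare as raw bytes
  fields = decode_first_octet(data)
  # Stricter than the script's index() test: the header must start the packet.
  verdict = data.start_with?(MODE7_HEADER) ? :mode7_reply : :other_reply
  { verdict: verdict, fields: fields }
end

# Constructed sample replies (not captured traffic).
SAMPLES = {
  "mode 7 header echoed"  => "\x97\x00\x00\x00\x30\x00\x00\x00".b,
  "ordinary server reply" => "\x24\x02\x06\xEC\x00\x00\x00\x00".b,
  "timeout"               => nil
}.freeze

SAMPLES.each do |label, bytes|
  result = classify_reply(bytes)
  puts format("%-22s -> %-12s %s", label, result[:verdict], result[:fields].inspect)
end
```

Only :mode7_reply corresponds to the "[+] Vulnerable" branch of the script; :no_reply should be reported as inconclusive rather than as a clean result.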