Portmapper Amplification Scanner

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Auxiliary  include Msf::Auxiliary::Report  include Msf::Auxiliary::UDPScanner  include Msf::Auxiliary::DRDoS  def initialize    super(      'Name'        => 'Portmapper Amplification Scanner',      'Description' => %q{        This module can be used to discover Portmapper services which can be used in an        amplification DDoS attack against a third party.      },      'Author'      => ['xistence <xistence[at]0x90.nl>'],      'License'     => MSF_LICENSE,      'References'  =>        [          ['CVE', '2013-5211'], # see also scanner/ntp/ntp_monlist.rb          ['URL', 'https://www.cisa.gov/uscert/ncas/alerts/TA14-017A'],          ['URL', 'http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industry/']        ],    )    register_options( [      Opt::RPORT(111),    ])  end  def rport    datastore['RPORT']  end  def xid_summary    @xid_summary ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  end  def xid_dump    @xid_dump ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  end  def xid_metrics    @xid_metrics ||= [Rex::Text::rand_text_numeric(8).to_i].pack('N')  end  def setup    super    # RPC DUMP (Program version: 3) request: rpcinfo -T udp -s <IP>    @portmap_summary = ''    @portmap_summary << xid_summary # Random ID    @portmap_summary << "\x00\x00\x00\x00" # Message Type: 0 (Call)    @portmap_summary << "\x00\x00\x00\x02" # RPC Version: 2    @portmap_summary << "\x00\x01\x86\xa0" # Program: Portmap (10000)    @portmap_summary << "\x00\x00\x00\x03" # Program version: 3    @portmap_summary << "\x00\x00\x00\x04" # Procedure: DUMP (4)    @portmap_summary << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)    @portmap_summary << "\x00\x00\x00\x00" # Credentials Length: 0    @portmap_summary << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)    @portmap_summary << "\x00\x00\x00\x00" # Verifier Length: 0    # RPC DUMP (Program version: 2) request: rpcinfo -T udp -p <IP>    @portmap_dump = ''    @portmap_dump << xid_dump # Random ID    @portmap_dump << "\x00\x00\x00\x00" # Message Type: 0 (Call)    @portmap_dump << "\x00\x00\x00\x02" # RPC Version: 2    @portmap_dump << "\x00\x01\x86\xa0" # Program: Portmap (10000)    @portmap_dump << "\x00\x00\x00\x02" # Program version: 2    @portmap_dump << "\x00\x00\x00\x04" # Procedure: DUMP (4)    @portmap_dump << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)    @portmap_dump << "\x00\x00\x00\x00" # Credentials Length: 0    @portmap_dump << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)    @portmap_dump << "\x00\x00\x00\x00" # Verifier Length: 0    # RPC GETSTAT request: rpcinfo -T udp -m <IP>    @portmap_metrics = ''    @portmap_metrics << xid_metrics # Random ID    @portmap_metrics << "\x00\x00\x00\x00" # Message Type: 0 (Call)    @portmap_metrics << "\x00\x00\x00\x02" # RPC Version: 2    @portmap_metrics << "\x00\x01\x86\xa0" # Program: Portmap (10000)    @portmap_metrics << "\x00\x00\x00\x04" # Program version: 4    @portmap_metrics << "\x00\x00\x00\x0c" # Procedure: GETSTAT (12)    @portmap_metrics << "\x00\x00\x00\x00" # Credentials Flavor: AUTH_NULL (0)    @portmap_metrics << "\x00\x00\x00\x00" # Credentials Length: 0    @portmap_metrics << "\x00\x00\x00\x00" # Verifier Flavor: AUTH_NULL (0)    @portmap_metrics << "\x00\x00\x00\x00" # Verifier Length: 0  end  def scanner_prescan(batch)    print_status("Sending Portmap RPC probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")    @results_summary = {}    @results_dump = {}    @results_metrics = {}  end  def scan_host(ip)    if spoofed?      datastore['ScannerRecvWindow'] = 0      scanner_spoof_send(@portmap_summary, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])      scanner_spoof_send(@portmap_dump, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])      scanner_spoof_send(@portmap_metrics, ip, rport, datastore['SRCIP'], datastore['NUM_REQUESTS'])    else      scanner_send(@portmap_summary, ip, rport)      scanner_send(@portmap_dump, ip, rport)      scanner_send(@portmap_metrics, ip, rport)    end  end  def scanner_process(data, shost, sport)    if data =~ /#{@xid_summary}\x00\x00\x00\x01/      @results_summary[shost] ||= []      @results_summary[shost] << data    elsif data =~ /#{@xid_metrics}\x00\x00\x00\x01/      @results_metrics[shost] ||= []      @results_metrics[shost] << data    elsif data =~ /#{@xid_dump}\x00\x00\x00\x01/      @results_dump[shost] ||= []      @results_dump[shost] << data    else      vprint_error("Skipping #{data.size}-byte non-Portmap response from #{shost}:#{sport}")    end  end  # Called after the scan block  def scanner_postscan(batch)    @results_summary.keys.each do |k|      response_map_summary = { @portmap_summary => @results_summary[k] }      what = 'Portmap RPC DUMP (Program version: 3) amplification'      report_result(k, what, response_map_summary)    end    @results_dump.keys.each do |k|      response_map_dump = { @portmap_dump => @results_dump[k] }      what = 'Portmap RPC DUMP (Program version: 2) amplification'      report_result(k, what, response_map_dump)    end    @results_metrics.keys.each do |k|      response_map_metrics = { @portmap_summary => @results_metrics[k] }      what = 'Portmap RPC GETSTAT amplification'      report_result(k, what, response_map_metrics)    end  end  def report_result(host, attack, map)    report_service(      host: host,      proto: 'udp',      port: rport,      name: 'portmap'    )    peer = "#{host}:#{rport}"    vulnerable, proof = prove_amplification(map)    if vulnerable      print_good("#{peer} - Vulnerable to #{attack}: #{proof}")      report_vuln(        host: host,        port: rport,        proto: 'udp',        name: attack,        refs: references      )    else      vprint_status("#{peer} - Not vulnerable to #{attack}: #{proof}")    end  endend