ntp monlist DDoS

b1tninja · Jan 23, 2014 · eba481f · eba481f
1 parent 9219192
commit eba481f
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 5 deletions.
diff --git a/src/proto-ntp.c b/src/proto-ntp.c
@@ -101,11 +101,16 @@ ntp_modlist_parse(const unsigned char *px,
 {
     unsigned offset = 4;
     unsigned errcode;
+    unsigned record_count;
+    unsigned record_size;
 
-    if (offset + 1 >= length)
+    if (offset + 4 >= length)
         return;
 
     errcode = (px[offset]>>4)&0xF;
+    record_count = (px[offset+0]&0xF) << 8 | px[offset+1];
+    record_size = (px[offset+2]&0xF) << 8 | px[offset+3];
+
     if (errcode) {
         char foo[12];
         const char *errmsg = val2string_lookup(error_codes, errcode);
@@ -118,7 +123,27 @@ ntp_modlist_parse(const unsigned char *px,
         banout_append(banout, PROTO_NTP, errmsg, ~0);
         banout_append(banout, PROTO_NTP, "\"", ~0);
         return;
-    }    
+    }
+
+    if (4 + record_count * record_size > length) {
+        banout_append(banout, PROTO_NTP, "response-too-big", ~0);
+        return;
+    }
+    if (record_count * record_size > 500) {
+        banout_append(banout, PROTO_NTP, "response-too-big", ~0);
+        return;
+    }
+
+    offset += 4;
+
+    {
+        char msg[128];
+
+        sprintf_s(msg, sizeof(msg), " response-size=%u-bytes more=%s",
+            record_count * record_size, ((px[0]>>6)&1)?"true":"false");
+
+        banout_append(banout, PROTO_NTP, msg, ~0);
+    }
 }
 
 /*****************************************************************************
@@ -177,11 +202,11 @@ ntp_v2_parse(const unsigned char *px,
     is_more = (px[0]>>6)&1;
 
     /* Validate: this is version 2 */
-    if (((px[0]>>3)&3) != 2)
+    if (((px[0]>>3)&7) != 2)
         return;
 
     /* Extract: mode */
-    mode = px[0] & 3;
+    mode = px[0] & 7;
     switch (mode) {
         case 6: /* control */
             break;
@@ -208,6 +233,7 @@ ntp_handle_response(struct Output *out, time_t timestamp,
     unsigned ip_me;
     unsigned request_id = 0;
     struct BannerOutput banout[1];
+    unsigned offset = parsed->app_offset;
 
     UNUSEDPARM(length);
 
@@ -219,7 +245,7 @@ ntp_handle_response(struct Output *out, time_t timestamp,
     banout_init(banout);
 
     /* Parse the packet */
-    switch ((px[1]&0x38)>>3) {
+    switch ((px[offset]>>3)&7) {
         case 2:
             ntp_v2_parse(
                px + parsed->app_offset,    /* incoming  response */

diff --git a/vs10/masscan.vcxproj b/vs10/masscan.vcxproj
@@ -41,6 +41,7 @@
     <ClCompile Include="..\src\proto-http.c" />
     <ClCompile Include="..\src\proto-icmp.c" />
     <ClCompile Include="..\src\proto-netbios.c" />
+    <ClCompile Include="..\src\proto-ntp.c" />
     <ClCompile Include="..\src\proto-sctp.c" />
     <ClCompile Include="..\src\proto-snmp.c" />
     <ClCompile Include="..\src\proto-ssh.c" />
@@ -75,6 +76,8 @@
     <ClCompile Include="..\src\rawsock-pfring.c" />
     <ClCompile Include="..\src\rawsock.c" />
     <ClCompile Include="..\src\rte-ring.c" />
+    <ClCompile Include="..\src\script-ntp-monlist.c" />
+    <ClCompile Include="..\src\script.c" />
     <ClCompile Include="..\src\siphash24.c" />
     <ClCompile Include="..\src\smack1.c" />
     <ClCompile Include="..\src\smackqueue.c" />
@@ -114,6 +117,7 @@
     <ClInclude Include="..\src\proto-http.h" />
     <ClInclude Include="..\src\proto-icmp.h" />
     <ClInclude Include="..\src\proto-netbios.h" />
+    <ClInclude Include="..\src\proto-ntp.h" />
     <ClInclude Include="..\src\proto-preprocess.h" />
     <ClInclude Include="..\src\proto-sctp.h" />
     <ClInclude Include="..\src\proto-snmp.h" />
@@ -132,6 +136,7 @@
     <ClInclude Include="..\src\rawsock-pfring.h" />
     <ClInclude Include="..\src\rawsock.h" />
     <ClInclude Include="..\src\rte-ring.h" />
+    <ClInclude Include="..\src\script.h" />
     <ClInclude Include="..\src\siphash24.h" />
     <ClInclude Include="..\src\smack.h" />
     <ClInclude Include="..\src\smackqueue.h" />

diff --git a/vs10/masscan.vcxproj.filters b/vs10/masscan.vcxproj.filters
@@ -31,6 +31,9 @@
     <Filter Include="Source Files\pixie">
       <UniqueIdentifier>{cbd42363-ae71-4e2d-9633-0cb518d5e447}</UniqueIdentifier>
     </Filter>
+    <Filter Include="Source Files\scripts">
+      <UniqueIdentifier>{ba03c2ec-de65-4581-bef1-8e24f95a8580}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\src\proto-banner1.c">
@@ -225,6 +228,15 @@
     <ClCompile Include="..\src\out-grepable.c">
       <Filter>Source Files\output</Filter>
     </ClCompile>
+    <ClCompile Include="..\src\script.c">
+      <Filter>Source Files\scripts</Filter>
+    </ClCompile>
+    <ClCompile Include="..\src\script-ntp-monlist.c">
+      <Filter>Source Files\scripts</Filter>
+    </ClCompile>
+    <ClCompile Include="..\src\proto-ntp.c">
+      <Filter>Source Files\proto</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\src\proto-arp.h">
@@ -392,6 +404,12 @@
     <ClInclude Include="..\src\masscan-version.h">
       <Filter>Source Files</Filter>
     </ClInclude>
+    <ClInclude Include="..\src\script.h">
+      <Filter>Source Files\scripts</Filter>
+    </ClInclude>
+    <ClInclude Include="..\src\proto-ntp.h">
+      <Filter>Source Files\proto</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <None Include="..\README.md" />