Fix ntp_nak_to_the_future #19749

Open · wants to merge 3 commits into base: master
Conversation

zeroSteiner (Contributor) commented Dec 19, 2024

This fixes the auxiliary/scanner/ntp/ntp_nak_to_the_future module which was broken in commit 5f88971 (landed in #8185). The issue was that when the BinData::Record instance is sent with the socket, the string representation of it was used instead of the packed binary. It should be calling #to_binary_s. This PR fixes the issue and documents how the module can be tested.

This was the only module that used the NTPSymmetric definition and it's been converted to instead use the new NTPHeader definition which adds more natural handling for NTPTimestamp and NTPShort fields. The NTPHeader definition was originally written for #19748 and these two PRs share common commits in their history for the new definition.

Other NTP modules could be broken and have not been tested. NTPSymmetric had the most overlap with the definition needed for timeroast, so that was the only one that was thoroughly reviewed.

Verification

  • Use the Dockerfile included in the module docs to start a vulnerable instance of the application
    • Build it with: docker build -t ntpd:4.2.8p3 .
    • Run it with: docker run --rm -it --name ntp-server -p 123:123/udp ntpd:4.2.8p3
  • Start msfconsole and use the module
  • Set the RHOSTS value as necessary
  • Run the module and see that the target is vulnerable

Demo

metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
[+] 192.168.159.128:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 1 of 2 hosts (50% complete)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) >
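The to_s versus to_binary_s mix-up described in the PR, illustrated with an added example that is not from the PR or from the Metasploit code base: a plain-Ruby NTP header with the RFC 5905 field layout (NTPShort 16.16 and NTPTimestamp 32.32 fields). The Struct, its field names and the valid_ntp_wire? helper are assumptions made for this example, not Metasploit's NTPHeader definition.

```ruby
# Added example, not code from the PR or from Metasploit: a plain-Ruby NTP
# header (RFC 5905 layout) whose #to_binary_s mirrors BinData's, showing
# why sending #to_s instead of #to_binary_s puts a text dump on the wire.
NTP_UNIX_OFFSET = 2_208_988_800 # seconds from 1900-01-01 to the Unix epoch

# NTPTimestamp: 32-bit seconds since 1900 + 32-bit fraction (Unix floats here).
def pack_ntp_timestamp(unix_time)
  whole = unix_time.floor
  [whole + NTP_UNIX_OFFSET, ((unix_time - whole) * 2**32).floor].pack('NN')
end

def unpack_ntp_timestamp(bytes)
  secs, frac = bytes.unpack('NN')
  secs - NTP_UNIX_OFFSET + frac.fdiv(2**32)
end

# NTPShort: 16-bit seconds + 16-bit fraction (root delay, root dispersion).
def pack_ntp_short(seconds)
  whole = seconds.floor
  [whole, ((seconds - whole) * 2**16).floor].pack('nn')
end

NTPHeader = Struct.new(:li, :vn, :mode, :stratum, :poll, :precision,
                       :root_delay, :root_dispersion, :reference_id,
                       :reference_ts, :origin_ts, :receive_ts, :transmit_ts) do
  # Packed 48-byte wire form, the analogue of BinData's #to_binary_s.
  def to_binary_s
    flags = ((li & 3) << 6) | ((vn & 7) << 3) | (mode & 7)
    [flags, stratum, poll, precision].pack('CCcc') +
      pack_ntp_short(root_delay) + pack_ntp_short(root_dispersion) +
      [reference_id].pack('a4') +
      [reference_ts, origin_ts, receive_ts, transmit_ts].map { |t| pack_ntp_timestamp(t) }.join
  end

  # Parse the fixed 48-byte header; extension fields and a MAC are ignored.
  def self.from_binary_s(bytes)
    raise ArgumentError, 'NTP header needs 48 bytes' if bytes.bytesize < 48
    flags, stratum, poll, precision, rd_s, rd_f, disp_s, disp_f, refid =
      bytes.unpack('CCccnnnna4')
    ts = (0...4).map { |i| unpack_ntp_timestamp(bytes.byteslice(16 + i * 8, 8)) }
    new(flags >> 6, (flags >> 3) & 7, flags & 7, stratum, poll, precision,
        rd_s + rd_f.fdiv(2**16), disp_s + disp_f.fdiv(2**16), refid, *ts)
  end
end

# The PR's failure mode: Struct#to_s (like BinData's) is a readable dump,
# not packet bytes; only the packed form is a valid fixed-size NTP header.
def valid_ntp_wire?(payload)
  payload.bytesize == 48
end
```

A quick way to catch this class of bug in a module test is to assert on the byte length of whatever is handed to the socket, as valid_ntp_wire? does.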

zeroSteiner force-pushed the fix/mod/ntp_nak_to_the_future branch from f48e4a0 to 092ca5d on December 19, 2024 15:20
zeroSteiner force-pushed the fix/mod/ntp_nak_to_the_future branch from 092ca5d to 5385b3d on December 20, 2024 13:57