Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

executable file 85 lines (69 sloc) 2.391 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
#!/usr/bin/env python

import struct
import socket
from socket import *
import binascii
import getopt
import sys

def usage():
        help = "Options:\n"
        help += "\t-h <host>\t target host\n"
        help += "\t-v \t\t Turn on Verbosity\n"
        return help

def main():
        print "ntp error response mode 7 checker"
        print "CVE-2009-3563"
        print "by brad a."
        print "--------------------------------------"
        try:
                opts,args = getopt.getopt(sys.argv[1:], "h:v",[])
        except getopt.GetoptError:
                print usage()
                return

        host = verbose = 0
        port = 123
        for o, a in opts:
                if o == "-h":
                        host = a
                if o == "-v":
                 verbose = 1
        if host == 0:
                print usage()
                return
        print "[+] Targeting",host
        s = socket(AF_INET,SOCK_DGRAM)
        s.settimeout(2)
        #s.bind (('0.0.0.0', 123))
        #msg = "1797000000"
        ver_msg = "160200010000000000000000"

        #s.connect((host,port))

        print "[+] Sending Version Request"

        try:
               s.connect((host,port))
               s.send(binascii.unhexlify(ver_msg))
               recv_data = s.recv(1024)
        except:
               print "[!] Host has timed out or is not responding"
               return

        #recv_data = s.recv(1024)
        print "[+] Client Response:\n\t",recv_data

        recv_data = 0
        msg = "17"

        print "[+] Sending Mode 7 Malformed Packet"
        hex_msg = binascii.unhexlify(msg)
        if verbose == 1:
                print "[+] Sending \t H(", hex_msg, ")\n\t\t A(", binascii.hexlify(hex_msg),")"
        s.send(hex_msg)
        try:
                recv_data = s.recv(1024)
        except:
               print "[+] Response timed out! This most likely means its not vuln"

        print "[+] Client Response:\n\t\t",binascii.hexlify(recv_data)
        s.close()
        if recv_data:
               print "[+] Since we got a response, ima say this guy is vulnerable"
               print "[+] But check the banner for further confirmation some OS's (i.e. juniper/JunOS) are not vuln"
               print "[+] ntpd < 4.2.4p8 and 4.2.5 are vuln"
        else:
               print "[+] No response! guess its not vuln"



main()

Something went wrong with that request. Please try again.