CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/auxiliary/dos/http/ws_dos.md
Views: 1904

Vulnerable Application

ws < 1.1.5 || (2.0.0 , 3.3.1) https://nodesecurity.io/advisories/550

Vulnerable Analysis

This module exploits a Denial of Service vulnerability in npm module "ws". By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.

Verification Steps

  1. Start the vulnerable server using the sample server code below node server.js

  2. Start msfconsole

  3. use auxiliary/dos/http/ws_dos

  4. set RHOST <IP>

  5. run

  6. The server should crash

Options

None.

Scenarios

Server output from crash

/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40
    paramsList.push(parsedParams);
               ^

TypeError: paramsList.push is not a function
    at value.split.forEach (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40:16)
    at Array.forEach (<anonymous>)
    at Object.parse (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:15:20)
    at WebSocketServer.completeUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:230:30)
    at WebSocketServer.handleUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:197:10)
    at Server.WebSocketServer._ultron.on (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:87:14)
    at emitThree (events.js:136:13)
    at Server.emit (events.js:217:7)
    at onParserExecuteCommon (_http_server.js:495:14)
    at onParserExecute (_http_server.js:450:3)

Sample server

const WebSocket = require('ws');
const wss = new WebSocket.Server(
{ port: 3000 }
);
wss.on('connection', function connection(ws) {
console.log('connected');
ws.on('message', function incoming(message)
{ console.log('received: %s', message); }
);
ws.on('error', function (err)
{ console.error(err); }
);
});