Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/fuzzers/http/http_get_uri_long.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'English'

7
class MetasploitModule < Msf::Auxiliary

8
  include Msf::Exploit::Remote::Tcp

9
  include Msf::Auxiliary::Fuzzer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'HTTP GET Request URI Fuzzer (Incrementing Lengths)',

16
        'Description' => %q{

17
          This module sends a series of HTTP GET request with incrementing URL lengths.

18
        },

19
        'Author' => [ 'nullthreat' ],

20
        'License' => MSF_LICENSE,

21
        'Notes' => {

22
          'Stability' => [CRASH_SERVICE_DOWN],

23
          'SideEffects' => [],

24
          'Reliability' => []

25
        }

26
      )

27
    )

28
    register_options([

29
      Opt::RPORT(80),

30
      OptInt.new('MAXLENGTH', [true, 'The longest string length to try', 16384]),

31
      OptString.new('URIBASE', [true, 'The base URL to use for the request fuzzer', '/']),

32
      OptString.new('VHOST', [false, 'The virtual host name to use in requests'])

33
    ])

34
  end

35


36
  def do_http_get(uri = '', opts = {})

37
    @connected = false

38
    connect

39
    @connected = true

40


41
    sock.put("GET #{uri} HTTP/1.1\r\nHost: #{datastore['VHOST'] || rhost}\r\n\r\n")

42
    sock.get_once(-1, opts[:timeout] || 0.01)

43
  end

44


45
  def run

46
    last_str = nil

47
    last_inp = nil

48
    last_err = nil

49


50
    pre = make_http_uri_base

51
    cnt = 0

52


53
    1.upto(datastore['MAXLENGTH'].to_i) do |len|

54
      cnt += 1

55


56
      str = fuzzer_gen_string(len)

57


58
      # XXX: Encode the string or leave it raw? Best to make a new boolean option to enable/disable this

59
      uri = pre + str

60


61
      if (cnt % 100 == 0)

62
        print_status("Fuzzing with iteration #{cnt} using string length #{len}")

63
      end

64


65
      begin

66
        do_http_get(uri, timeout: 0.25)

67
      rescue ::Interrupt

68
        print_status("Exiting on interrupt: iteration #{cnt} using string length #{len}")

69
        raise $ERROR_INFO

70
      rescue StandardError => e

71
        last_err = e

72
      ensure

73
        disconnect

74
      end

75


76
      if !@connected

77
        if last_str

78
          print_status("The service may have crashed: iteration:#{cnt - 1} len=#{len} uri=''#{last_str}'' error=#{last_err}")

79
        else

80
          print_status("Could not connect to the service: #{last_err}")

81
        end

82
        break

83
      end

84


85
      last_str = str

86
      last_inp = @last_fuzzer_input

87
    end

88
  end

89


90
  def make_http_uri_base

91
    datastore['URIBASE']

92
  end

93
end

94


95