CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/fuzzers/http/http_get_uri_long.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Fuzzer

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'HTTP GET Request URI Fuzzer (Incrementing Lengths)',

13
      'Description'    => %q{

14
        This module sends a series of HTTP GET request with incrementing URL lengths.

15
      },

16
      'Author'         => [ 'nullthreat' ],

17
      'License'        => MSF_LICENSE

18
    ))

19
    register_options([

20
      Opt::RPORT(80),

21
      OptInt.new("MAXLENGTH", [true, "The longest string length to try", 16384] ),

22
      OptString.new("URIBASE", [true, "The base URL to use for the request fuzzer", "/"]),

23
      OptString.new("VHOST", [false, "The virtual host name to use in requests"])

24
    ])

25
  end

26


27
  def do_http_get(uri='',opts={})

28
    @connected = false

29
    connect

30
    @connected = true

31


32
    sock.put("GET #{uri} HTTP/1.1\r\nHost: #{datastore['VHOST'] || rhost}\r\n\r\n")

33
    sock.get_once(-1, opts[:timeout] || 0.01)

34
  end

35


36
  def run

37
    last_str = nil

38
    last_inp = nil

39
    last_err = nil

40


41
    pre = make_http_uri_base

42
    cnt = 0

43


44
    1.upto(datastore['MAXLENGTH'].to_i) do |len|

45
      cnt += 1

46


47
      str = fuzzer_gen_string(len)

48


49
      # XXX: Encode the string or leave it raw? Best to make a new boolean option to enable/disable this

50
      uri = pre + str

51


52
      if(cnt % 100 == 0)

53
        print_status("Fuzzing with iteration #{cnt} using string length #{len}")

54
      end

55


56
      begin

57
        r = do_http_get(uri,:timeout => 0.25)

58
      rescue ::Interrupt

59
        print_status("Exiting on interrupt: iteration #{cnt} using string length #{len}")

60
        raise $!

61
      rescue ::Exception => e

62
        last_err = e

63
      ensure

64
        disconnect

65
      end

66


67
      if(not @connected)

68
        if(last_str)

69
          print_status("The service may have crashed: iteration:#{cnt-1} len=#{len} uri=''#{last_str}'' error=#{last_err}")

70
        else

71
          print_status("Could not connect to the service: #{last_err}")

72
        end

73
        return

74
      end

75


76
      last_str = str

77
      last_inp = @last_fuzzer_input

78
    end

79
  end

80


81
  def make_http_uri_base

82
    datastore['URIBASE']

83
  end

84
end

85


86