Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/fuzzers/http/http_get_uri_strings.rb
19567 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'English'

7
class MetasploitModule < Msf::Auxiliary

8
  include Msf::Exploit::Remote::Tcp

9
  include Msf::Auxiliary::Fuzzer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'HTTP GET Request URI Fuzzer (Fuzzer Strings)',

16
        'Description' => %q{

17
          This module sends a series of HTTP GET request with malicious URIs.

18
        },

19
        'Author' => [ 'nullthreat' ],

20
        'License' => MSF_LICENSE,

21
        'Notes' => {

22
          'Stability' => [CRASH_SERVICE_DOWN],

23
          'SideEffects' => [],

24
          'Reliability' => []

25
        }

26
      )

27
    )

28
    register_options([

29
      Opt::RPORT(80),

30
      OptString.new('VHOST', [false, 'The virtual host name to use in requests']),

31
      OptString.new('URIBASE', [true, 'The base URL to use for the request fuzzer', '/'])

32
    ])

33
  end

34


35
  def do_http_get(uri = '', opts = {})

36
    @connected = false

37
    connect

38
    @connected = true

39


40
    sock.put("GET #{uri} HTTP/1.1\r\nHost: #{datastore['VHOST'] || rhost}\r\n\r\n")

41
    sock.get_once(-1, opts[:timeout] || 0.01)

42
  end

43


44
  def run

45
    last_str = nil

46
    last_inp = nil

47
    last_err = nil

48


49
    pre = make_http_uri_base

50
    cnt = 0

51


52
    fuzz_strings do |str|

53
      cnt += 1

54


55
      # XXX: Encode the string or leave it raw? Best to make a new boolean option to enable/disable this

56
      uri = pre + str

57


58
      if (cnt % 100 == 0)

59
        print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")

60
      end

61


62
      begin

63
        do_http_get(uri, timeout: 0.50)

64
      rescue ::Interrupt

65
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")

66
        raise $ERROR_INFO

67
      rescue StandardError => e

68
        last_err = e

69
      ensure

70
        disconnect

71
      end

72


73
      if !@connected

74
        if last_str

75
          print_status("The service may have crashed: iteration:#{cnt - 1} method=#{last_inp} uri=''#{last_str}'' error=#{last_err}")

76
        else

77
          print_status("Could not connect to the service: #{last_err}")

78
        end

79
        return

80
      end

81


82
      last_str = str

83
      last_inp = @last_fuzzer_input

84
    end

85
  end

86


87
  def make_http_uri_base

88
    datastore['URIBASE']

89
  end

90
end

91


92