Flexense HTTP Server <= 10.6.24 DOS #9701
Conversation
This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. A vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software, the web server should be enabled via Options->Server->Enable web server on port. The module triggers a user-space write access violation in the syncbrs.exe memory region. The number of requests needed to crash the server varies between 200 and 1000 depending on the OS version and system memory.
msftidy.rb adjustment.
Could you add a markdown documentation file (containing details on the vulnerability itself, what the module does to exploit it, and example usage)? See https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation#how-you-can-write-kbs and this PR, which would be an example of module markdown.
Added check function. Smaller & cleaner code.
Hi @EgeBalci, thanks for the submission! However, this PR looks a lot like exploit/windows/http/syncbreeze_bof; could you explain how this one is different from the other one? Thank you!
Hi @jrobles-r7, the "exploit/windows/http/syncbreeze_bof" module exploits a stack-based buffer overflow in Sync Breeze Enterprise versions v9.4.28, v10.0.28 and v10.1.16. After v10.1.16 this bug was fixed with a bounds-checking mitigation, but this module triggers another buffer overflow in products that use Flexense HTTP Server versions <= 10.6.24, and Sync Breeze Enterprise v10.6.24 is one of them. This BOF is caused by filling up a queue structure inside the HTTP header parser code. I tried hard to exploit it, but it seems unexploitable to me. The Flexense HTTP Server code is located inside libspp.dll and is used in multiple Flexense products such as:
We can rename this module to "flexense_http_server_dos" if it makes more sense.
Hey @EgeBalci, sorry for the delay. I'd like to get this landed. If you'd take care of renaming it to Meanwhile, I'll get started with testing. Thanks!
```ruby
      Exploit::CheckCode::Safe
    end
  rescue
    Exploit::CheckCode::Safe
```
I would suggest we respond with Exploit::CheckCode::Unknown, since we don't have enough information to know if it's safe.
Exploit::CheckCode changed to Unknown as suggested.
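The review point above, as an added example that is not the PR's own module code: a check routine that reports a vulnerable-looking version from a Server banner, but maps any failure to fingerprint (no banner, unparseable banner, connection error) to Unknown rather than Safe. The banner format "Flexense HTTP Server vX.Y.Z" and the CheckCode symbols are assumptions; the 10.6.24 threshold is the one from the PR title.

```ruby
require 'rubygems' # Gem::Version is used for numeric version comparison

# Stand-in for Metasploit's Exploit::CheckCode (assumed, simplified)
module CheckCode
  APPEARS = :appears # banner reports a version <= 10.6.24
  SAFE    = :safe    # banner reports a newer version
  UNKNOWN = :unknown # no banner, unparseable banner, or request failed
end

# Last version the PR describes as affected
LAST_VULNERABLE = Gem::Version.new('10.6.24')

# Classify a Server header value. Assumed banner format:
# "Flexense HTTP Server v10.6.24"; anything else is Unknown.
def classify_banner(server_header)
  return CheckCode::UNKNOWN if server_header.nil?

  m = server_header.match(/Flexense HTTP Server\s+v?(\d+(?:\.\d+)*)/i)
  return CheckCode::UNKNOWN unless m

  if Gem::Version.new(m[1]) <= LAST_VULNERABLE
    CheckCode::APPEARS
  else
    CheckCode::SAFE
  end
end

# The caller supplies a block that fetches the Server header (it may raise
# on network errors). Following the review suggestion, an exception yields
# Unknown: a failed request is not evidence that the target is safe.
def check_target
  classify_banner(yield)
rescue StandardError
  CheckCode::UNKNOWN
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners, not captured from a real server
  puts check_target { 'Flexense HTTP Server v10.6.24' } # appears
  puts check_target { 'Flexense HTTP Server v10.7.0' }  # safe
  puts check_target { raise IOError, 'connection refused' } # unknown
end
```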
Release Notes: This module will crash the Sync Breeze Enterprise HTTP server by sending requests that cause the server to attempt to write to an invalid memory location.
Updates to this PR in 026b22d. Thanks.
This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. A vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software, the web server should be enabled via Options->Server->Enable web server on port. The module triggers a user-space write access violation in the syncbrs.exe memory region. The number of requests needed to crash the server varies between 200 and 1000 depending on the OS version and system memory.
Usage
msfconsole
use auxiliary/dos/http/syncbreeze_enterprise_dos
RHOST
Py exploit code