
Flexense HTTP Server <= 10.6.24 DOS #9701

Merged
merged 8 commits into from May 29, 2018

Conversation

EgeBalci
Contributor

@EgeBalci EgeBalci commented Mar 11, 2018

This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. A vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software, the web server should be enabled via Options->Server->Enable web server on port. The module triggers a user-space write access violation in the syncbrs.exe memory region. The number of requests needed to crash the server varies between 200 and 1000 depending on the OS version and system memory.

Usage

  • Start msfconsole
  • use auxiliary/dos/http/syncbreeze_enterprise_dos
  • set RHOST
  • run

Py exploit code

Ege Balcı added 3 commits March 11, 2018 23:07
This module triggers a Denial of Service vulnerability in the Sync Breeze Enterprise HTTP server. Vulnerable version of the product can be downloaded here (http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.6.24.exe). After installing the software web server should be enabled via Options->Server->Enable web server on port. Module triggers a user space write access violation on syncbrs.exe memory region. Number of requests that will crash the server changes between 200-1000 depending on the OS version and system memory.
msftidy.rb adjustment.
@s0m3gai

s0m3gai commented Mar 12, 2018

Could you add a markdown documentation file (containing details on the vulnerability itself and what the module does to exploit it, and example usage)? See https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation#how-you-can-write-kbs and this PR, which would be an example of module markdown.

Ege Balcı added 3 commits March 12, 2018 20:30
Added check function.
Smaller & cleaner code.
@jrobles-r7
Contributor

Hi @EgeBalci, thanks for the submission! However, this PR looks a lot like exploit/windows/http/syncbreeze_bof; could you explain how this one is different from the other one? Thank you!

@EgeBalci
Contributor Author

Hi @jrobles-r7, the "exploit/windows/http/syncbreeze_bof" module exploits a stack-based buffer overflow in Sync Breeze Enterprise versions v9.4.28, v10.0.28 and v10.1.16. After v10.1.16 this bug was fixed with a bounds-checking mitigation, but this module triggers another buffer overflow in products that use Flexense HTTP Server versions <= 10.6.24, and Sync Breeze Enterprise v10.6.24 is one of them. This BOF is caused by filling up a queue structure inside the HTTP header parser code. I tried hard to exploit it, but it seems unexploitable to me.

The Flexense HTTP Server code is located inside libspp.dll and is used in multiple Flexense products, such as:

  • DiskBoss - Data Management Solution
  • SyncBreeze - File Synchronization Solution
  • DiskPulse - Real-Time Disk Change Monitor
  • DiskSavvy - Disk Space Analyzer
  • DupScout - Duplicate Files Finder
  • SysGauge - System Monitor
  • DiskSorter - File Classification

We can change this module as "flexense_http_server_dos" if it makes more sense.

@bcoles bcoles added docs and removed needs-docs labels Apr 6, 2018
@asoto-r7
Contributor

Hey @EgeBalci, sorry for the delay. I'd like to get this landed. If you'd take care of renaming it to flexense_http_server_dos, I think that would help ease some confusion and also emphasize that the exploit works on a variety of Flexense services.

Meanwhile, I'll get started with testing.

Thanks!

@asoto-r7 asoto-r7 self-assigned this May 23, 2018
    Exploit::CheckCode::Safe
  end
rescue
  Exploit::CheckCode::Safe
Contributor


I would suggest we respond with Exploit::CheckCode::Unknown, since we don't have enough information to know if it's safe.
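The distinction this review comment draws, Safe only when the banner proves it and Unknown whenever the evidence is missing, is shown below in an added, stand-alone example. It is not the module's code and not Metasploit's: plain symbols stand in for the Exploit::CheckCode constants so it runs without the framework, the Server header format "Flexense HTTP Server vX.Y.Z" is an assumption, and the sample responses are constructed rather than captured from a real server.

```ruby
require 'rubygems' # for Gem::Version (normally loaded already)

# Added example, not code from this PR or from Metasploit. It mirrors the
# check decision discussed in the review: :appears / :safe only when the
# banner supports that verdict, :unknown in every other case.
# Assumption: the service identifies itself with a header of the form
# "Server: Flexense HTTP Server vX.Y.Z".

# Newest version the PR describes as affected.
LAST_AFFECTED = Gem::Version.new('10.6.24')

# Return the Server header value from a raw HTTP response, or nil if absent.
def server_header(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first.to_s
  head.each_line do |line|
    name, value = line.split(':', 2)
    next if name.nil? || value.nil?
    return value.strip if name.strip.casecmp('server').zero?
  end
  nil
end

# Map a response to a check outcome (stand-ins for Exploit::CheckCode):
#   :appears - Flexense HTTP Server at or below 10.6.24
#   :safe    - Flexense HTTP Server with a newer version string
#   :unknown - no response, no Flexense banner, or no parsable version;
#              this case must not be reported as :safe, because nothing
#              in the response shows the target is unaffected
def check_result(raw_response)
  return :unknown if raw_response.nil? || raw_response.empty?
  banner = server_header(raw_response)
  return :unknown if banner.nil?
  m = banner.match(/Flexense HTTP Server v(\d+(?:\.\d+)+)/i)
  return :unknown if m.nil?
  Gem::Version.new(m[1]) <= LAST_AFFECTED ? :appears : :safe
end

# Constructed sample responses with the verdict each should produce.
SAMPLES = {
  "HTTP/1.1 200 OK\r\nServer: Flexense HTTP Server v10.6.24\r\n\r\n" => :appears,
  "HTTP/1.1 200 OK\r\nServer: Flexense HTTP Server v10.6.3\r\n\r\n"  => :appears,
  "HTTP/1.1 200 OK\r\nServer: Flexense HTTP Server v11.0.0\r\n\r\n"  => :safe,
  "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"                          => :unknown,
  "HTTP/1.1 200 OK\r\n\r\n"                                           => :unknown,
  ''                                                                  => :unknown,
  nil                                                                 => :unknown
}.freeze

# Run every sample through check_result and return {response => verdict}.
def check_all(samples = SAMPLES)
  samples.keys.map { |resp| [resp, check_result(resp)] }.to_h
end

check_all.each { |resp, verdict| puts "#{verdict.to_s.ljust(8)} #{resp.inspect[0, 60]}" }
```

The version comparison goes through Gem::Version so that 10.6.3 sorts below 10.6.24, which a plain string comparison would get wrong; the exception-swallowing `rescue` in the snippet under review would likewise map to `:unknown` here, not `:safe`.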

Ege Balcı added 2 commits May 25, 2018 20:18
Exploit::CheckCode changed to Unknown as suggested.
@EgeBalci EgeBalci changed the title Adding Sync Breeze Enterprise 10.6.24 DOS Flexense HTTP Server <= 10.6.24 DOS May 25, 2018
asoto-r7 added a commit to asoto-r7/metasploit-framework that referenced this pull request May 29, 2018
asoto-r7 added a commit to asoto-r7/metasploit-framework that referenced this pull request May 29, 2018
@asoto-r7 asoto-r7 merged commit 3ab7526 into rapid7:master May 29, 2018
msjenkins-r7 pushed a commit that referenced this pull request Jun 1, 2018
@acammack-r7
Contributor

Release Notes

This module will crash the Sync Breeze Enterprise HTTP server by sending requests that cause the server to attempt to write to an invalid memory location.

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Jun 20, 2018
@wvu
Contributor

wvu commented Jun 26, 2018

Updates to this PR in 026b22d. Thanks.
