Full Disclosure mailing list archives
Re: Apache Killer
From: Javier Bassi <javierbassi () gmail com>
Date: Tue, 13 Sep 2011 22:36:16 -0300
On Mon, Sep 12, 2011 at 11:26 PM, xD 0x41 wrote:
I know this topic is OLD, but I just wonder, and, also having spoken to kcope re this myself, discussed the size of each bucket, which can be made to stupendous amounts, and using a different vector: ok, instead of Range: bytes=, picture a GET request with, as was shown in the code there, "Request-Range: bytes=5-,5-69,5-". Now we have bypassed most filters already in place, and the Request-Range code is exactly the same as the Range code. Only one person spotted this.
The HTTPD advisory was very clear that both Range and Request-Range can be used. Everyone who unset Range probably unset Request-Range too. If the host is vulnerable it's a little better to use Range because using Request-Range will take 8 bytes more (more bytes = fewer ranges). I have tested the exploit a bit and saw 1300 ranges is just a fixed number chosen by kingcope, but it can be a little bigger. The Range field can be almost 8KB long and it's a total waste of bytes to use the x-y, format where y is an increasing number that will take more than one digit. So instead of 1300 you can get it to 2725 max if you use repeated x-, where x is always a single-digit number. By doing that the exploit gets much more effective. I have attached the source if anyone cares.
Attachment: killapache2.pl
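A defender-side check, added here and not part of either post or of killapache2.pl: it counts the range specs in a Range or Request-Range header value and flags a request whose combined count across both header names exceeds a threshold, so a filter that only strips Range does not leave Request-Range uncovered. The five-range threshold and the summing across both header names are assumptions of this example.

```python
import re

# Both header names are checked, since the thread notes that the
# Request-Range code path is the same as the Range one.
RANGE_HEADERS = ("range", "request-range")

# Matches one byte-range spec: "x-y", "x-" or "-y" (optional whitespace).
_SPEC = re.compile(r"^\s*(\d+-\d*|-\d+)\s*$")


def count_ranges(value: str) -> int:
    """Number of byte-range specs in a header value such as 'bytes=5-,5-69,5-'."""
    value = value.strip()
    if not value.lower().startswith("bytes="):
        return 0
    specs = value[len("bytes="):].split(",")
    return sum(1 for spec in specs if _SPEC.match(spec))


def is_range_flood(headers: dict, max_ranges: int = 5) -> bool:
    """True when Range plus Request-Range together carry more than max_ranges specs.

    max_ranges=5 is an assumed threshold; legitimate clients rarely send more
    than a handful of ranges in one request.
    """
    total = 0
    for name, value in headers.items():
        if name.lower() in RANGE_HEADERS:
            total += count_ranges(value)
    return total > max_ranges


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    benign = {"Host": "example.test", "Range": "bytes=0-1023"}
    # The thread's own pattern, repeated a few times, via the alternate header.
    flood = {"Host": "example.test",
             "Request-Range": "bytes=" + ",".join(["5-", "5-69", "5-"] * 4)}
    for label, req in (("benign", benign), ("flood", flood)):
        print(label, "->", "reject" if is_range_flood(req) else "allow")
```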
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/