The Nmap scan of Metasploitable 2 revealed:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
The Nessus scan had this to say regarding port 80:
55976 – Apache HTTP Server Byte Range DoS
Synopsis
The web server running on the remote host is affected by a denial of service vulnerability.
Description
The version of Apache HTTP Server running on the remote host is affected by a denial of service vulnerability. Making a series of HTTP requests with overlapping ranges in the Range or Request-Range request headers can result in memory and CPU exhaustion. A remote, unauthenticated attacker could exploit this to make the system unresponsive. Exploit code is publicly available and attacks have reportedly been observed in the wild.
And so I went on a hunt looking for the code that is applicable to this version of the Apache server (2.2.8) and found it here, aptly called “The Apache Killer”.
In the last few days OSS web admins have become very concerned about a recent Apache HTTPd denial of service. “Apache Killer” (written by Kingcope) is a Perl script causing remote DoS through memory exhaustion on an Apache httpd server. The script sends large numbers of HEAD requests with lots of ranges, resulting in memory being swapped to the filesystem on the remote side and making the remote system unstable.
While the vulnerability has been publicly known since August 19, an official advisory hasn’t been published yet. However, a temporary workaround must be found in order to avoid regular system crashes. The most efficient and elegant solution that I have read about is using the mod_rewrite engine.
Let’s get our hands dirty to see how we can deal with the DoS remote attack.
The target system is an Ubuntu 8.04 installation with Apache/2.2.8. Initially, I ran the Perl script to confirm that the system is vulnerable.
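The mod_rewrite workaround mentioned above works by refusing requests whose Range (or Request-Range) header carries more than a handful of ranges. The following is an added example, not code from the original post or from the Apache project, showing the same decision as a standalone check that a reverse proxy or log parser could apply; the threshold MAX_RANGES and the sample header values are assumptions chosen for illustration.

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the original post or from the Apache project.
# MAX_RANGES is an assumed threshold; the published mod_rewrite workaround
# likewise allows only a handful of ranges per request.
MAX_RANGES = 5
Range = Tuple[Optional[int], Optional[int]]
_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(value: str) -> Optional[List[Range]]:
    """Parse 'bytes=a-b,c-d,...' into (first, last) pairs; '-500' becomes
    (None, 500), '500-' becomes (500, None). Returns None if malformed."""
    if not value.startswith("bytes="):
        return None
    ranges: List[Range] = []
    for spec in value[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        if first is not None and last is not None and last < first:
            return None
        ranges.append((first, last))
    return ranges

def has_overlap(ranges: List[Range]) -> bool:
    """True if any two fully specified ranges overlap (after sorting by start)."""
    absolute = sorted(r for r in ranges if r[0] is not None and r[1] is not None)
    return any(f2 <= l1 for (_, l1), (f2, _) in zip(absolute, absolute[1:]))

def should_reject(value: Optional[str]) -> bool:
    """Decision for one Range (or Request-Range) header value: no header
    passes; malformed, too many, or overlapping ranges are refused."""
    if not value:
        return False
    ranges = parse_byte_ranges(value)
    if ranges is None or len(ranges) > MAX_RANGES:
        return True
    return has_overlap(ranges)

# Constructed sample header values with the expected decision for each.
SAMPLES = {
    "bytes=0-499": False,                   # ordinary partial download
    "bytes=0-99,200-299,-100": False,       # a few disjoint ranges
    "bytes=0-100,50-150": True,             # overlapping ranges
    "bytes=0-,0-,0-,0-,0-,0-,0-,0-": True,  # far more ranges than any client needs
}
```

Run `should_reject` against both the Range and the Request-Range header of each request; a legitimate client almost never sends more than one or two ranges, so the count alone already separates normal traffic from the pattern Nessus describes.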
I downloaded the code to my desktop, named the file killapache.pl, and ran it in the terminal:
~/Desktop# perl killapache.pl 192.168.1.103 50
Host does not seem vulnerable
No matter what I tried I received the same non-vulnerable message. I was quite disappointed as this would have been my first DoS attack.
If we scan with OWASP ZAP or traverse to our browser and pop in the URL of our Metasploitable 2 we can see that there are various services running on the server on port 80 that may provide additional attack vectors; however, at this time I was solely interested in attacking the Apache server itself.
I will be returning to explore some of these services in due course.