@Ephigenia
Forked from FabianBeiner/gist:1169049
Created August 27, 2011 10:08
Simple function to check for the "Apache Killer" (see http://lists.grok.org.uk/pipermail/full-disclosure/2011-August/082299.html)
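#!/usr/bin/env php
<?php
/**
 * Send a HEAD request with one small Range header and report whether the
 * server answers 206 Partial Content, i.e. whether it honours byte ranges.
 * A 206 only shows that Range requests are processed for this URL.
 */
function testForExploit($url = NULL) {
    $oCurl = curl_init($url);
    curl_setopt_array($oCurl, array(
        CURLOPT_HTTPHEADER     => array('Range: bytes=0-4'),
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_CONNECTTIMEOUT => 0,
        // Certificate checks are off so hosts with self-signed
        // certificates can be tested as well.
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_SSL_VERIFYPEER => 0,
        CURLOPT_FOLLOWLOCATION => 1,
        CURLOPT_HEADER         => 1,   // include response headers in the output
        CURLOPT_NOBODY         => 1,   // HEAD request, no body is downloaded
        CURLOPT_ENCODING       => 'gzip',
    ));
    $strReturn = curl_exec($oCurl);
    if ($strReturn === false) {
        // Connection or transfer error: there is no response to evaluate.
        echo 'Request failed: '.curl_error($oCurl).PHP_EOL;
        return;
    }
    // Use the status code of the final response (after redirects) instead of
    // searching the headers for the word "Partial", which HTTP/2 responses
    // do not contain and which other headers could contain by accident.
    if (curl_getinfo($oCurl, CURLINFO_HTTP_CODE) === 206) {
        echo "$url is probably exploitable!!!".PHP_EOL;
    } else {
        echo "Probably NOT exploitable".PHP_EOL;
    }
    // Print the raw response headers for manual inspection.
    echo PHP_EOL.$strReturn.PHP_EOL;
}

// The URL to test is the first command-line argument.
if (!isset($argv[1])) {
    die('No url passed'.PHP_EOL);
}
$url = $argv[1];
if (empty($url)) {
    die('no url or invalid url passed'.PHP_EOL);
}
// Accept only scheme://host[:port][/...] with a dotted host name.
if (!preg_match('/^(http|https|ftp):\/\/([A-Z0-9][A-Z0-9_-]*(?:\.[A-Z0-9][A-Z0-9_-]*)+):?(\d+)?\/?/i', $url)) {
    die('invalid url passed'.PHP_EOL);
}
testForExploit($url);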