0day DoS: Mikrotik Server side DoS attack

Intro..

After exploring the winbox clientserver protocol, i wanted to find some ways to get rid of winbox service and winbox client…
This finding, has to do only with the mikrotik router, who has winbox service running (on port 8291 or in any other port)
On my try to make a test on the server, in order to cause a lot of traffic, i saw the service being unstable, causing various probs to whole router. The minimum prob was the 100% cpu load, but there are various probs depending on hardware and routeros version. The exploit’s logic is very simple, and the winbox protocol analysis is simple too.So it made me identify that vulnerability very easy. The vulnerability found while trying to download a DLL/plugin file from mikrotik router (just like winbox client does) and choose a big file, and request the 1st part of it many times.. That is what causes the DoS. The only file needed here is the .py script, and it is tested on python 2.4 and 2.7 versions.

More details, download and usage, are below.. :

Vulnerability Description
===========================
The denial of service, happens on mikrotik router’s winbox service when
the attacker is requesting continuesly a part of a .dll/plugin file, so the service
becomes unstable causing every remote clients (with winbox) to disconnect
and denies to accept any further connections. That happens for about 5 minutes. After
the 5 minutes, winbox is stable again, being able to accept new connections.
If you send the malicious packet in a loop (requesting part of a file right after
the service becoming available again) then you result in a 100% denial of winbox service.
While the winbox service is unstable and in a denial to serve state, it raises router’s CPU 100%
and other actions. The “other actions” depends on the router version and on the hardware.
For example on Mikrotik Router v3.30 there was a LAN corruption, BGP fail, whole router failure
=> Mikrotik Router v2.9.6 there was a BGP failure
=> Mikrotik Router v4.13 unstable wifi links
=> Mikrotik Router v5.14/5.15 rarely stacking
=>>> Behaviour may vary most times, but ALL will have CPU 100% . Most routers loose BGP after long time attack <<

The exploit
=============
This is a vulnerability in winbox service, exploiting the fact that winbox lets you download files/plugins
that winbox client needs to control the server, and generally lets you gain basic infos about the service BEFORE
user login!
Sending requests specially crafted for the winbox service, can cause a 100% denial of winbox service (router side).
This script, offers you the possibility to download any of the dlls that can be downloaded from the router one-by-one
or alltogether! (look usage for more info) .. The file must be contained in the router’s dll index.
The dlls downloaded, are in the format of the winbox service.. Meaning that they are compressed with gzip and they
have 0xFFFF bytes every 0x101 bytes (the format that winbox client is expecting the files)
These DLLs can be used by the “Winbox remote code execution” exploit script 😉

Download script here: mkDl

Usage
=======
Try running the script without arguments to see usage.. or
Use the script as described below:
1. You can download ALL the files of the router’s dll index using the following command:

python mkDl.py 10.0.0.1 * 1

the “1” in the end, is the speed.. “Speed” is a factor I added, so the script delays a bit while receiving
information from the server. It is a MUST for remote routers when they are in long distance (many hops) to use
a slower speed ( 9 for example ).
Also in the beginning of the dlls file list, script shows you the router’s version (provided by router’s index)
2. You can download a specific .dll file from the remote router.

python mkDl.py 10.67.162.1 roteros.dll 1

In this example i download roteros.dll (which is the biggest and main plugin) with a speed factor of 1 (very fast)
Because roteros and 1-2 other files are big, you have to request them in different part (parts of 64k each)
That is a restriction of winbox communication protocol.
If you don’t know which file to request, make a “*” request first (1st usage example), see the dlls list, and press ctrl-c
to stop the script.
3. You can cause a Denial Of Service to the remote router.. Means denial in winbox service or more (read above for more)

python mkDl.py 10.67.162.1 DoS

This command starts requesting from router’s winbox service the 1st part of roteros.dll looping the request
and causing DoS to the router. The script is requesting the file till the router stops responding to the port (8291).
Then it waits till the service is up again (using some exception handling), then it requests again till the remote service is down again etc etc… The requests lasts for about 2 seconds, and the router is not responding for about 5 minutes as far as i have seen from my tests in different routeros versions.

A PoC video with DoS and download files feature.. :

 

 

 

Tagged , , , , , , , , , . Bookmark the permalink.

33 Responses to 0day DoS: Mikrotik Server side DoS attack

  1. PoURaN says:

    ErebusBat reported an error in python 2.7.1 on lion osx .. There was a weird behaviour in the DoS loop where there wasn’t flood with the “- Sending evil packet.. press CTRL-C to stop -” as expected and there was not DoS at all.. I’ll keep you updated when i check Lion myself 🙂
    Btw works fine as tested on windows python 2.7 and backtrack 5..

  2. PoURaN says:

    Finaly the prob in mac lion was just the spacing of the file and specific in lines 205-211 make again in mac the spacing inside coda.. and it will be ok 😉

  3. ErebusBat says:

    PoURaN~

    This is confirmed fixed on my box now. Also for your list…. this absolutely kills the winbox service on my 493G/ROS 5.5 however I saw no depreciable change in traffic flow.

    I tested my traffic flow by SCPing a large file from my laptop (LAN SIDE) to a server on the WAN side of the Mikrotik.

    However you could lock admins out… I know plenty of people who would be lost without WinBox.

  4. dleech says:

    i Have problem about this, can someone explain to me …
    what should i do ..

    Traceback (most recent call last):
    File “mkDl.py”, line 225, in
    s.connect((mikrotikIP, 8291))
    File “C:Python27libsocket.py”, line 224, in meth
    return getattr(self._sock,name)(*args)
    socket.error: [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed bec
    ause connected host has failed to respond

  5. PoURaN says:

    @dleech
    can you please tell us how do you run the script? Is the remote IP a mikrotik router?

  6. d4taps says:

    What do I do in the files (( DLL ))

    How do I see the information inside it ?!

  7. PoURaN says:

    @d4taps
    you don’t need to.. they are the original DLLs as they are provided by mikrotik router v5.14.. If you wanna see them you have to remove the two 0xFF 0xFF bytes in every 0x101 bytes inside every DLL.. (that’s the format, that winbox wants to “see” the receiving file) if you see the script’s source you’ll find out.. 😉

  8. Masoud says:

    how can i hack a Mikrotik Router?
    i want to hack isp mikrotik and find user & pw of mikrotik.

  9. GOomile says:

    connection reseted by server… 🙁

  10. RBA says:

    same problem..connection reseted by server…

  11. kambiz says:

    i have problem with runnig the script
    when I run this command: C:mkD1python mkD1.py

    I receive this error:

    File “mkD1.py”,line 75
    print “[+] Index received!”

    SyntaxError: invalid syntax
    would you please help me with it?

  12. PoURaN says:

    @kambiz
    Hey kambiz,
    tell me exactly what you do.. I am just testing it again doing:
    C:Python27>python mkD1.py 10.10.10.1 roteros.dll 1

    and works fine… and also for DoS attack:

    C:Python27>python mkD1.py 10.10.10.1 DoS

  13. kambiz says:

    I’ve solved the problem.the problem occurred because the script syntax belongs to python version2 but the python I installed is version3.so I convert it to version3 by using 2to3.py in python.
    now i have another problem. when i run this:

    c:Python32>python mkDl.py (mikrotik ip) * 7

    I receive this error:

    [Winbox plugin downloader]

    Traceback (most recent call last):
    File “mkDl.py”, line 226, in
    s.send(winboxStringIndex)
    TypeError: ‘str’ dose not support the buffer interface.

    would you please help me with it?

  14. PoURaN says:

    @kambiz
    I can’t install python 32 atm to check it.. but i see in line 226 has s.send(winboxStartingIndex) and not s.send(winboxStringIndex)

  15. kambiz says:

    yes I made a mistake while typing
    as you said it is: s.send(winboxStartingIndex)

  16. kambiz says:

    the problem is solved by installing python27.
    I have another question.is there any way or any exploit to download the backup files from mikrotik?

  17. PoURaN says:

    @kambiz
    No, only from winbox

  18. HEY , ADMIN,
    can I get users with this method?

  19. De@th says:

    It worked fine but still have a question.
    isn’t their any way to get mikrotik password or those DLL file this script download contain router password.

    • PoURaN says:

      no you can’t do it with this method.. and inside dll there is no info like that.. You can just grab the admin’s saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method BUT you must be in the same Lan as the victim OR you can social him, so you don’t need same lan and mac sppofing … 😛

  20. Ghacker2012 says:

    what i want to do is exactly what u have just said “You can just grab

    the admin’s saved winbox passwords (if there are any)” . iam on the

    same lan . please can you explain it for me how to grab password for

    admin from saved password and how can i make this “command execution

    exploit and a mac spoofing method ” , please help me in this

  21. Ghacker says:

    @PoURaN
    41.35.44.57

  22. hi says:

    thanks PoURaN for this great info i don’t think that i will find it any where and i have 3 questions :
    1st how can i get the backup of mikrotik or the other info like user name isn’t the dll files that we downloaded contain all the infos?

    2nd how do i use the dll files to extract the info on it like ppp and any others.

    3rd.what mac do i have to spoof the admin pc lan or the mikrotik or any one on who connected to the mikrotic.

  23. PoURaN says:

    @hi
    Hello, concerning your questions:
    1) no you can’t.. and no the DLLs don’t contain any infos about users/backups.. they just contain functions in order to make winbox.exe work for the specific mikrotik version.
    2) you can’t.. look 1) :p
    3) mac spoofing can be done where you are in the same LAN with your victim (in this case your victim is the mikrotik admin).. search more about mac spoofing..

  24. hi says:

    thanks PoURaN again for ur answering
    you said “You can just grab the admin’s saved winbox passwords (if there are any) using the command execution exploit and a mac spoofing method ”
    i know how to spoof the mac address but what do u mean about command execution exploit what is this and can u tell me in details because it’s almost a year and iam trying how to hack the mikrotik to get the user and pass 🙂

  25. hi says:

    at least can u tell me how to get the the command execution exploit do i need the a backtrack?

  26. PoURaN says:

    @hi
    Hey man.. I was a bit busy that’s why I was late in reply.. So.. By saying remote code execution exploit, I mean this one.. http://www.133tsec.com/2012/04/27/0day-mikrotik-winbox-client-side-attack-a-remote-code-execution-exploit/
    Watch and understand the video I made there.. To execute code to your victim, you have to do it 1) even by social.. (talk to him and ask him to connect to yor malicious mtik emulator) 2) by spoofing his router and force him to connect to you instead of his router (mac spoofing – same LAN)
    For how to make a malicious emulator for mtik watch the vid of the exploit i told you earlier..
    cya

  27. hi says:

    thanks m8 i will
    c u

  28. insane says:

    I think is a goood ideea to write a script that is honeyspot for mikrotik to collect user/pass and the spoof router`s mac.

  29. Joca says:

    Not Working on 6.0rc6

  30. Guru says:

    root@kali:~/Desktop/mkDl# python mkDl.py 192.168.0.16 * 1

    [Winbox plugin downloader]

    Usage : mkDl.py
    : [from 0 to 9] 1=faster, 9=slower but more reliable

  31. gofur says:

    after download all dll file so next what?

  32. Lojze says:

    Hi there
    I was wondering on how to create a custom dll that winbox would download and that it would show me the welcome screen for instance

    as I was always fascinated on how routeros.dll for instance shapes the way winbox looks like for the fist test, just this would be enough: https://www.qtechsystem.com/wp-content/uploads/2019/05/winbox-Login-1024×616.png

    but I am not realy sure how theese dlls are constructed, when opening them with ghidra for instance (awesome decompiler): https://ghidra-sre.org/

    it is not able to identify anything not even DLLMain

    so if you have already played around with that and maybe have some source for some example dll that winbox would load, let me know

    Thanks for Anwsering and Best Regards

Leave a Reply

Your email address will not be published. Required fields are marked *