CVE-2005-0277
Published: 2005-05-02
Priority: P3 (41) · Severity: medium · CVSS 2.0 base score: 5 · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 61.91% (99.1st percentile)
Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3com | 3cdaemon | — | — |
Detection & IOCs (extracted from sources)
Byte pattern (NOP sled followed by decoder stub):
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
Byte pattern (short jump followed by encoded payload):
\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x59\x6C\x59\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x57\x53\x32\x5F\x33\x32\x2E\x44\x4C\x4C
- Detect exploitation attempts by monitoring FTP USER command payloads exceeding 229 bytes; the exploit places an SEH/return-address overwrite at offset 229 within the USER argument.
- Flag FTP sessions where the USER command argument is 673–2048 bytes long, as both public exploits use buffers of exactly these sizes against 3CDaemon.
- Detect the exploit's NOP sled pattern (200 bytes of 0x90) followed by shellcode in the FTP USER command payload.
- Monitor for FTP USER command payloads containing the SEH pad bytes EB 0C 90 90 at offset 229, which is the short-jump stub used by the class101 exploit.
- Alert on outbound connections from the 3CDaemon process (3CDaemon.exe) to attacker-controlled IPs on high ports or on port 101/4444 immediately after an oversized USER command, indicating successful shellcode execution.
- The Metasploit module fingerprints the target by matching the FTP banner string '3Com 3CDaemon FTP Server Version 2.0'; alert on reconnaissance scanning for this banner.
- The exploit uses a bad-char-filtered payload space of 674 bytes with specific bad characters; network signatures should look for long FTP USER arguments containing NOP sleds and lacking the bytes 0x00, 0x25, 0x0D, 0x0A, 0x3A, 0x22, 0x20, 0x2F, 0x5C, 0x2E, 0x09.
- The Metasploit module requires selecting the correct return-address target per OS; a wrong target selection causes a crash rather than code execution. Return addresses differ across Windows 2000, XP SP0/SP1, NT 4.0, and Win2k French.
- The exploit payload has a stack adjustment of -3500 bytes and uses a -find connection type, meaning the payload reuses the existing FTP connection socket rather than opening a new one; detection must account for shellcode executing over the same TCP session.
- The class101 exploit (EDB-827) notes only 4 bad bytes (0x00, 0x25, 0x0D, 0x0A) and uses XOR-encoded shellcode; the return address via 'call ebx' is stable across multiple Win2k SP4 language variants, making it broadly applicable.
No detection rules found.
Exploit-DB
3Com 3CDaemon 2.0 FTP Server - 'Username' Remote Overflow (Metasploit)
exploitdb · 2010-09-20
---
```ruby
##
# $Id: 3cdaemon_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '3Com 3CDaemon 2.0 FTP Username Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the 3Com 3CDaemon
				FTP service. This package is being distributed from the 3Com
				web site and is recommended in numerous support documents.
				This module uses the USER command to trigger the overflow.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Vers
```
Exploit-DB
3Com 3CDaemon FTP - Unauthorized 'USER' Remote Buffer Overflow
exploitdb · 2005-02-18
---
```c
/* Added " on line 86 /str0ke */
/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow

The particularity of this exploit is to exploit an FTP server
without the need of any authorization.

Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip

Application Risk: Severely High
Internet Risk: Low

Hole History:
14-4-2002: BOF flaw found by skyrim
15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
17-2-2005: lame exploit released milw0rm.com/id.php?id=825
18-2-2005: proper exploit released hat-squad.com, class101.org, class101.hat-squad.com

Notes:
-4 bad bytes, 0x00, 0x25, 0x0
```
Exploit-DB
3Com FTP Server 2.0 - Remote Overflow
exploitdb · 2005-02-17
---
```c
/* Email fixed brotha /str0ke */
/*
3Com Ftp Server remote overflow exploit

author : c0d3r "kaveh razavi" [email protected]
package : 3CDaemon version 2.0 revision 10
advisory : http://secway.org/advisory/ad20041011.txt
company address : 3com.com

It is just a simple PoC tested on WinXP SP1 and may not work on other systems.
Just lame coded software that wasn't worth bothering myself to develop
the exploit code for. Every command has got an overflow.

compiled with visual c++ 6 : cl 3com.c

greetz : LorD and NT of Iran Hackers Sabotages , irc.zirc.org #ihs
Jamie of exploitdev (hey man how should I thank u with ur helps?),
sIiiS and vbehzadan of hyper-security , pishi , redhat , araz , simorgh
securiteam , roberto of zone-h , milw0rm (dont u see tha
```
Metasploit
3Com 3CDaemon 2.0 FTP Username Overflow
metasploit
This module exploits a vulnerability in the 3Com 3CDaemon FTP service. This package is being distributed from the 3Com web site and is recommended in numerous support documents. This module uses the USER command to trigger the overflow.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=110485674622696&w=2
- http://marc.info/?l=bugtraq&m=110886719528518&w=2
- http://www.securityfocus.com/bid/12155
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18754