CVE-2005-0277
published 2005-05-02


Priority: P3 (41) · Severity: medium · CVSS 2.0: 5.0 (vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit: public exploit code available · EPSS: 61.91% (99.1st percentile)
Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls.

Affected (1 range)

Vendor: 3com · Product: 3cdaemon · Version range: not listed · Fixed in: not listed

Detection & IOCs (extracted from sources)

  • version: 3Com 3CDaemon FTP Server Version 2.0 (FTP banner)
  • command: USER <2048-byte overflow buffer>
  • port: 4444
  • bytes (NOP sled fragment followed by a 23-byte XOR decoder loop: pop edx / dec edx / mov cx,0x17D / xor byte [edx+ecx],0x99 / loop, reached through a jmp/call pair):
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x10\x5A\x4A\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0A\x99\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF
  • bytes (ends in the ASCII string WS2_32.DLL):
\xEB\x26\x90\x00\x00\x00\x00\x00\x00\x02\x06\x6C\x59\x6C\x59\xF8\x1D\x9C\xDE\x8C\xD1\x4C\x70\xD4\x03\x58\x46\x57\x53\x32\x5F\x33\x32\x2E\x44\x4C\x4C
  • Detect exploitation attempts by monitoring for FTP USER arguments longer than 229 bytes: the exploit places its SEH/return-address overwrite at offset 229 within the USER argument.
  • Flag FTP sessions whose USER argument is between 673 and 2048 bytes long; the two public exploits use buffers of these two sizes (673 and 2048 bytes) against 3CDaemon, so an exact match on either length is a high-confidence signal.
  • Detect the exploit's NOP sled (200 consecutive 0x90 bytes) followed by shellcode in the FTP USER argument.
  • Monitor for USER arguments carrying the bytes EB 0C 90 90 at offset 229: this is the short-jump SEH stub used by the class101 exploit.
  • Alert on outbound connections from the 3CDaemon process (3CDaemon.exe) to attacker-controlled IPs on high ports, or on port 101 or 4444, immediately after an oversized USER command; this indicates the shellcode ran.
  • The Metasploit module fingerprints the target by matching the FTP banner string '3Com 3CDaemon FTP Server Version 2.0'; alert on reconnaissance scans that enumerate this banner.
  • The Metasploit module's payload space is listed as 674 bytes (the buffer size quoted above is 673; the sources differ by one byte) and is filtered for bad characters; network signatures should look for long USER arguments that contain a NOP sled and none of the bytes 0x00, 0x25, 0x0D, 0x0A, 0x3A, 0x22, 0x20, 0x2F, 0x5C, 0x2E, 0x09 (the module's bad-character list).
  • The Metasploit module requires selecting the correct return-address target for the victim OS; a wrong target crashes the service instead of executing code. Return addresses differ across Windows 2000, XP SP0/SP1, NT 4.0 and French Win2k.
  • The Metasploit payload is prepended with a stack adjustment of -3500 bytes, and the module lists '-find' in its payload keys. In Metasploit 2.x modules a leading minus in that list excludes a payload class rather than selecting it, so the find-socket (socket-reuse) payloads are ruled out: the shellcode opens its own bind or reverse connection instead of reusing the FTP control session, which is consistent with the port 4444 and outbound-connection indicators above.
  • The class101 exploit (EDB-827) lists only 4 bad bytes (0x00, 0x25, 0x0D, 0x0A) and XOR-encodes its shellcode; its return address, a 'call ebx', is stable across multiple Win2k SP4 language variants, making the exploit broadly applicable. Note that the decoder stub quoted in the IOC bytes above itself contains 0x0A (inside the encoding of xor byte [edx+ecx],0x99), so a signature that requires the absence of 0x0A will miss this payload even though the shellcode body is bad-byte free.
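The heuristics in the list above, applied to a raw FTP control-channel capture, as an added example (this is not code from the page's sources or from either public exploit). The offsets, lengths and byte patterns are the ones quoted on this page; the FTP session, the handler-address placeholder 0xDEADBEEF and the stand-in shellcode body are constructed for the example. Beyond the page's heuristics, the example also parses the XOR decoder stub from the IOC bytes, recovers its key and length, and decodes the body that follows it.

```python
"""Detection logic for oversized FTP USER commands aimed at 3CDaemon 2.0.

Added example; not code from the page's sources or from the exploits it cites.
Offsets, lengths and byte patterns come from the detection notes above; the
FTP session at the bottom is constructed, not a real capture.
"""
import re

SEH_OFFSET = 229                   # overwrite lands at this offset in the USER argument
SEH_STUB = b"\xEB\x0C\x90\x90"     # class101 short-jump stub expected at that offset
MIN_NOP_SLED = 200                 # class101 sled: 200 x 0x90 before the shellcode
SUSPECT_LENGTHS = (673, 2048)      # buffer sizes used by the two public exploits
MSF_BADCHARS = b"\x00\x25\x0d\x0a\x3a\x22\x20\x2f\x5c\x2e\x09"

# Decoder stub at the tail of the IOC bytes on this page:
#   jmp $+0x12 ; pop edx ; dec edx ; xor ecx,ecx ; mov cx,LEN ;
#   xor byte [edx+ecx],KEY ; loop ; jmp $+7 ; call back to the pop edx
# LEN (2 bytes, little-endian) and KEY (1 byte) are captured so the body can be decoded.
XOR_DECODER = re.compile(
    rb"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9(..)\x80\x34\x0A(.)\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF",
    re.DOTALL,
)


def user_args(session: bytes):
    """Yield the argument of every USER command in a raw FTP control-channel capture.
    Both public exploits exclude 0x0D and 0x0A from their payloads, so CRLF splitting is safe."""
    for line in session.split(b"\r\n"):
        if line[:5].upper() == b"USER ":
            yield line[5:]


def analyse_user_arg(arg: bytes) -> dict:
    """Apply the page's heuristics to one USER argument and report which ones fire."""
    longest_sled = max((len(run) for run in re.findall(rb"\x90+", arg)), default=0)
    findings = {
        "length": len(arg),
        "oversized": len(arg) > SEH_OFFSET,
        "exploit_sized": len(arg) in SUSPECT_LENGTHS,
        "seh_stub_at_229": arg[SEH_OFFSET:SEH_OFFSET + 4] == SEH_STUB,
        "nop_sled": longest_sled >= MIN_NOP_SLED,
        # Only meaningful on an oversized argument; a short login name is trivially bad-char free.
        "msf_badchar_free": len(arg) > SEH_OFFSET and not any(b in arg for b in MSF_BADCHARS),
        "xor_decoder": None,
    }
    m = XOR_DECODER.search(arg)
    if m:
        length = int.from_bytes(m.group(1), "little")
        key = m.group(2)[0]
        body = arg[m.end():m.end() + length]          # encoded bytes follow the call
        findings["xor_decoder"] = {"key": key, "length": length,
                                   "decoded": bytes(b ^ key for b in body)}
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into benign / oversized-USER / exploit."""
    if not findings["oversized"]:
        return "benign"
    hits = [k for k in ("seh_stub_at_229", "nop_sled", "xor_decoder", "exploit_sized")
            if findings[k]]
    return "exploit" if hits else "oversized-USER"


def scan_session(session: bytes):
    """Return (verdict, findings) for every USER command in the capture."""
    return [(verdict(f), f) for f in map(analyse_user_arg, user_args(session))]


# --- constructed sample session (not a real capture) ---------------------------------
def build_decoder(body: bytes, key: int = 0x99) -> bytes:
    """Re-create the IOC decoder stub around a body XORed with `key` (sample data only)."""
    stub = (b"\xEB\x10\x5A\x4A\x33\xC9\x66\xB9" + len(body).to_bytes(2, "little")
            + b"\x80\x34\x0A" + bytes([key]) + b"\xE2\xFA\xEB\x05\xE8\xEB\xFF\xFF\xFF")
    return stub + bytes(b ^ key for b in body)


SAMPLE_BODY = b"\xCC" * 247 + b"WS2_32.DLL"            # stands in for real shellcode
MALICIOUS_USER = (b"A" * SEH_OFFSET + SEH_STUB + b"\xEF\xBE\xAD\xDE"   # placeholder handler address
                  + b"\x90" * MIN_NOP_SLED + build_decoder(SAMPLE_BODY))
SAMPLE_SESSION = (b"220 3Com 3CDaemon FTP Server Version 2.0\r\n"
                  b"USER anonymous\r\n331 User name ok, need password\r\n"
                  b"USER " + MALICIOUS_USER + b"\r\n")

if __name__ == "__main__":
    for v, f in scan_session(SAMPLE_SESSION):
        dec = f["xor_decoder"]
        print(v, f["length"], dec and dec["decoded"][-10:])
```

The sample's malicious USER argument is 717 bytes, so the exact-length rule does not fire; the SEH stub at offset 229, the 200-byte sled and the decoder stub do, and the decoded body ends in WS2_32.DLL. The Metasploit bad-character test comes back False for it because the decoder stub itself carries 0x0A, which is why that test belongs with the Metasploit-layout signature rather than with the class101 one.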