Vulnerability & Exploit Database

Back to search

TFTP Server for Windows 1.4 ST WRQ Buffer Overflow

This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone' , and then manually select your target accordingly. A successful attempt will lead to remote code execution under the context of SYSTEM if run as a service, or the user if run as a standalone. A failed attempt will result a denial-of-service.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/windows/tftp/tftpserver_wrq_bof

Authors

  • Mati Aharoni
  • Datacut

References

Targets

  • Windows XP SP2/SP3 EN Service Mode
  • Windows XP SP2/SP3 EN Standalone Mode
  • Windows 7 SP0/SP1 EN x64 Service Mode
  • Windows 7 SP0/SP1 EN x64 Standalone Mode
  • Windows 7 SP0/SP1 EN x86 Service Mode
  • Windows 7 SP0/SP1 EN x86 Standalone Mode

Platforms

  • windows

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/tftp/tftpserver_wrq_bof msf exploit(tftpserver_wrq_bof) > show targets ...targets... msf exploit(tftpserver_wrq_bof) > set TARGET <target-id> msf exploit(tftpserver_wrq_bof) > show options ...show and set options... msf exploit(tftpserver_wrq_bof) > exploit