
TFTP Server for Windows 1.4 ST WRQ Buffer Overflow

Disclosed
2008-03-26
Created
2018-05-30

Description

This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw
is due to the way TFTP Server handles the filename parameter extracted from a WRQ request.
The server appends the user-supplied filename to the TFTP server binary's path
without any bounds checking, and then attempts to check this path with fopen().
Since this is not a valid file path, fopen() returns NULL, which allows the
corrupted data to be used in a strcmp() call, causing an access violation.

Since the offset is sensitive to how the TFTP server is launched, you must know
in advance whether the victim machine launched TFTP as a 'Service' or 'Standalone',
and then manually select your target accordingly. A successful attempt leads
to remote code execution in the context of SYSTEM if run as a service, or of
the user if run standalone. A failed attempt results in a denial of service.
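The WRQ handling described above, as an added example that is not part of this module or of TFTP Server 1.4 ST: a parser that validates a write request per RFC 1350 and flags a filename that would overrun a bounded path, the kind of check a defender would place in front of the path-building step or in a network sensor. The base path and the 260-byte bound are assumptions chosen for illustration.

```python
# Added example (not the Metasploit module's or TFTP Server 1.4 ST's code):
# parse a TFTP write request (WRQ, RFC 1350) and reject a filename that would
# exceed a path bound before any path is built from it. SERVER_DIR and
# MAX_PATH_LEN are assumed values, not taken from the vulnerable product.
import struct

OPCODE_WRQ = 2
ALLOWED_MODES = {"netascii", "octet", "mail"}
SERVER_DIR = "C:\\Program Files\\TFTP Server\\"   # constructed sample base path
MAX_PATH_LEN = 260                               # assumed bound for the combined path

def parse_wrq(packet: bytes) -> dict:
    """Return {'filename', 'mode'} for a well-formed WRQ; raise ValueError otherwise."""
    if len(packet) < 4:
        raise ValueError("packet too short for a WRQ")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OPCODE_WRQ:
        raise ValueError(f"not a WRQ (opcode {opcode})")
    # Filename and mode are NUL-terminated strings that follow the 2-byte opcode.
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty remainder after the last NUL
        raise ValueError("missing NUL terminator in filename or mode")
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    if mode not in ALLOWED_MODES:
        raise ValueError(f"unsupported mode {mode!r}")
    return {"filename": filename, "mode": mode}

def check_wrq(packet: bytes, base_dir: str = SERVER_DIR, limit: int = MAX_PATH_LEN) -> dict:
    """Classify a WRQ as 'ok', 'oversized' or 'malformed' before building any path."""
    try:
        req = parse_wrq(packet)
    except ValueError as exc:
        return {"verdict": "malformed", "reason": str(exc)}
    combined_len = len(base_dir) + len(req["filename"])
    if combined_len > limit:  # this is the bound the vulnerable server never applied
        return {"verdict": "oversized", "filename_len": len(req["filename"]), "path_len": combined_len}
    return {"verdict": "ok", "filename": req["filename"], "mode": req["mode"]}

def build_wrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """Assemble a WRQ packet; used only to construct sample input for the checks."""
    return struct.pack("!H", OPCODE_WRQ) + filename + b"\x00" + mode + b"\x00"

# Constructed sample packets: a normal upload and one with a 300-byte filename.
BENIGN_WRQ = build_wrq(b"firmware.bin")
OVERSIZED_WRQ = build_wrq(b"A" * 300)
```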

Authors

Mati Aharoni
Datacut

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/windows/tftp/tftpserver_wrq_bof
msf exploit(tftpserver_wrq_bof) > show targets
...targets...
msf exploit(tftpserver_wrq_bof) > set TARGET < target-id >
msf exploit(tftpserver_wrq_bof) > show options
...show and set options...
msf exploit(tftpserver_wrq_bof) > exploit
