# TFTP Formats
#
#   Type    Op #     Format without header
#
#           2 bytes    string    1 byte    string    1 byte
#           ------------------------------------------------
#   RRQ/   | 01/02 |  Filename  |   0   |   Mode    |   0   |
#   WRQ     ------------------------------------------------
#
#           2 bytes    2 bytes     n bytes
#           ---------------------------------
#   DATA   |  03   |   Block #  |   Data     |
#           ---------------------------------
#
#           2 bytes    2 bytes
#           -------------------
#   ACK    |  04   |   Block #  |
#           -------------------
#
#           2 bytes    2 bytes      string    1 byte
#           ----------------------------------------
#   ERROR  |  05   |  ErrorCode |  ErrMsg   |   0   |
#           ----------------------------------------
# Error Codes
#
#   Value   Meaning
#   0       Not defined, see error message (if any).
#   1       File not found.
#   2       Access violation.
#   3       Disk full or allocation exceeded.
#   4       Illegal TFTP operation.
#   5       Unknown transfer ID.
#   6       File already exists.
#   7       No such user.
#
# Written by Omer Gull from Check Point Research
#
import logging
import struct
import time

from boofuzz import *
# constants
# Known-good request body: a directory prefix (trailing backslash included)
# and a file name. Presumably the WDS boot image under the TFTP root, given
# that the server under test is wdstftp.dll - confirm against the target.
KNOWN_PATH = r"boot\x64\Images" + "\\"
KNOWN_FILE = "boot.wim"
#callbacks
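def callback_ACK(session, request, connection, target):
    """boofuzz post-send callback: complete a transfer the target accepted.

    Runs after each fuzz case is sent. If the target answered with an OACK
    (opcode 06, i.e. it accepted the request and its options), reply with
    the ACK for block 0 on the port the target replied from, read the next
    response, then send an ERROR so the target tears the transfer down
    instead of keeping a half-open session alive across fuzz cases.

    Args:
        session: boofuzz session; only ``session.last_recv`` is read.
        request: the request just sent (unused).
        connection: the connection object (unused).
        target: boofuzz target; ``target._target_connection.port`` is set
            to ``new_port`` for the exchange and restored to 69 afterwards.

    Returns:
        None. Failures during the ACK/ERROR exchange are logged at DEBUG
        level and otherwise ignored: this is best-effort cleanup and must
        not abort the fuzzing session. Unlike the original, the port is
        restored to 69 even when the exchange fails, so the next fuzz case
        is not sent to a stale transfer port.
    """
    last = session.last_recv
    if not last or not last.startswith("\x00\x06"):
        return

    # NOTE(review): str literals follow the Python 2 style of this file; on
    # Python 3 boofuzz returns bytes from recv() and expects bytes in
    # send(), so these would need b"..." - confirm the interpreter in use.
    ack = "\x00\x04\x00\x00\x04"  # ACK, block 0 (same 5-byte layout as the "ACK" request)
    err = "\x00\x05\x00\x00"      # ERROR, code 0, no message

    conn = None
    try:
        conn = target._target_connection
        # The OACK comes from the port the target replied on, not from 69,
        # so the ACK has to be sent to that port.
        conn.port = conn.new_port
        target.send(ack)
        target.recv(1000)
        # Abort the transfer so the target releases its session state.
        target.send(err)
    except Exception:
        logging.getLogger(__name__).debug(
            "post-OACK ACK/ERROR exchange failed", exc_info=True)
    finally:
        # Always return to the well-known port for the next fuzz case.
        if conn is not None:
            conn.port = 69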
def longToASCII(number):
    """Block encoder: render a packed 4-byte signed integer as decimal text.

    boofuzz passes the encoder the rendered bytes of the block (here a
    single s_long) and puts the returned text on the wire, which is what
    TFTP option values need: ASCII digits rather than a binary integer.

    NOTE(review): 'i' uses the host's byte order; confirm it matches the
    endianness s_long renders with.
    """
    (value,) = struct.unpack('i', number)
    return str(value)
def doubleToASCII(number):
    """Block encoder: render a packed 8-byte signed integer as decimal text.

    Despite the name this unpacks 'q' (a 64-bit integer, not a float);
    presumably because the s_double primitive it is paired with below is
    the 8-byte integer primitive - verify against the boofuzz version in use.

    NOTE(review): 'q' uses the host's byte order; confirm it matches the
    endianness the primitive renders with.
    """
    (value,) = struct.unpack('q', number)
    return str(value)
# --- REQ: a read/write request carrying TFTP options -----------------------
# Layout: opcode, filename, NUL, mode, NUL, then option name/value pairs,
# each NUL-terminated. Indentation restored: the if/s_block_end pairs are
# the boofuzz block idiom (s_block_start always returns True).
s_initialize("REQ")
# Opcode group: 01 = RRQ, 02 = WRQ. The request is rendered once per value.
s_group("opcodes", values=["\x00\x01", "\x00\x02"])
if s_block_start("blk_REQ", group="opcodes"):
    # Filename: fixed directory prefix plus a fuzzable file name, capped so
    # the whole path stays within 255 bytes.
    s_static(KNOWN_PATH)
    s_string(KNOWN_FILE, max_len=255-len(KNOWN_PATH))
    s_delim("\x00")
    # Mode group: the two standard modes plus an invalid one ("blah").
    s_group("modes", values=["octet", "netascii", "blah"])
    if s_block_start("blk_mode", group="modes"):
        s_static("\x00")
        # The option name is a fuzzable string here (the other names below
        # are static), so the option parser also sees malformed names.
        s_string("tsize", max_len=900) #try to fuzz an option name
        s_delim("\x00")
        # Value sent as the literal text "0" (itself a fuzzable delimiter);
        # the binary->ASCII encoder is deliberately left off for this one.
        if s_block_start("blk_tsize_value"):#, encoder=doubleToASCII):
            s_delim("0")
        s_block_end("blk_tsize_value")
        s_delim("\x00")
        # Numeric options: a 4-byte s_long is turned into decimal text by
        # the longToASCII block encoder at render time.
        s_static("blksize")
        s_delim("\x00")
        if s_block_start("blk_blksize_value", encoder=longToASCII):
            s_long(1456)
        s_block_end("blk_blksize_value")
        s_delim("\x00")
        s_static("windowsize")
        s_delim("\x00")
        if s_block_start("blk_windowsize_value", encoder=longToASCII):
            s_long(64)
        s_block_end("blk_windowsize_value")
        s_delim("\x00")
        # Non-standard option (presumably vendor-specific, given the name);
        # value sent as literal text, encoder intentionally disabled.
        s_static("msftwindow")
        s_delim("\x00")
        if s_block_start("blk_msftwindow_value"):#, encoder=longToASCII):
            s_static("31416")
        s_block_end("blk_msftwindow_value")
        s_delim("\x00")
        s_static("timeout")
        s_delim("\x00")
        if s_block_start("blk_timeout_value", encoder=longToASCII):
            s_long(100)
        s_block_end("blk_timeout_value")
        s_delim("\x00")
    s_block_end("blk_mode")
s_block_end("blk_REQ")
# ## Follow-up packets: ACK / ERROR
# DATA (\x00\x03) is not parsed by wdstftp.dll, so no DATA template is defined.
# --- ACK: acknowledgement sent after a request ----------------------------
s_initialize("ACK")
if s_block_start("blk_ACK"):
    s_static("\x00\x04")   # opcode 04 = ACK
    s_word(0)              # block number (fuzzable)
    # NOTE(review): the trailing byte is not part of the ACK layout in the
    # header comment; callback_ACK sends the same 5-byte form, so it looks
    # deliberate - confirm.
    s_byte(4)
s_block_end("blk_ACK")
# --- ERROR: opcode, error code, message, NUL ------------------------------
s_initialize("ERR")
if s_block_start("blk_ERR"):
    s_static("\x00\x05")               # opcode 05 = ERROR
    s_word(0)                          # error code (fuzzable)
    s_string("fuzz", 0, max_len=1022)  # ErrMsg: fuzzable, mutations capped at 1022 bytes
    s_static("\x00")                   # terminating NUL
s_block_end("blk_ERR")
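# --- OACK: option acknowledgement -----------------------------------------
# In TFTP the OACK is normally a server-to-client message; sending one to the
# server exercises its handling of an unexpected opcode. Same option layout
# as REQ: NUL-terminated name/value pairs.
s_initialize("OACK")
if s_block_start("blk_OACK"):
    s_static("\x00\x06")   # opcode 06 = OACK
    s_static("tsize")
    s_delim("\x00")
    # 8-byte value rendered as decimal text by the doubleToASCII encoder.
    if s_block_start("blk_tsize_value", encoder=doubleToASCII):
        s_double(0)
    s_block_end("blk_tsize_value")
    s_delim("\x00")
    # 4-byte values rendered as decimal text by the longToASCII encoder.
    s_static("blksize")
    s_delim("\x00")
    if s_block_start("blk_blksize_value", encoder=longToASCII):
        s_long(1456)
    s_block_end("blk_blksize_value")
    s_delim("\x00")
    s_static("windowsize")
    s_delim("\x00")
    if s_block_start("blk_windowsize_value", encoder=longToASCII):
        s_long(4)
    s_block_end("blk_windowsize_value")
    s_delim("\x00")
    s_static("msftwindow")
    s_delim("\x00")
    # Fixed: the original passed an int to s_static under the longToASCII
    # encoder, which struct.unpack()s a rendered 4-byte integer; use s_long
    # like the other numeric options so the block renders as "31416".
    if s_block_start("blk_msftwindow_value", encoder=longToASCII):
        s_long(31416)
    s_block_end("blk_msftwindow_value")
    s_delim("\x00")
    # Unlike the other names in this template, "timeout" is a fuzzable
    # s_string, so the option name itself gets mutated - confirm intended.
    s_string("timeout")
    s_delim("\x00")
    if s_block_start("blk_timeout_value", encoder=longToASCII):
        s_long(1)
    s_block_end("blk_timeout_value")
    s_delim("\x00")
s_block_end("blk_OACK")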