CVE-2002-2226
published 2002-12-31

CVE-2002-2226: Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.

Priority: P3 (51)
CVSS 2.0: 7.5 (High), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 63.48% (percentile 99.1)

Affected (12 ranges)

Vendor           Product   Version range   Fixed in
philippe_jounin  tftpd32   <= 2.74
philippe_jounin  tftpd32   (10 further entries; version ranges not shown on this page)
tftpd32          tftpd32   <= 2.21

Detection & IOCs (extracted from sources)

  • port: 69/udp
  • return address 0x77f9d463 (Windows NT 4.0 SP6a English)
  • return address 0x7c2ec663 (Windows 2000 Pro SP4 English)
  • return address 0x77dc0df0 (Windows XP Pro SP0 English)
  • return address 0x77dc5527 (Windows XP Pro SP1 English)
  • bytes: \x00\x01 (TFTP RRQ opcode) followed by a long filename buffer
  • bytes: \xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2\x0B\x03\xF2\x88\x0E\x2B\xF2\xB8\xAF\xA7\xE6\x77\xB1\x05\xB2\x04\x2B\xE2\x89\x0C\x24\x2B\xE2\x89\x34\x24\xFF\xD0\x90\xEB\xFD\xE8\xD4\xFF\xFF\xFF
  • bytes (Metasploit buffer layout): \x00\x01 + rand_text_english(120) + "." + rand_text_english(135) + [ret].pack('V') + payload + \x00
  • Detect oversized TFTP RRQ (opcode 0x0001) or WRQ (opcode 0x0002) requests on UDP/69 whose filename field (everything up to the first NUL) exceeds normal bounds (~255 bytes). The Metasploit module sends 120 bytes, a '.', 135 more bytes, a 4-byte return address and the payload before the terminating NUL, so the "filename" a parser sees is several hundred bytes long.
  • Alert on UDP/69 packets containing the shellcode byte sequence beginning \xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2. This fixed string only matches exploits that carry exactly that shellcode; an encoded Metasploit payload will not contain it, so pair it with the length checks.
  • The Metasploit payload's only bad character is \x00, so the overflow buffer is one unbroken run of non-NUL bytes. A request whose opcode is followed by 250+ bytes without a NUL, sent to a TFTPD32 host, is suspicious.
  • The Metasploit module sets EXITFUNC=process and a StackAdjustment of -3500. Both are payload-generation options (the adjustment prepends a stack-pointer move so the decoder does not overwrite itself), not a stack pivot, and neither produces a fixed pattern on the wire once the payload is encoded. Treat them as context for triaging a captured exploit rather than as a network signature; on the host, tftpd32.exe crashing or spawning a child process is the behavioural signal.
  • Monitor for TFTP RRQ/WRQ packets on UDP/69 whose total length is anomalously large (well beyond the 516-byte data packet size, or beyond any plausible filename), indicating an overflow attempt against TFTPD32.
  • The PoC exploit hardcodes a target IP and uses a fixed offset (116 'A's + '.' + 140 'A's, then the EIP overwrite), so its buffer layout differs from the Metasploit module's (120 + '.' + 135). Detections based on exact byte offsets should account for both variants.
  • The CVE affects TFTPD32 version 2.21 and earlier per NVD, but the Exploit-DB title references version 2.50, suggesting the vulnerability or a variant affects a broader version range than originally documented.
  • The return addresses in the Metasploit module are hardcoded per OS and service pack; exploitation will only succeed against the exact listed Windows targets (NT 4.0 SP6a, 2000 SP4, XP SP0, XP SP1, all English).
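As an added example, not code from the page's sources, from Tftpd32 or from the Metasploit module, the following Python parses TFTP RRQ/WRQ requests and applies the checks listed above: filename length, total request length, the four hardcoded return addresses, the shellcode prefix, and the two known buffer layouts (120/'.'/135 and 116/'.'/140). The 255-byte and 516-byte thresholds, the benign request and the `build_exploit_request` helper are assumptions constructed for this example; the helper emits inert filler rather than shellcode so the detector can be exercised offline.

```python
import random
import string
import struct

TFTP_RRQ, TFTP_WRQ = 1, 2
MAX_SANE_FILENAME = 255      # assumption: real clients never send longer names
MAX_SANE_REQUEST = 516       # assumption: nothing legitimate exceeds a data packet
SHELLCODE_PREFIX = b"\xEB\x27\x8B\x34\x24\x33\xC9\x33\xD2\xB2"   # from the page
KNOWN_RETS = {               # hardcoded return addresses listed on the page
    0x77F9D463: "Windows NT 4.0 SP6a English",
    0x7C2EC663: "Windows 2000 Pro SP4 English",
    0x77DC0DF0: "Windows XP Pro SP0 English",
    0x77DC5527: "Windows XP Pro SP1 English",
}


def parse_tftp_request(pkt):
    """Return (opcode, filename, mode, trailing) for an RRQ/WRQ, else None.

    A well-formed request is opcode(2) | filename | NUL | mode | NUL. The
    exploit buffer has no NUL until its very end, so the whole overflow
    string is returned as the filename and mode comes back empty.
    """
    if len(pkt) < 4:
        return None
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    body = pkt[2:]
    nul = body.find(b"\x00")
    if nul == -1:                      # no terminator at all
        return opcode, body, b"", b""
    filename, rest = body[:nul], body[nul + 1:]
    nul2 = rest.find(b"\x00")
    mode = rest if nul2 == -1 else rest[:nul2]
    trailing = b"" if nul2 == -1 else rest[nul2 + 1:]
    return opcode, filename, mode, trailing


def classify(pkt):
    """Return the list of reasons a request looks like the TFTPD32 overflow."""
    parsed = parse_tftp_request(pkt)
    if parsed is None:
        return []
    _opcode, filename, _mode, _trailing = parsed
    reasons = []
    if len(filename) > MAX_SANE_FILENAME:
        reasons.append(f"filename {len(filename)} bytes > {MAX_SANE_FILENAME}")
    if len(pkt) > MAX_SANE_REQUEST:
        reasons.append(f"request {len(pkt)} bytes > {MAX_SANE_REQUEST}")
    if SHELLCODE_PREFIX in pkt:
        reasons.append("known shellcode prefix present")
    for ret, target in KNOWN_RETS.items():
        if struct.pack("<I", ret) in pkt:           # [ret].pack('V') is little-endian
            reasons.append(f"return address {ret:#010x} ({target})")
    # Metasploit layout: 120 bytes, '.', 135 bytes; PoC layout: 116 bytes, '.', 140 bytes
    dot = filename.find(b".")
    if dot in (116, 120) and len(filename) - dot - 1 >= 135:
        reasons.append(f"exploit layout: {dot} bytes, '.', {len(filename) - dot - 1} bytes")
    return reasons


def build_exploit_request(ret, payload, before=120, after=135):
    """Construct a request in the exploit layout (test input only, inert payload)."""
    def filler(n):
        return "".join(random.choice(string.ascii_letters) for _ in range(n)).encode()
    return (struct.pack("!H", TFTP_RRQ) + filler(before) + b"." + filler(after)
            + struct.pack("<I", ret) + payload + b"\x00")


# Constructed benign request: RRQ for pxelinux.0 in octet mode.
BENIGN_RRQ = struct.pack("!H", TFTP_RRQ) + b"pxelinux.0\x00octet\x00"

if __name__ == "__main__":
    print("benign:", classify(BENIGN_RRQ))
    suspect = build_exploit_request(0x77DC5527, SHELLCODE_PREFIX + b"\x90" * 200)
    for reason in classify(suspect):
        print("suspect:", reason)
```

A sensor that already decodes TFTP can feed `classify` the UDP payload of every request to port 69; the filename-length and layout checks are the robust signals, while the shellcode prefix and return-address matches only fire on exploits that reuse those exact bytes.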