CVE-2005-1812
Published 2005-06-01
Priority: P2 · 61 · critical · 10.0 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 62.92% (99.1th percentile)
Multiple stack-based buffer overflows in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allow remote attackers to execute arbitrary code via a long (1) filename or (2) transfer mode string in a Read Request (RRQ) or Write Request (WRQ) packet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| futuresoft | tftp_server_2000 | — | — |
Detection & IOCs (extracted from sources)
bytes: \x00\x01 + 14-byte filename + \x00 + 167-byte transfer-mode field (overflow; SEH overwrite at offset 157)
- Detect exploit attempts by monitoring UDP port 69 for TFTP RRQ packets (opcode \x00\x01) whose transfer-mode field (the second null-terminated string) exceeds normal length; the overflow triggers at roughly 157 bytes into the mode field, where SEH/EIP are overwritten. Note that the CVE description names both the filename and the mode string, and both RRQ and WRQ (opcode \x00\x02), as vectors, so a rule keyed only on RRQ mode-string length misses the other three combinations.
- Flag UDP/69 TFTP RRQ packets whose total payload length exceeds ~200 bytes; a normal RRQ is short (opcode + filename + mode string only, and the only legal mode strings are "netascii", "octet" and "mail").
- Look for TFTP RRQ packets containing a NOP sled (runs of \x90) following the mode-string field, indicative of shellcode delivery.
- The Metasploit module was tested against Windows 2000 Professional and could not trigger the overflow on Windows 2000 Server; scope detection efforts accordingly, but treat the Server result as an untested negative rather than proof that Server is unaffected.
- The NVD entry for CVE-2007-1645 notes possible overlap with CVE-2006-4781 and CVE-2005-1812; deduplicate when correlating alerts across these CVEs.
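The checks in the list above, as an added example written for this page (it is not code from FutureSoft, from the Metasploit module or from the Exploit-DB entries): a bounded parser for a raw UDP/69 payload that extracts the opcode, filename and transfer-mode fields, then applies the three rules in order (oversized mode field, oversized request, 0x90 run). The thresholds (`MAX_SANE_MODE_LEN`, `MAX_SANE_PAYLOAD`, `NOP_SLED_MIN`) and the two sample packets are constructed assumptions; the overflow-shaped sample only mirrors the 14-byte filename / 167-byte mode layout quoted in the IOC line. It goes slightly beyond the list by also scoring WRQ requests and a long filename, since the CVE description names both.

```c
/* Added example written for this page (not FutureSoft, Metasploit or Exploit-DB code):
 * parse a raw UDP/69 payload and apply the three checks from the detection notes
 * above. The thresholds and the sample packets are constructed assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_SANE_MODE_LEN 8    /* "netascii" is the longest legal mode string (assumed bound) */
#define MAX_SANE_PAYLOAD  200  /* larger than any normal RRQ/WRQ (assumed bound) */
#define NOP_SLED_MIN      16   /* consecutive 0x90 bytes that count as a sled (assumed) */

typedef enum {
    TFTP_OK = 0,
    TFTP_NOT_REQUEST,     /* opcode is not RRQ/WRQ: out of scope for this rule */
    TFTP_MALFORMED,       /* too short, or filename/mode field missing */
    TFTP_SUSPECT_MODE,    /* mode field far longer than any legal mode */
    TFTP_SUSPECT_LENGTH,  /* whole request larger than a normal RRQ/WRQ */
    TFTP_SUSPECT_NOPSLED  /* run of 0x90 in or after the mode field */
} tftp_verdict;

typedef struct {
    uint16_t opcode;
    size_t   filename_len;
    size_t   mode_len;         /* runs to end of packet if the mode NUL is missing */
    size_t   longest_nop_run;  /* measured from the start of the mode field */
} tftp_request;

/* Length of the NUL-terminated field at p, or -1 if there is no NUL in [p, end). */
static long field_len(const uint8_t *p, const uint8_t *end) {
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));
    return nul ? (long)(nul - p) : -1;
}

static size_t longest_run(const uint8_t *p, const uint8_t *end, uint8_t byte) {
    size_t best = 0, cur = 0;
    for (; p < end; p++) { cur = (*p == byte) ? cur + 1 : 0; if (cur > best) best = cur; }
    return best;
}

/* Inspect one UDP/69 payload; the first rule that fires decides the verdict. */
tftp_verdict tftp_inspect(const uint8_t *pkt, size_t len, tftp_request *out) {
    tftp_request r = {0, 0, 0, 0};
    if (len < 2) return TFTP_MALFORMED;
    r.opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (r.opcode != TFTP_RRQ && r.opcode != TFTP_WRQ) return TFTP_NOT_REQUEST;
    const uint8_t *p = pkt + 2, *end = pkt + len;
    long n = field_len(p, end);
    if (n < 0) return TFTP_MALFORMED;          /* filename never terminated */
    r.filename_len = (size_t)n;
    p += n + 1;
    if (p == end) return TFTP_MALFORMED;       /* no mode field at all */
    n = field_len(p, end);                     /* an unterminated mode is still scored */
    r.mode_len = n >= 0 ? (size_t)n : (size_t)(end - p);
    r.longest_nop_run = longest_run(p, end, 0x90);
    if (out) *out = r;
    if (r.mode_len > MAX_SANE_MODE_LEN)    return TFTP_SUSPECT_MODE;
    if (len > MAX_SANE_PAYLOAD)            return TFTP_SUSPECT_LENGTH;
    if (r.longest_nop_run >= NOP_SLED_MIN) return TFTP_SUSPECT_NOPSLED;
    return TFTP_OK;
}

/* Serialise op | filename | NUL | mode | NUL | trailer; returns 0 if cap is too small. */
size_t tftp_build(uint8_t *buf, size_t cap, uint16_t op,
                  const uint8_t *fname, size_t fname_len,
                  const uint8_t *mode, size_t mode_len,
                  const uint8_t *trailer, size_t trailer_len) {
    if (2 + fname_len + 1 + mode_len + 1 + trailer_len > cap) return 0;
    uint8_t *p = buf;
    *p++ = (uint8_t)(op >> 8); *p++ = (uint8_t)(op & 0xff);
    memcpy(p, fname, fname_len); p += fname_len; *p++ = 0;
    memcpy(p, mode, mode_len);   p += mode_len;  *p++ = 0;
    if (trailer_len) { memcpy(p, trailer, trailer_len); p += trailer_len; }
    return (size_t)(p - buf);
}

/* Constructed samples: a normal read, and a request shaped like the IOC above
 * (14-byte filename, 167-byte mode field) with a 0x90 run after the mode NUL. */
size_t sample_benign(uint8_t *buf, size_t cap) {
    return tftp_build(buf, cap, TFTP_RRQ, (const uint8_t *)"boot.cfg", 8,
                      (const uint8_t *)"octet", 5, NULL, 0);
}

size_t sample_overflow(uint8_t *buf, size_t cap) {
    uint8_t fname[14], mode[167], sled[32];
    memset(fname, 'A', sizeof fname);
    memset(mode, 'A', sizeof mode);
    memset(sled, 0x90, sizeof sled);
    return tftp_build(buf, cap, TFTP_RRQ, fname, sizeof fname, mode, sizeof mode, sled, sizeof sled);
}

int main(void) {
    static const char *names[] = { "ok", "not-a-request", "malformed",
        "suspect-mode-length", "suspect-payload-length", "suspect-nop-sled" };
    uint8_t buf[512];
    tftp_request r;
    size_t n = sample_benign(buf, sizeof buf);
    printf("benign:   %zu bytes -> %s\n", n, names[tftp_inspect(buf, n, &r)]);
    n = sample_overflow(buf, sizeof buf);
    tftp_verdict v = tftp_inspect(buf, n, &r);
    printf("overflow: %zu bytes, mode=%zu, nop run=%zu -> %s\n", n, r.mode_len, r.longest_nop_run, names[v]);
    return 0;
}
```

The rules are ordered so that the cheapest, most specific signal (mode-field length) wins; the payload-length rule is what catches the long-filename variant and a WRQ, and the NOP-sled rule is the fallback for a payload whose fields look short but which carries a 0x90 run after the mode NUL. A mode field with no terminating NUL is scored by its remaining length rather than rejected, because that is exactly what a truncated or malformed overflow attempt looks like on the wire.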
GHSA
GHSA-j3f7-44vq-gc5f · ghsa_unreviewed · 2022-05-01 · CVE-2005-1812 · HIGH · CWE-119
Multiple stack-based buffer overflows in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allow remote attackers to execute arbitrary code via a long (1) filename or (2) transfer mode string in a Read Request (RRQ) or Write Request (WRQ) packet.
GHSA
GHSA-8fg3-mqfj-ph9w · ghsa_unreviewed · 2022-05-01 · CVE-2007-1645 · CRITICAL · CVSS 10.0
Buffer overflow in FutureSoft TFTP Server 2000 on Microsoft Windows 2000 SP4 allows remote attackers to execute arbitrary code via a long request on UDP port 69. NOTE: this issue might overlap CVE-2006-4781 or CVE-2005-1812.
No detection rules found.
Exploit-DB
FutureSoft TFTP Server 2000 - Transfer-Mode Overflow (Metasploit)
exploitdb · 2010-05-09 · CVE-2005-1812
---
```ruby
##
# $Id: futuresoft_transfermode.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# The class header and the opening of initialize (everything between
# "Metasploit3" and the module name) were swallowed as an HTML tag when the
# page was extracted; they are restored here from the standard Metasploit 3
# module layout. The module is a UDP exploit (see its description below).
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'FutureSoft TFTP Server 2000 Transfer-Mode Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the FutureSoft TFTP Server
					2000 product. By sending an overly long transfer-mode string, we were able
					to overwrite both the SEH and the saved EIP. A subsequent write-exception
					that will occur allows the transferring of execution to our shellcode
					via the overwritten SEH. This module has been tested against Windows
					2000 Professional and for some reason does not seem to work against
					Windows 2000 Server (could not trigger the overflow at all).
			},
# (the indexed copy of the module ends here; the rest of the file is not on this page)
```
Exploit-DB
FutureSoft TFTP Server 2000 - Remote Denial of Service
exploitdb · 2005-06-02 · CVE-2005-1812
---
```c
/*
 *
 * FutureSoft TFTP Server 2000 Remote Denial of Service Exploit
 * http://www.futuresoft.com/products/lit-tftp2000.htm
 * Bug Discovered by SIG^2 (http://www.security.org.sg)
 * Exploit coded By ATmaCA
 * Web: atmacasoft.com && spyinstructors.com
 * E-Mail: [email protected]
 * Credit to kozan
 * Usage: tftp_exp <target> [targetPort]
 *
 */
/*
 *
 * Vulnerable Versions:
 * TFTP Server 2000 Evaluation Version 1.0.0.1
 *
 */

/* The angle-bracketed header names were lost in extraction; winsock2.h is
 * implied by the ws2_32.lib pragma below and stdio.h by the usage banner. */
#include <stdio.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32.lib")

/* |RRQ|AAAAAAAAAAAAAAAA....|NULL|netasc|NULL|  -- an oversized filename in a Read Request */
char expbuffer[] =
    "\x00\x01"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
    "\x41\x41\x41\x41\x41\x41\x41"
    /* the indexed copy of the exploit is cut off inside this string; the rest of
     * the buffer and the socket code that sends it are not on this page */
;
```
Metasploit
FutureSoft TFTP Server 2000 Transfer-Mode Overflow
metasploit
This module exploits a stack buffer overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH and the saved EIP. A subsequent write-exception that will occur allows the transferring of execution to our shellcode via the overwritten SEH. This module has been tested against Windows 2000 Professional and for some reason does not seem to work against Windows 2000 Server (could not trigger the overflow at all).
No writeups or analysis indexed.
References
- http://secunia.com/advisories/15539
- http://securitytracker.com/id?1014079
- http://www.security.org.sg/vuln/tftp2000-1001.html
- http://www.securityfocus.com/bid/13821