CVE-2006-4948
published 2006-09-23


Priority: P3 (55) · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 54.09% (98.9th percentile)
Stack-based buffer overflow in tftpd.exe in ProSysInfo TFTP Server TFTPDWIN 0.4.2 and earlier allows remote attackers to execute arbitrary code or cause a denial of service via a long file name. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

Affected (2 ranges)

Vendor        Product                 Version range   Fixed in
prosysinfo    tftp_server_tftpdwin    <= 0.4.2        (none listed)
prosysinfo    tftp_server_tftpdwin    (unspecified)   (none listed)

Detection & IOCs (extracted from sources)

port: 69/udp
address: 0x00458b91 (pop edx / ret gadget in tftpd.exe; the high 0x00 byte doubles as the filename terminator when packed little-endian)
address: 0x4061fb42 (pop ebp / ret gadget in tftpd.exe)
address: 0x0040105D (ret gadget in tftpd.exe)
process: tftpd.exe
bytes: \x00\x02 + payload + ret + netascii\x00 (TFTP WRQ opcode, overflowing filename field, return address, then the mode string)
bytes: \x00\x01 (TFTP RRQ opcode prefix in the exploit packet)
  • Detect oversized UDP datagrams destined for port 69 (TFTP). The exploit sends a long filename/payload that overflows a stack buffer in tftpd.exe after the server's recv_from call.
  • Alert on TFTP WRQ packets (opcode \x00\x02) to port 69/udp whose filename field is abnormally long (>284 bytes) and is followed by the mode string 'netascii'.
  • Alert on TFTP RRQ packets (opcode \x00\x01) to port 69/udp whose filename field contains a NOP sled (runs of \x90) followed by shellcode; this is the shape of the Perl PoC.
  • Monitor for unexpected inbound TCP connections to port 4444 on, or unexpected listeners on port 4444 opened by, the host running tftpd.exe: a bind shell on that port indicates successful exploitation.
  • The usable payload space is 284 bytes and 0x00 is a bad character, so the filename field in a malicious packet is long and contains no null bytes until the one that terminates it; a TFTP request whose filename region exceeds 284 bytes without an earlier null is suspicious.
  • The Metasploit module targets only TFTPDWIN 0.4.2: the return address (a pop/ret trampoline in tftpd.exe) is hardcoded to that build and will not work against other versions.
  • The Metasploit module was tested on w2ksp0, w2ksp4, xpsp0 and xpsp2 (English); reliability on other OS versions or locales is not guaranteed.
  • The module sets StackAdjustment to -3500, i.e. it prepends code that moves ESP 3500 bytes below the payload so the shellcode's own stack writes do not overwrite it; a payload dropped in without that adjustment is likely to corrupt itself and fail.
  • The universal PoC (exploit 7452) restricts shellcode to avoid the bytes 0x00, 0x6e, 0x65 and 0x74 ("net"); any detection signature or payload generation must account for these bad characters.
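The indicators above describe a packet shape rather than a rule, so the following is an added example (not code from the page or from any of the exploit sources it cites) that parses a TFTP RRQ/WRQ per RFC 1350 and applies those checks to constructed sample datagrams. The 284-byte threshold and the 0x00458b91 address come from this page; the 16-byte NOP-sled threshold, the sample packets and all function names are assumptions made for the example.

```python
import struct

TFTP_PORT = 69
OP_RRQ, OP_WRQ = 1, 2
MAX_FILENAME = 284   # usable payload space quoted on this page
NOP_SLED_MIN = 16    # assumption: 16+ consecutive 0x90 bytes is treated as a sled


def parse_tftp_request(payload):
    """Split a TFTP RRQ/WRQ (RFC 1350) into (opcode, filename, mode).

    Wire layout: opcode (2 bytes, big-endian) | filename | 0x00 | mode | 0x00.
    Returns None if the payload is not an RRQ/WRQ.  A missing NUL after the
    filename is tolerated: overflow payloads avoid 0x00 and may omit it.
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    body = payload[2:]
    end = body.find(b"\x00")
    if end == -1:
        return opcode, body, b""
    filename = body[:end]
    mode = body[end + 1:].split(b"\x00", 1)[0]
    return opcode, filename, mode


def inspect_tftp_request(payload, dst_port=TFTP_PORT):
    """Return a list of findings for one UDP datagram, following the
    indicators listed on this page.  An empty list means nothing matched."""
    findings = []
    if dst_port != TFTP_PORT:
        return findings
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return findings
    opcode, filename, mode = parsed
    name = "WRQ" if opcode == OP_WRQ else "RRQ"
    oversized = len(filename) > MAX_FILENAME
    if oversized:
        findings.append(f"{name}: filename {len(filename)} bytes exceeds {MAX_FILENAME}")
    if opcode == OP_WRQ and oversized and mode.lower() == b"netascii":
        findings.append("WRQ: oversized filename followed by netascii (TFTPDWIN overflow shape)")
    if b"\x90" * NOP_SLED_MIN in filename:
        findings.append(f"{name}: NOP sled in filename field")
    return findings


# --- constructed samples, not captured traffic ---
BENIGN_RRQ = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"

# Shape of the WRQ overflow packet described on this page: the high 0x00 byte
# of the little-endian return address doubles as the filename terminator.
RET = struct.pack("<I", 0x00458B91)        # pop edx / ret address quoted above
OVERFLOW_WRQ = b"\x00\x02" + b"\x90" * 32 + b"\xcc" * 252 + RET + b"netascii\x00"

# RRQ carrying a NOP sled but a filename short enough to pass the size check
SLED_RRQ = b"\x00\x01" + b"\x90" * 40 + b"\xcc" * 20 + b"\x00" + b"octet\x00"

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN_RRQ), ("overflow", OVERFLOW_WRQ), ("sled", SLED_RRQ)):
        print(label, inspect_tftp_request(pkt) or "clean")
```

The parser deliberately does not require the filename NUL because an overflow payload cannot contain one before its return address; the size check therefore fires whether or not the packet is well-formed, and the netascii check narrows it to the WRQ shape this page documents.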