CVE-2006-6183
published 2006-12-01


Priority: P2 (62) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 70.57% (99.3rd percentile)
Multiple stack-based buffer overflows in 3Com 3CTftpSvc 2.0.1, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long mode field (aka transporting mode) in a (1) GET or (2) PUT command.

Affected (1 range)

Vendor: 3com · Product: 3ctftpsvc · Version range: <= 2.0.1 · Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 69/UDP
registry: 0x00402b02 (3CTftpSvc 2.0.1 return address)
other: 0x77d4e23b (JMP ESI, user32.dll, Windows XP SP2 ENG)
other: 0x77d8117b (JMP ESI, Windows XP SP1 FR)
other: 0x77d8d9af (JMP ESI, Windows XP SP2 FR)
other: 0x77dc2063 (JMP ESI, user32.dll, Windows XP SP2 ENG alternate)
other: 0x77e5080e (JMP ESI, user32.dll, Windows 2000 SP4 ENG)
version: 3CTftpSvc 2.0.1
bytes: \x00\x02 (TFTP WRQ opcode prefix for exploit packet)
bytes: \x00\x02 + filename + \x00 + NOP*129 + shellcode + ret + \x00 (exploit packet structure)
  • Alert on UDP port 69 packets where the TFTP mode field (after the null-terminated filename) exceeds 460–470 bytes in a RRQ (opcode 0x0001) or WRQ (opcode 0x0002) request.
  • Inspect TFTP WRQ/RRQ packets (opcodes \x00\x01 and \x00\x02) on UDP/69 for NOP sleds (0x90 sequences of 73–129 bytes) immediately following the null-terminated filename, indicating exploit delivery.
  • Detect TFTP packets on UDP/69 containing the known bind-shell shellcode byte sequences from public exploits (e.g., starting with \x31\xc9\x83\xe9\xb0 or \x2b\xc9\x83\xe9\xb0) in the mode field.
  • Monitor for TFTP mode field payloads containing known ROP/return addresses for user32.dll on Windows XP SP2 (\x3b\xe2\xd4\x77 or \x63\x20\xdc\x77) packed as little-endian 4-byte sequences.
  • Flag any TFTP session where the mode field does not match standard TFTP mode strings ('netascii', 'octet', 'mail') and is anomalously long.
  • After exploitation, watch for unexpected inbound TCP connections to port 4444 on Windows hosts running 3CTftpSvc, indicative of the bind-shell payload.
  • The Metasploit module uses EXITFUNC=thread (later version) vs EXITFUNC=seh (earlier version); the return address differs between module versions and targets, so ensure the correct target index is matched to the victim OS/SP.
  • The payload bad character set is \x00 only; null bytes terminate the TFTP mode field and cannot appear in shellcode.
  • Payload space is constrained (344–400 bytes depending on exploit version); staged or small payloads must be used.
  • The vulnerability affects 3CTftpSvc 2.0.1 and possibly earlier versions; the return addresses are OS/SP-specific and will not work across different Windows versions without adjustment.
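A small inspector that applies the first three detection bullets above (mode-field length, non-standard mode string, NOP run) to a single UDP/69 datagram. This is an added example, not code from the original page or from any exploit module; the 460-byte and 73-byte thresholds are assumptions taken from the low end of the ranges quoted above, and the sample datagrams are constructed, not captured traffic.

```python
import struct

# Standard TFTP transfer modes (RFC 1350); the mode string is compared case-insensitively.
STANDARD_MODES = {b"netascii", b"octet", b"mail"}
READ_REQ, WRITE_REQ = 1, 2
MODE_LENGTH_LIMIT = 460   # assumed threshold: low end of the 460-470 byte range above
NOP_RUN_LIMIT = 73        # assumed threshold: low end of the 73-129 byte NOP-sled range above


def parse_request(packet: bytes):
    """Split a TFTP RRQ/WRQ into (opcode, filename, mode); None if not a request."""
    if len(packet) < 4:
        return None
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (READ_REQ, WRITE_REQ):
        return None
    body = packet[2:]
    fname_end = body.find(b"\x00")
    if fname_end < 0:
        return None
    rest = body[fname_end + 1:]
    mode_end = rest.find(b"\x00")
    # A malformed packet may omit the terminating NUL; treat the remainder as the mode field.
    mode = rest if mode_end < 0 else rest[:mode_end]
    return opcode, body[:fname_end], mode


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of 0x90 bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best


def inspect_request(packet: bytes) -> list:
    """Return detection findings for one UDP/69 datagram (empty list if nothing is flagged)."""
    parsed = parse_request(packet)
    if parsed is None:
        return []
    opcode, _filename, mode = parsed
    kind = "RRQ" if opcode == READ_REQ else "WRQ"
    findings = []
    if mode.lower() not in STANDARD_MODES:
        findings.append(f"{kind}: non-standard mode string ({len(mode)} bytes)")
    if len(mode) > MODE_LENGTH_LIMIT:
        findings.append(f"{kind}: mode field exceeds {MODE_LENGTH_LIMIT} bytes")
    if longest_nop_run(mode) >= NOP_RUN_LIMIT:
        findings.append(f"{kind}: NOP sled of {longest_nop_run(mode)} bytes in mode field")
    return findings


# Constructed sample datagrams: a normal WRQ and one with an oversized, NOP-padded mode field.
BENIGN_WRQ = b"\x00\x02" + b"config.bin\x00" + b"octet\x00"
OVERSIZED_WRQ = b"\x00\x02" + b"x\x00" + b"\x90" * 80 + b"A" * 400 + b"\x00"
```

Run it over each datagram arriving on UDP/69 from a capture; data packets, ACKs and errors (other opcodes) are ignored by design.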