CVE-2006-6184
published 2006-12-01

CVE-2006-6184: Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service…

Priority: P2 (63)
CVSS 2.0: 10 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 65.65% (99.2nd percentile)
Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command.

Affected (1 range)

Vendor: alliedtelesyn
Product: at-tftp
Version range: <= 1.9
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

  • port: 69/UDP
  • filename: at-tftpd.exe
  • bytes: \x00\x02 followed by 300 bytes of \x41 + \x00 + netascii + \x00 (DoS payload)
  • bytes: \x00\x02 + 25-byte NOP sled + payload + ret + \x83\xc4\x28\xc3 + \x00 + netascii + \x00 (Metasploit WRQ overflow)
  • bytes: \x00\x02 + 63-byte NOP sled + shellcode + \xf4\xf5\xe3\x75 + \x00 + netascii + \x00 (Perl exploit WRQ payload)
  • bytes: Return address 0x702ea6f7 (Windows NT SP4 English)
  • bytes: Return address 0x750362c3 (Windows 2000 SP0 English)
  • bytes: Return address 0x75031d85 (Windows 2000 SP1 English)
  • bytes: Return address 0x7503431b (Windows 2000 SP2 English)
  • bytes: Return address 0x74fe1c5a (Windows 2000 SP3 English)
  • bytes: Return address 0x75031dce (Windows 2000 SP4 English)
  • bytes: Return address 0x71ab7bfb (Windows XP SP0/1 English)
  • bytes: Return address 0x71ab9372 (Windows XP SP2 English)
  • bytes: Return address 0x7c86fed3 (Windows Server 2003)
  • bytes: Return address \xf4\xf5\xe3\x75, call [ESP+28] in IMM32.dll on win2k Server SP4 Italian
  • Trigger: TFTP WRQ (opcode \x00\x02) or RRQ (opcode \x00\x01) packet with a filename field exceeding ~210–300 bytes sent to UDP/69; the overflow occurs in the filename parsing before the mode string (e.g., 'netascii').
  • The Metasploit module uses EXITFUNC=process and a StackAdjustment of -3500; payload space is 210 bytes with null byte as the only bad character — useful for tuning payload-based signatures.
  • The stack-smashing gadget \x83\xc4\x28\xc3 (add esp, 0x28 / retn) appears immediately after the return address in the Metasploit exploit and can serve as a byte-level signature in UDP payload inspection.
  • AT-TFTP v2.0 is also vulnerable to a similar stack-based buffer overflow via a long filename in a RRQ (\x00\x01) packet; SEH overwrite occurs at 261 bytes of filename data.
  • The Metasploit module requires LHOST to be set because the NOP sled length is calculated as (25 - len(LHOST)); an incorrect LHOST shifts the payload and may cause exploitation failure.
  • Return addresses are OS/SP-specific; the module provides targets for Windows NT SP4 through Windows Server 2003 (English). Non-English or unlisted SP versions are not covered and exploitation will fail.
  • The AT-TFTP v2.0 variant (exploit-db 24952) triggers an SEH overwrite at 261 bytes but no exception is raised (possibly due to a stack cookie), making it a crash/DoS only, not reliably exploitable for code execution.
  • The null byte (\x00) is the only bad character for the payload; any shellcode or ROP chain used must be null-free.
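The trigger notes above describe what a detector on UDP/69 has to look for: an RRQ/WRQ whose filename field runs far past any real filename, or that carries the add esp,0x28/retn gadget bytes. The following inspector is an added example written for this page, not code from the CVE's sources or from any IDS; the 200-byte threshold, the alert wording and the two sample datagrams (a normal RRQ and the 300-byte DoS-shaped WRQ) are constructed assumptions.

```python
import struct

RRQ, WRQ = 1, 2
# Assumption: 200 bytes sits below the ~210-byte trigger yet far above real filenames.
FILENAME_THRESHOLD = 200
# add esp, 0x28 / retn, listed on the page as a byte-level signature of the Metasploit payload.
GADGET = b"\x83\xc4\x28\xc3"
STANDARD_MODES = (b"netascii", b"octet", b"mail")


def parse_tftp_request(payload: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ datagram, else None."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    rest = payload[2:]
    # RFC 1350: filename and mode are NUL-terminated; a missing NUL is itself suspicious,
    # so an unterminated filename is returned whole with an empty mode.
    fn_end = rest.find(b"\x00")
    if fn_end == -1:
        return opcode, rest, b""
    filename = rest[:fn_end]
    mode_part = rest[fn_end + 1:]
    mode_end = mode_part.find(b"\x00")
    mode = mode_part if mode_end == -1 else mode_part[:mode_end]
    return opcode, filename, mode


def inspect_tftp_request(payload: bytes, threshold: int = FILENAME_THRESHOLD):
    """Return alert strings for one UDP/69 datagram payload (empty list if benign)."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    opcode, filename, mode = parsed
    kind = "RRQ" if opcode == RRQ else "WRQ"
    alerts = []
    if len(filename) > threshold:
        alerts.append(f"{kind} filename length {len(filename)} exceeds {threshold}")
    if GADGET in payload:
        alerts.append(f"{kind} carries add esp,0x28/retn gadget bytes")
    if mode.lower() not in STANDARD_MODES:
        alerts.append(f"{kind} has non-standard mode {mode[:16]!r}")
    return alerts


# Constructed samples: an ordinary RRQ and the DoS-shaped WRQ described on the page.
BENIGN_RRQ = b"\x00\x01" + b"boot.bin\x00" + b"octet\x00"
DOS_WRQ = b"\x00\x02" + b"\x41" * 300 + b"\x00" + b"netascii\x00"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RRQ), ("dos", DOS_WRQ)):
        print(name, inspect_tftp_request(pkt) or "ok")
```

Feed it the UDP payload of each datagram to port 69 (for instance from a pcap); the length check catches both the DoS and the code-execution variants, while the gadget match is the narrower, payload-specific signature.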