CVE-2008-1610
Published: 2008-04-01


Priority: P2 63 · high
CVSS 2.0: 7.5 · Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 53.91% (98.9th percentile)
Stack-based buffer overflow in TallSoft Quick TFTP Server Pro 2.1 allows remote attackers to cause a denial of service or execute arbitrary code via a long mode field in a read or write request.

Affected (1 range)

Vendor / Product                 Version range   Fixed in
tallsoft_quicktftp_server_pro

Detection & IOCs (extracted from sources)

port:  69/UDP
port:  4444/TCP
other: SEH overwrite return address 0x74D31458 (oledlg.dll, Windows XP SP2)
other: SEH overwrite return address 0x75022AC4 (ws2help.dll, Windows Server 2000)
bytes: \x00\x02 + filename + \x00 + 'A'*1019 + \xeb\x08\x90\x90 + \x58\x14\xd3\x74 + \x90*16 + shellcode + \x00
bytes: \x00\x02 + 4-byte-random + \x00 + 'A'*1019 + SEH_payload + \x00
bytes: \x00\x02 + \x66\x69\x6c\x65\x2e\x74\x78\x74\x00 + 'A'*1200 + \x00
  • Detect oversized TFTP WRQ/RRQ mode field: a UDP packet to port 69 with opcode \x00\x01 or \x00\x02 followed by a filename, a null byte, and then a mode field exceeding ~1019 bytes is the attack pattern.
  • The exploit payload begins with the TFTP write-request opcode \x00\x02, making WRQ packets with abnormally long mode fields (>1000 bytes) a reliable detection trigger on UDP/69.
  • The SEH overwrite uses the short JMP \xeb\x08\x90\x90 followed by the return address \x58\x14\xd3\x74 (oledlg.dll on XP SP2); the presence of this byte sequence in a TFTP mode field is a strong indicator of exploitation.
  • Successful exploitation opens a bind shell on TCP port 4444; monitor for unexpected listening services on port 4444 on TFTP server hosts post-exploitation.
  • Bad characters for payload construction are \x00\x20\x0a\x0d; shellcode in network traffic to UDP/69 that avoids these bytes in the mode field is characteristic of this exploit.
  • MS update KB926436 corrupts the oledlg.dll opcode address used by the exploit, causing a DoS instead of code execution; patched systems may still crash, so monitor for TFTP server process crashes.
  • The Metasploit module targets two specific return addresses depending on OS; the oledlg.dll address (0x74D31458) is broken by MS KB926436 on patched XP SP2 systems, resulting in DoS only rather than code execution.
  • Payload space is limited to 460 bytes with a stack adjustment of -3500; payloads larger than this will not function correctly with the Metasploit module.