CVE-2008-1611
published 2008-04-01

Priority: P2 · Severity: critical · CVSS 2.0 score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 67.64% (99.2th percentile)
Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.

Affected (1 range)

Vendor: tftp-server
Product: winagents_tftp_server
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

port: 69/UDP
port: 4444/TCP
port: 9988/TCP
registry: 0x00409605
registry: 0x416801
command: \x2b\x0e\x41
process: TFTPServer.exe
process: tftpserversp.exe
bytes: \x00\x01 + [filename] + \x00 + netascii + \x00
bytes: \x00\x02 + [filename] + \x00 + netascii + \x00
bytes: \x00\x02 + evil + \x00 + netascii + \x00
bytes: \xE9\x2E\xFA\xFF\xFF
bytes: \xEB\xF9\x90\x90
bytes: \xe9\x80\xfd\xff\xff
bytes: \xeb\xf9
  • Detect oversized TFTP RRQ (opcode 0x0001) or WRQ (opcode 0x0002) packets on UDP/69 where the filename field exceeds safe bounds (~860–1507 bytes depending on mode), indicative of CVE-2008-1611 exploitation.
  • Alert on TFTP WRQ/RRQ packets containing NOP sled patterns (0x90 repeated) followed by shellcode in the filename field over UDP/69.
  • Monitor for unexpected outbound TCP connections from the TFTP server process (TFTPServer.exe / tftpserversp.exe) to attacker-controlled ports such as 9988, consistent with a reverse shell payload delivered via RRQ overflow.
  • Monitor for unexpected inbound TCP connections on port 4444 originating from the TFTP server host, consistent with a bind-shell payload delivered via WRQ overflow.
  • The exploit offset is sensitive to service launch mode: 1203/1487 bytes (XP SP2/SP3), 1217/1501 bytes (Win7 x64), 1223/1507 bytes (Win7 x86) for Service vs Standalone respectively. Use these thresholds to tune TFTP filename-length anomaly detection.
  • Bad characters for payload encoding are \x00 and \x2f (null byte and forward slash); payloads in the wild will avoid these bytes in shellcode within the TFTP filename field.
  • Successful exploitation runs under SYSTEM context when TFTP is launched as a service; monitor for cmd.exe or shell processes spawned as children of tftpserversp.exe/TFTPServer.exe.
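A worked detection check for the RRQ/WRQ filename-length and NOP-sled indicators listed above, added here as an example (not code from the source or from any vendor). It parses the RFC 1350 request layout, and the 860-byte threshold, the 8-byte sled run and the sample packets are constructed assumptions for illustration:

```python
import struct

# Smallest documented crash offset on this page is ~860 bytes, so a filename
# longer than that is treated as anomalous (assumption: tune per launch mode/OS).
MAX_SAFE_FILENAME_LEN = 860
NOP_SLED_MIN_RUN = 8  # assumption: 8+ consecutive 0x90 bytes counts as a sled

TFTP_OPCODES = {1: "RRQ", 2: "WRQ"}


def parse_tftp_request(payload: bytes):
    """Return (opcode_name, filename, mode) for an RRQ/WRQ, else None.

    Layout per RFC 1350: 2-byte opcode, filename, NUL, mode, NUL.
    """
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    name = TFTP_OPCODES.get(opcode)
    if name is None:
        return None  # DATA/ACK/ERROR packets are not request packets
    fields = payload[2:].split(b"\x00")
    if len(fields) < 2:
        return None  # malformed: filename or mode not NUL-terminated
    return name, fields[0], fields[1].lower()


def inspect_tftp_request(payload: bytes) -> list:
    """Return detection reasons for one UDP/69 payload (empty when clean)."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    opcode_name, filename, _mode = parsed
    reasons = []
    if len(filename) > MAX_SAFE_FILENAME_LEN:
        reasons.append(f"{opcode_name} filename length {len(filename)} "
                       f"exceeds {MAX_SAFE_FILENAME_LEN}")
    if b"\x90" * NOP_SLED_MIN_RUN in filename:
        reasons.append(f"{opcode_name} filename contains NOP sled")
    return reasons


# Constructed sample traffic, not captured from a real host.
BENIGN_RRQ = b"\x00\x01" + b"boot.cfg" + b"\x00" + b"netascii" + b"\x00"
OVERSIZED_WRQ = b"\x00\x02" + b"A" * 1500 + b"\x00" + b"octet" + b"\x00"
SLED_RRQ = (b"\x00\x01" + b"x" * 20 + b"\x90" * 32 + b"\xcc" * 16
            + b"\x00" + b"netascii" + b"\x00")

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN_RRQ), ("oversized", OVERSIZED_WRQ),
                       ("sled", SLED_RRQ)]:
        print(label, inspect_tftp_request(pkt) or ["ok"])
```

Feed it the UDP payload of each port-69 datagram from a capture or sensor; the per-OS offsets in the bullet above can replace the single threshold where the deployment mode is known.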