CVE-2008-1611
Published 2008-04-01
Priority: P2 · 67 · critical · CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploits available (see the Exploit-DB and Metasploit entries below)
EPSS: 67.64% (99.2th percentile)
Stack-based buffer overflow in TFTP Server SP 1.4 for Windows allows remote attackers to cause a denial of service or execute arbitrary code via a long filename in a read or write request.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tftp-server | winagents_tftp_server | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\x00\x01 + [filename] + \x00 + netascii + \x00` (RRQ layout)
- `\x00\x02 + [filename] + \x00 + netascii + \x00` (WRQ layout)
- `\x00\x02 + evil + \x00 + netascii + \x00`
- `\xE9\x2E\xFA\xFF\xFF`
- `\xEB\xF9\x90\x90`
- `\xe9\x80\xfd\xff\xff`
- `\xeb\xf9`
Detection guidance:
- Detect oversized TFTP RRQ (opcode 0x0001) or WRQ (opcode 0x0002) packets on UDP/69 where the filename field exceeds safe bounds (~860–1507 bytes depending on mode), indicative of CVE-2008-1611 exploitation.
- Alert on TFTP WRQ/RRQ packets containing NOP sled patterns (0x90 repeated) followed by shellcode in the filename field over UDP/69.
- Monitor for unexpected outbound TCP connections from the TFTP server process (TFTPServer.exe / tftpserversp.exe) to attacker-controlled ports such as 9988, consistent with a reverse shell payload delivered via RRQ overflow.
- Monitor for unexpected inbound TCP connections on port 4444 originating from the TFTP server host, consistent with a bind-shell payload delivered via WRQ overflow.
- The exploit offset is sensitive to service launch mode: 1203/1487 bytes (XP SP2/SP3), 1217/1501 bytes (Win7 x64), 1223/1507 bytes (Win7 x86) for Service vs Standalone respectively. Use these thresholds to tune TFTP filename-length anomaly detection.
- Bad characters for payload encoding are \x00 and \x2f (null byte and forward slash); payloads in the wild will avoid these bytes in shellcode within the TFTP filename field.
- Successful exploitation runs under SYSTEM context when TFTP is launched as a service; monitor for cmd.exe or shell processes spawned as children of tftpserversp.exe/TFTPServer.exe.
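The filename-length and NOP-sled checks above, as an added detection example (not code from the page or from the exploit authors): it parses a UDP/69 datagram as a TFTP RRQ/WRQ, flags filenames at or beyond the lowest crash offset quoted for this CVE, and flags 0x90 runs. The sample packets are constructed, and the eight-byte sled threshold is an assumption.

```python
import struct

# Crash offsets quoted for CVE-2008-1611 (Service / Standalone launch mode).
# No legitimate TFTP path comes anywhere near the smallest of them.
CRASH_OFFSETS = {
    "xp_sp2_sp3": (1203, 1487),
    "win7_x64": (1217, 1501),
    "win7_x86": (1223, 1507),
}
MIN_SUSPICIOUS_LEN = min(min(v) for v in CRASH_OFFSETS.values())  # 1203
NOP_SLED = b"\x90" * 8  # assumption: eight consecutive NOPs counts as a sled


def parse_tftp_request(payload: bytes):
    """Parse a TFTP RRQ (0x0001) or WRQ (0x0002): returns (opcode, filename, mode),
    or None for anything that is not a well-formed read/write request."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (1, 2):
        return None
    # Layout after the opcode: filename \x00 mode \x00  (both NUL-terminated)
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode and the trailing terminator required
        return None
    return opcode, fields[0], fields[1]


def inspect_tftp_request(payload: bytes):
    """Return alert strings for one UDP/69 datagram (empty list if it looks benign)."""
    parsed = parse_tftp_request(payload)
    if parsed is None:
        return []
    opcode, filename, mode = parsed
    kind = "RRQ" if opcode == 1 else "WRQ"
    alerts = []
    if len(filename) >= MIN_SUSPICIOUS_LEN:
        alerts.append(f"{kind}: filename length {len(filename)} >= "
                      f"{MIN_SUSPICIOUS_LEN} (CVE-2008-1611 overflow range)")
    if NOP_SLED in filename:
        alerts.append(f"{kind}: NOP sled in filename field")
    return alerts


# Constructed samples (not real captures): a normal read, an oversized write,
# and a short read whose filename carries a NOP run.
BENIGN = b"\x00\x01" + b"boot.cfg" + b"\x00" + b"netascii" + b"\x00"
OVERSIZED = b"\x00\x02" + b"A" * 1487 + b"\x00" + b"netascii" + b"\x00"
NOP_SAMPLE = b"\x00\x01" + b"x" * 10 + b"\x90" * 16 + b"\x00" + b"netascii" + b"\x00"
```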
No detection rules found.
Exploit-DB · 2012-04-20 · TFTP Server 1.4 - ST WRQ Buffer Overflow (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  ...
      'Name'        => 'TFTP Server for Windows 1.4 ST WRQ Buffer Overflow',
      'Description' => %q{
          This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw
        is due to the way TFTP handles the filename parameter extracted from a WRQ request.
        The server will append the user-supplied filename to TFTP server binary's path
        without any bounds checking, and then attempt to open this with a fopen(). Since
        this isn't a valid file path, fopen() returns null,
```
Exploit-DB · 2012-01-10 · TFTP Server 1.4 - ST 'RRQ' Remote Buffer Overflow
---
```python
#!/usr/bin/python
#---------------------------------------------------------------------------#
# Exploit: TFTP SERVER V1.4 ST (RRQ Overflow)                               #
# OS: Windows XP PRO SP3                                                    #
# Author: b33f                                                              #
#---------------------------------------------------------------------------#
# Smashing the stack for fun and practise...                                #
#                                                                           #
# This tftp service has been pwned extensively:                             #
# (1) Muts ==> WRQ Overflow                                                 #
#     http://www.exploit-db.com/exploits/5314/                              #
# (2) Molotov ==> WRQ Overflow                                              #
#     http://www.exploit-db.com/exploits/10542/                             #
# (3) tixxDZ ==> ERROR Overflow                                             #
#     http://www.exploit-db.com/exploits/5563/                              #
#                                                                           #
#---------------------------------------------------------------------------#
# After some simple fuzzing with spike I discovered that sen
```
Exploit-DB · 2008-03-26 · TFTP Server 1.4 - ST Buffer Overflow
---
```python
#!/usr/bin/python
# TFTP Server for Windows V1.4 ST (0day)
# http://sourceforge.net/projects/tftp-server/
# Tested on Windows Vista SP0.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
##################################################################
# bt ~ # sourceforge-tftpd.py
# [*] TFTP Server for Windows V1.4 ST (0day)
# [*] http://www.offensive-security.com
# [*] Sending evil packet, ph33r
# [*] Check port 4444 for bindshell
# bt ~ # nc -v 172.16.167.134 4444
# (UNKNOWN) [172.16.167.134] 4444 (krb524) open
# Microsoft Windows [Version 6.0.6000]
# Copyright (c) 2006 Microsoft Corporation. All
# rights reserved.
#
# C:\Windows\system32>
##############################
```
Metasploit · TFTP Server for Windows 1.4 ST WRQ Buffer Overflow
This module exploits a vulnerability found in TFTP Server 1.4 ST. The flaw is due to the way TFTP handles the filename parameter extracted from a WRQ request. The server will append the user-supplied filename to TFTP server binary's path without any bounds checking, and then attempt to check this path with a fopen(). Since this isn't a valid file path, fopen() returns null, which allows the corrupted data to be used in a strcmp() function, causing an access violation. Since the offset is sensitive to how the TFTP server is launched, you must know in advance if your victim machine launched the TFTP as a 'Service' or 'Standalone', and then manually select your target accordingly. A successful attempt will lead to remote code execution unde
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/29508
- http://www.offensive-security.com/0day/sourceforge-tftpd.py.txt
- http://www.securityfocus.com/bid/28462
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41496
- https://www.exploit-db.com/exploits/5314