Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits : Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200
Due to incorrect use of format strings there is a possibility of remote code execution. You can trigger this vulnerability
by sending SEND or GET request with a specially formated string. Vulnerable code:
LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX ; /Arglist
PUSH EDX ; |Format
PUSH EAX ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; wvsprintfA
Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt