Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11139
HistoryJan 20, 2006 - 12:00 a.m.

tftpd32 format string

2006-01-2000:00:00
vulners.com
8
JSON

Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC
Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits : Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200
Due to incorrect use of format strings there is a possibility of remote
code execution. You can trigger this vulnerability
by sending SEND or GET request with a specially formated string.
Vulnerable code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX ; /Arglist
PUSH EDX ; |Format
PUSH EAX ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>] ; \wvsprintfA

Proof of concept exploit:
http://www.critical.lt/research/tftpd32_281_dos.txt

JSON