CVE-2006-6183

3Com 3CTftpSvc < 2.0.1 - Stack-Based Buffer Overflow via Long Mode Field in GET or PUT Command

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 6 public exploits for CVE-2006-6183. PoCs published by Metasploit, Umesh Wanve, Enseirb, including Metasploit module exploits/windows/tftp/threectftpsvc_long_mode.

AI-analyzed exploit summary This Metasploit module exploits a stack buffer overflow in 3CTftpSvc 2.0.1 via a UDP packet with an overly long mode field, allowing arbitrary code execution. The exploit uses a known return address (0x00402b02) and includes NOP sleds and payload encoding.

Description

Multiple stack-based buffer overflows in 3Com 3CTftpSvc 2.0.1, and possibly earlier, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a long mode field (aka transporting mode) in a (1) GET or (2) PUT command.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotewindows
https://www.exploit-db.com/exploits/16347

This Metasploit module exploits a stack buffer overflow in 3CTftpSvc 2.0.1 via a UDP packet with an overly long mode field, allowing arbitrary code execution. The exploit uses a known return address (0x00402b02) and includes NOP sleds and payload encoding.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3CTftpSvc 2.0.1
No auth needed
Prerequisites: Network access to UDP port 69 · Target running vulnerable 3CTftpSvc version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Umesh Wanve · perlremotewindows
https://www.exploit-db.com/exploits/3388

This exploit targets a buffer overflow vulnerability in 3Com TFTP Service <= 2.0.1 by sending a maliciously crafted UDP packet with an overly long transporting mode name. The payload includes a NOP sled and shellcode to achieve remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3Com TFTP Service <= 2.0.1
No auth needed
Prerequisites: Network access to the TFTP service · Target running vulnerable 3Com TFTP Service
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Enseirb · remotewindows
https://www.exploit-db.com/exploits/3170

This exploit targets a stack-based buffer overflow in 3Com TFTP Server (3CTftpSvc) via a malformed TFTP Write Request (WRQ) packet with an overly long mode field. It leverages SEH overwrites for reliable code execution on Windows XP systems.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3Com TFTP Server (3CTftpSvc)
No auth needed
Prerequisites: Network access to UDP port 69 (TFTP) · Target system running vulnerable 3Com TFTP Server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by cthulhu · rubyremotewindows
https://www.exploit-db.com/exploits/2865

This exploit targets a buffer overflow in 3Com TFTP Service version 2.0.1 on Windows XP SP2 English. It sends a maliciously crafted TFTP packet with shellcode to achieve remote code execution via a bind shell on port 4444.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3Com TFTP Service 2.0.1
No auth needed
Prerequisites: Network access to the target's TFTP service (UDP port 69) · Target running Windows XP SP2 English with 3Com TFTP Service 2.0.1
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by Liu Qixu · pythondoswindows
https://www.exploit-db.com/exploits/2855

This exploit triggers a buffer overflow in 3CTftpSvc TFTP Server by sending a malformed TFTP request with an overly long mode field (469+ bytes). It is designed as a DoS but could potentially lead to arbitrary code execution under specific conditions.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: 3CTftpSvc TFTP Server (version not specified)
No auth needed
Prerequisites: Network access to the TFTP server (UDP port 69) · Python with socket library
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC GREAT
rubypocwin
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb

This Metasploit module exploits a stack buffer overflow in 3CTftpSvc 2.0.1 by sending a crafted UDP packet with an overly long mode field, leading to arbitrary code execution. The exploit uses a known return address (0x00402b02) and includes NOP sleds and payload encoding.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: 3CTftpSvc 2.0.1
No auth needed
Prerequisites: Network access to UDP port 69 · Target running vulnerable 3CTftpSvc version
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (7)

Core 7
Core References
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/4738
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21301
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/30545
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/21322
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1930
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/23113
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/452754/100/0/threaded

Scores

EPSS 0.6936
EPSS Percentile 99.3%

Details

CWE
CWE-119
Status published
Products (1)
3com/3ctftpsvc < 2.0.1
Published Dec 01, 2006
Tracked Since Feb 18, 2026