Rapid7 Vulnerability & Exploit Database

OpenTFTP SP 1.4 Error Packet Overflow

Back to Search

OpenTFTP SP 1.4 Error Packet Overflow



This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable condition triggers when the TFTP opcode is configured as an error packet, the TFTP service will then format the message using a sprintf() function, which causes an overflow, therefore allowing remote code execution under the context of SYSTEM. The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone', or 'Service'). By default the target is set to 'Service' because that's the default configuration during OpenTFTP Server SP 1.4's installation.


  • tixxDZ
  • steponequit




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/tftp/opentftp_error_code
msf exploit(opentftp_error_code) > show targets
msf exploit(opentftp_error_code) > set TARGET < target-id >
msf exploit(opentftp_error_code) > show options
    ...show and set options...
msf exploit(opentftp_error_code) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security