CVE-1999-1510
published 1999-05-17

Priority P342, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 67.09% (99.2th percentile)

Buffer overflows in Bisonware FTP server prior to 4.1 allow remote attackers to cause a denial of service, and possibly execute arbitrary commands, via long (1) USER, (2) LIST, or (3) CWD commands.

Affected (1 range)

Vendor | Product | Version range | Fixed in
bisonware | bisonware_ftp_server | <= 4.1 | -

Detection & IOCs (extracted from sources)

other: 0x0040333f
other: 0x7e3c5c9a
port: 4444
filename: Bisonftp.exe
  • Detect buffer overflow attempts against BisonFTP via oversized USER or PASS commands: strings exceeding 550 characters in USER/PASS FTP commands indicate an exploitation attempt.
  • Detect buffer overflow attempts via oversized LIST or CWD FTP commands: strings longer than 1500 characters in LIST or CWD arguments indicate an exploitation attempt.
  • Metasploit module exploit buffer structure: 1028 random alpha bytes + 16 NOP bytes + encoded payload + NOP padding + return address 0x0040333f + 39 random alpha bytes, sent to BisonFTP on default FTP port.
  • Detect PORT command followed by large amounts of carriage returns and newlines as a DoS vector against BisonFTP.
  • Bad characters for payload encoding are null byte, line feed, and carriage return; their absence in a large FTP command argument may indicate a crafted exploit buffer.
  • The return address 0x0040333f (call edx in Bisonftp.exe) is specific to the Windows XP SP3 English target; the alternate return address 0x7e3c5c9a (jmp edx in shell32.dll) targets Windows XP SP3 Spanish. Exploits will fail against other OS versions/languages.
  • Payload space is constrained to 388 bytes with bad characters \x00, \x0a, \x0d excluded; shellcodes containing these bytes will not function.
  • The overflow offset for the Metasploit module is 1432 bytes for Windows XP SP3 EN; the standalone Python PoC uses a 1092-byte NOP sled, suggesting a different effective offset calculation.
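
The length and CR/LF heuristics listed above, applied to a captured client-to-server FTP control stream. This is an added example, not code from the original page or from any vendor; the sample bytes are constructed, and the function name and `PORT_BLANK_LINE_LIMIT` value are assumptions, since the page gives no number for the PORT rule.

```python
# Added example. Argument limits come from the detection notes above; the
# blank-line limit for the PORT rule is an assumed value, not from the page.
ARG_LIMITS = {"USER": 550, "PASS": 550, "LIST": 1500, "CWD": 1500}
PORT_BLANK_LINE_LIMIT = 64  # assumption: tune to your environment


def inspect_control_stream(data: bytes):
    """Return (line_number, verb, reason) findings for one client-to-server
    FTP control-channel byte stream."""
    findings = []
    last_verb = None
    port_line = 0
    blank_run = 0
    for number, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line.strip():
            # Empty lines only matter when they directly follow a PORT command.
            if last_verb == "PORT":
                blank_run += 1
                if blank_run == PORT_BLANK_LINE_LIMIT:
                    findings.append((port_line, "PORT", "followed by CR/LF flood"))
            continue
        verb, _, arg = line.partition(b" ")
        last_verb = verb.decode("ascii", "replace").upper()
        blank_run = 0
        if last_verb == "PORT":
            port_line = number
        limit = ARG_LIMITS.get(last_verb)
        if limit is not None and len(arg) > limit:
            reason = f"argument of {len(arg)} bytes exceeds {limit}"
            findings.append((number, last_verb, reason))
    return findings


# Constructed sample stream (not a real capture).
SAMPLE = b"".join([
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"CWD " + b"A" * 1600 + b"\r\n",
    b"USER " + b"B" * 600 + b"\r\n",
    b"PORT 192,0,2,10,4,1" + b"\r\n" * 200,
    b"LIST\r\n",
])

if __name__ == "__main__":
    for finding in inspect_control_stream(SAMPLE):
        print(finding)
```

Findings are reported against the line of the offending command, so the PORT finding points at the PORT line rather than at the blank lines after it.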