CVE-2003-0558
published 2003-08-18

CVE-2003-0558: Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request.

Priority: P3 · 42 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 56.46% (98.9th percentile)

Affected (1 range)

Vendor: leapware
Product: leapftp
Version range / Fixed in: not listed in the source (the description names LeapFTP 2.7.3.600)

Detection & IOCs (extracted from sources)

command: 227 Entering Passive Mode (<1053 bytes of random numeric data><SEH payload>,<n>,<n>,<n>,<n>,<n>)
command: 500 Illegal PORT command.
address: 0x004bdd24 (pop/pop/ret gadget in LeapFTP.exe)
address: 0x75022ac4
address: 0x7660139c
process: LeapFTP.exe
  • The exploit triggers by sending a malformed PASV reply of 1057 bytes or more. Detect anomalously long FTP 227 responses (1057 bytes or more in the address field) sent from an FTP server to a connecting client; a legitimate 227 reply carries six short decimal fields and is a few dozen bytes long.
  • The exploit forces the victim client into PASV mode by answering the client's initial PORT command with "500 Illegal PORT command." Detect FTP servers that reject PORT with a 500 reply and then send an oversized 227 PASV response.
  • The SEH overwrite uses a pop/pop/ret gadget at 0x004bdd24 inside LeapFTP.exe itself (the module's "universal" target). In crash dumps or memory forensics of LeapFTP.exe, an SEH handler pointing at this address after a large PASV reply is a strong indicator.
  • The exploit payload uses EXITFUNC=seh, indicating a Structured Exception Handler chain overwrite. Look for SEH chain corruption in LeapFTP.exe following receipt of a large PASV reply.
  • The original exploit (drG4njubas) downloads and executes a remote trojan via WinInet (InternetOpenA, InternetOpenUrlA, InternetReadFile). Monitor LeapFTP.exe for unexpected outbound HTTP connections or child process creation (WinExec).
  • The Metasploit module's universal target return address (0x004bdd24, pop/pop/ret in LeapFTP.exe) is specific to LeapFTP 2.7.3.600; the two other targets use addresses from ws2help.dll and cscdll.dll tied to specific Windows service-pack levels and may not apply to other environments.
  • The original exploit was tested only against Windows 2000 SP3 Russian edition; the Metasploit port was tested against Windows 2000 SP0 and SP4 and Windows XP SP0 and SP2, English. Behaviour on other OS versions or locales is untested.