CVE-2003-0558
Published: 2003-08-18
CVE-2003-0558: Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request.
Priority: P3 · 42 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P (network access, low complexity, no authentication; partial confidentiality, integrity and availability impact)
Exploit: public exploit available
EPSS: 56.46% (98.9th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| leapware | leapftp | — | — |
Detection & IOCs (extracted from sources)
- Server reply that triggers the bug: `227 Entering Passive Mode (<1053 bytes of random numeric data><SEH payload>,<n>,<n>,<n>,<n>,<n>)`
- The exploit triggers by sending a malformed PASV reply of 1057+ bytes. Detect anomalously long FTP 227 responses (more than 1057 bytes inside the parentheses of the address field) sent by an FTP server to a connecting client; a legitimate field is `h1,h2,h3,h4,p1,p2`, at most 23 characters.
- The exploit forces the victim client into PASV mode by answering its initial PORT command with `500 Illegal PORT command.`; detect FTP servers that reject PORT with a 500 reply and then send an oversized 227 PASV response in the same session.
- The SEH overwrite uses a pop/pop/ret gadget at 0x004bdd24 in LeapFTP.exe itself (the module's "universal" target, usable because the executable's load address does not change between Windows versions). Monitor for execution redirected to this address inside the LeapFTP.exe process.
- The exploit payload uses EXITFUNC=seh, i.e. a Structured Exception Handler chain overwrite. Look for SEH chain corruption in LeapFTP.exe immediately after receipt of a large PASV reply.
- The original exploit (drG4njubas) downloads and executes a remote trojan via WinInet (InternetOpenA, InternetOpenUrlA, InternetReadFile). Monitor LeapFTP.exe for unexpected outbound HTTP connections or child process creation (WinExec).
- Caveat: the Metasploit module's universal target RET address (0x004bdd24, pop/pop/ret in LeapFTP.exe) is specific to LeapFTP 2.7.3.600; the two other targets use addresses from ws2help.dll and cscdll.dll tied to specific Windows service pack levels and may not apply to other environments.
- Caveat: the original exploit was tested only against Windows 2000 SP3 Russian edition; the Metasploit port was tested against Windows 2000 SP0 and SP4 and Windows XP SP0 and SP2 (English). Behavior on other OS versions and locales is untested.
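The indicators above describe both the shape of the malicious reply (1053 bytes of numeric filler, then the SEH record at offset 1057) and the session pattern a sensor should key on (PORT refused with 500, then an oversized 227). The following is an added example, not code from either Exploit-DB entry or from the Metasploit module: it builds a reply with that layout using a placeholder handler address (0x41414141, not the page's pop/pop/ret gadget) and an int3 sled instead of shellcode, and runs a small detector over a constructed FTP control-channel transcript. The 64-byte slack allowed for the address field is an assumption to tolerate servers that pad the parentheses; the 1053/1057 offsets are taken from the page.

```python
"""Added example for the LeapFTP PASV-reply overflow (CVE-2003-0558).

Not code from the indexed exploit or the Metasploit module: it reproduces the
reply layout those sources describe (1053 bytes of numeric filler, SEH record
at offset 1057) with a dummy handler address, and runs a small detector over a
constructed FTP control-channel transcript.
"""
import re
import struct

FILLER_LEN = 1053      # numeric filler before the SEH record (from the IOC section)
SEH_OFFSET = 1057      # offset of the overwritten handler address in the field
# A legitimate "h1,h2,h3,h4,p1,p2" field is at most 23 characters; 64 is an
# assumed slack for servers that pad the parentheses with text or whitespace.
MAX_SANE_FIELD_LEN = 64

VALID_227_FIELD = re.compile(
    rb"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$"
)


def build_malicious_pasv_reply(handler=0x41414141, payload=b"\xcc" * 16):
    """Shape of the attacking server's 227 reply. handler is a placeholder,
    not the page's pop/pop/ret gadget; payload is an int3 sled, not shellcode."""
    filler = (b"0123456789" * (FILLER_LEN // 10 + 1))[:FILLER_LEN]
    nseh = b"\xeb\x06\x90\x90"          # short jmp over the handler slot
    field = filler + nseh + struct.pack("<I", handler) + payload
    return b"227 Entering Passive Mode (" + field + b",1,1,1,1,1)\r\n"


def build_benign_pasv_reply(ip="10.0.0.5", port=50123):
    """A normal 227 reply as a real server would send it."""
    h1, h2, h3, h4 = ip.split(".")
    return ("227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)\r\n"
            % (h1, h2, h3, h4, port >> 8, port & 0xFF)).encode()


def pasv_field(reply):
    """Bytes between the first '(' and the last ')' of a 227 reply, or None.
    rfind is used because an attack field can itself contain ')' bytes."""
    start = reply.find(b"(")
    end = reply.rfind(b")")
    if start < 0 or end < start:
        return None
    return reply[start + 1:end]


def parse_pasv(reply):
    """(ip, port) for a well-formed 227 reply, None for anything else."""
    field = pasv_field(reply)
    if field is None:
        return None
    m = VALID_227_FIELD.match(field)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2


def analyze_session(transcript):
    """transcript: list of (direction, line) with 'C' = client->server and
    'S' = server->client. Returns the alerts a network sensor would raise."""
    alerts = []
    last_cmd = None
    port_rejected = False
    for direction, line in transcript:
        if direction == "C":
            last_cmd = line.split(b" ", 1)[0].rstrip(b"\r\n").upper()
            continue
        code = line[:3]
        if code == b"500" and last_cmd == b"PORT":
            port_rejected = True       # server refusing active mode, steering to PASV
        elif code == b"227":
            field = pasv_field(line)
            flen = len(field) if field is not None else 0
            if field is None or flen > MAX_SANE_FIELD_LEN or parse_pasv(line) is None:
                alerts.append("anomalous 227 reply: %d-byte address field is not h1,h2,h3,h4,p1,p2" % flen)
                if flen >= SEH_OFFSET + 4:
                    alerts.append("227 field reaches offset %d: SEH handler overwrite possible" % SEH_OFFSET)
                if port_rejected:
                    alerts.append("PORT rejected with 500 then oversized 227: LeapFTP PASV-reply exploit pattern")
    return alerts


# Constructed transcripts (not captures): one attack, one normal session.
ATTACK_SESSION = [
    ("S", b"220 FTP Server Ready\r\n"),
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS guest@\r\n"),
    ("S", b"230 Logged in\r\n"),
    ("C", b"PORT 192,168,1,10,4,1\r\n"),
    ("S", b"500 Illegal PORT command.\r\n"),
    ("C", b"PASV\r\n"),
    ("S", build_malicious_pasv_reply()),
]
BENIGN_SESSION = ATTACK_SESSION[:5] + [
    ("C", b"PASV\r\n"),
    ("S", build_benign_pasv_reply()),
]

if __name__ == "__main__":
    for name, sess in (("attack", ATTACK_SESSION), ("benign", BENIGN_SESSION)):
        print(name, analyze_session(sess) or ["no alerts"])
```

The parser deliberately rejects anything that is not exactly six decimal octets, so a server that pads the reply with extra text inside the parentheses will also be flagged; tune MAX_SANE_FIELD_LEN and the regex to the servers in your environment before deploying this as a rule, and remember that the attack session here is server-to-client, so the sensor must inspect reply traffic on port 21, not just client commands.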
No detection rules found.
Exploit-DB: LeapWare LeapFTP 2.7.3.600 - PASV Reply Client Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2003-0558
---
```ruby
##
# $Id: leapftp_pasv_reply.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote
  # (the mixin includes are not present in the indexed excerpt)

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow',
      'Description' => %q{
          This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600
        client that is triggered through an excessively long PASV reply command. This
        module was ported from the original exploit by drG4njubas with minor improvements.
      },
      'Author'      => [ 'Patrick Webster' ],
      'License'     => MSF_LICENSE,
      # (excerpt truncated in the indexed source)
```
Exploit-DB: LeapWare LeapFTP 2.7.x - Remote Buffer Overflow
exploitdb · 2003-07-12 · CVE-2003-0558
---
```c
/*
,----------------------------------------------------
; LeapFTP remote buffer overflow exploit
; by drG4njubas \\ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on Windows 2000 SP3 Russian edition.
;Technical details: When LeapFTP requests IP
;and port by using PASV command if pasv mode
;is enabled, it causes the buffer overflow on
;the stack area if server's reply for this
;PASV request has a long IP address:
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;And this buffer overflow can overwrite a
;Structured Exception Handler on the stack
;area with an arbitrary value by specifying
;the address data over 1057
```
Metasploit: LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow
This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600 client that is triggered through an excessively long PASV reply command. This module was ported from the original exploit by drG4njubas with minor improvements.
No writeups or analysis indexed.