CVE-2003-0831
published 2003-11-17

Priority: P3 (54)
Severity: critical, CVSS 2.0 base score 9.0
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:C/I:C/A:C (network-reachable, low complexity, one authentication step, complete confidentiality/integrity/availability impact)
Exploit: public exploit available
EPSS: 55.12% (98.9th percentile)
ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows remote attackers to execute arbitrary code via a buffer overflow using certain files.
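An added illustration of the bug class (example code written for this page, not ProFTPD's own _xlate_ascii_write()): in FTP ASCII mode every bare LF must be sent as CRLF, so the translated output can be up to twice the input, and a writer that sizes or bounds its output buffer by the input length overflows on a file made of nothing but 0x0a bytes. The hardened writer below bounds its output and refuses rather than overruns; newline_file_overrun() models the vulnerable sizing. All function names and the sample input are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the bug class, not ProFTPD's code. In FTP ASCII
 * mode (TYPE A) the server must send "\r\n" for every bare "\n", so the
 * translated output can be up to twice the input. A writer that sizes
 * or bounds its output buffer by the *input* length overflows on a file
 * made of 0x0a bytes, which is what the public exploit uploads. */

/* Number of output bytes the ASCII translation of in[0..len) needs. */
size_t xlate_ascii_len(const char *in, size_t len) {
    size_t out = len;
    for (size_t i = 0; i < len; i++) {
        /* a '\n' not already preceded by '\r' grows by one byte */
        if (in[i] == '\n' && (i == 0 || in[i - 1] != '\r'))
            out++;
    }
    return out;
}

/* Hardened translator: never writes past out[outsize). Returns the
 * number of bytes written, or (size_t)-1 if the translation does not
 * fit, so the caller can grow the buffer (or flush and continue)
 * instead of silently overrunning it. */
size_t xlate_ascii_write(const char *in, size_t len, char *out, size_t outsize) {
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        int bare_nl = (in[i] == '\n' && (i == 0 || in[i - 1] != '\r'));
        size_t need = bare_nl ? 2 : 1;
        if (outsize - o < need)
            return (size_t)-1;        /* would overflow: refuse */
        if (bare_nl)
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return o;
}

/* Models the vulnerable sizing: an output buffer exactly as large as the
 * input chunk. Returns how many bytes the translation of nlcount newline
 * bytes would write past such a buffer (0 means it fits). */
size_t newline_file_overrun(size_t nlcount) {
    char *buf = malloc(nlcount ? nlcount : 1);
    if (!buf)
        return 0;
    memset(buf, '\n', nlcount);                 /* constructed exploit-like input */
    size_t needed = xlate_ascii_len(buf, nlcount);
    free(buf);
    return needed > nlcount ? needed - nlcount : 0;
}

/* Translates a constructed sample into a correctly sized buffer and
 * verifies the CRLF result; returns 1 on success. */
int xlate_sample_roundtrip(void) {
    const char in[] = "line1\nline2\r\nline3\n";   /* constructed input */
    size_t len = sizeof in - 1;
    size_t need = xlate_ascii_len(in, len);
    char *out = malloc(need);
    if (!out)
        return 0;
    size_t n = xlate_ascii_write(in, len, out, need);
    int ok = n == need && memcmp(out, "line1\r\nline2\r\nline3\r\n", need) == 0;
    free(out);
    return ok;
}

int main(void) {
    /* 65558 is the newline count the public exploit uploads (see the IOC notes) */
    printf("65558 x 0x0a: %zu bytes past an input-sized buffer\n",
           newline_file_overrun(65558));
    printf("sample roundtrip ok: %d\n", xlate_sample_roundtrip());
    return 0;
}
```

The check that matters is the one in xlate_ascii_write(): the room test is made per character before anything is written, so a pathological file doubles in size but never escapes the buffer.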

Affected

9 ranges

Vendor: proftpd_project · Product: proftpd (all nine rows). The version-range and "fixed in" columns were not captured for any row; the only version information on this page is the description's "1.2.7 through 1.2.9rc2".

Detection & IOCs (extracted from sources)

port: 4660
command: TYPE A
command: STOR kf
command: RETR kf
bytes: \x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80
  (i386 Linux: setuid(0), then socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) via socketcall; the opening of the bind/connect-back payload)
bytes: \x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xc0\xb0\x02\xcd\x80\x89\xc3\x85\xdb\x74\x08\x31\xdb\x31\xc0\xb0\x01\xcd\x80
  (i386 Linux: setuid(0), setgid(0), fork(); the parent calls exit(0) and the child carries on, i.e. a daemonizing stub)
  • The exploit triggers the vulnerability by uploading a file filled entirely with 0x0a (newline) bytes via FTP STOR in ASCII mode, then retrieving it with RETR in ASCII mode, which triggers the buffer overflow in _xlate_ascii_write().
  • The overflow occurs in _xlate_ascii_write() (src/data.c) during ASCII-mode file transfer, where each bare newline is expanded to CRLF; monitor for large ASCII-mode FTP downloads that follow the upload of a file composed entirely of newline characters.
  • The exploit requires the attacker to authenticate (even as anonymous), issue TYPE A (ASCII mode), upload a malformed file via STOR, then download it via RETR; monitor for this FTP command sequence from a single session.
  • Post-exploitation, the shellcode binds a shell on port 4660 (0x1234); monitor for unexpected listening services on port 4660 on FTP servers running ProFTPD 1.2.7 through 1.2.9rc2.
  • The exploit upload buffer is ~65 KB (EXPLOIT_BUF_SIZE 65535 / 65558 newline bytes); an unusually large ASCII-mode FTP upload composed entirely of newline bytes is a strong indicator of exploitation.
  • The exploit targets specific stack addresses for RedHat 8.0 with ProFTPD 1.2.8; return addresses differ per OS/build and must be brute-forced or adjusted for other targets.
  • The exploit brute-forces stack addresses between STACK_START and STACK_END; the exact range is platform-dependent and the exploit loops through candidates automatically.
  • The connect-back shellcode IP and port are embedded at fixed offsets within the shellcode buffer (OFFSET=39 for IP/port, OFF2=70 for bind port); bytes that equal 0x0a ('\n') in the port value would be subject to the same ASCII translation, so the exploit aborts on such values.
  • The vulnerability may also affect ProFTPD versions prior to 1.2.7, though this has not been confirmed.
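The command-sequence indicator above, turned into a detector as an added example (this is not code from the page or from ProFTPD): it tracks per-session TYPE/STOR/RETR state over a constructed log format, "<session-id> <FTP command line>", one command per line, and fires when a session RETRs in ASCII mode a file it STORed in ASCII mode. The session ids, sample lines and function names are this example's own; real ProFTPD log lines need their own parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original page: a small detector for the
 * control-channel sequence described above (TYPE A, STOR of a file,
 * then RETR of the same file within one session). The log format is a
 * constructed one for this example: "<session-id> <FTP command line>",
 * one command per line. */

#define MAX_SESSIONS 64
#define NAME_LEN 128

struct session {
    char id[32];
    int ascii;               /* currently in ASCII mode (last TYPE was A) */
    char stored[NAME_LEN];   /* last filename STORed while in ASCII mode */
};

static struct session sessions[MAX_SESSIONS];
static int nsessions;

void reset_detector(void) { nsessions = 0; }

static struct session *get_session(const char *id) {
    for (int i = 0; i < nsessions; i++)
        if (strcmp(sessions[i].id, id) == 0)
            return &sessions[i];
    if (nsessions == MAX_SESSIONS)
        return NULL;                       /* table full: stop tracking */
    struct session *s = &sessions[nsessions++];
    memset(s, 0, sizeof *s);
    snprintf(s->id, sizeof s->id, "%s", id);
    return s;
}

/* FTP verbs are case-insensitive; verb is given in upper case. */
static int is_verb(const char *cmd, const char *verb) {
    for (; *cmd && *verb; cmd++, verb++)
        if (toupper((unsigned char)*cmd) != *verb)
            return 0;
    return *cmd == '\0' && *verb == '\0';
}

/* Feed one log line. Returns 1 when the line completes the suspicious
 * sequence for its session (ASCII-mode RETR of a file that the same
 * session STORed in ASCII mode), otherwise 0. */
int ftp_line_is_suspicious(const char *line) {
    char id[32], cmd[16], arg[NAME_LEN];
    int n = sscanf(line, "%31s %15s %127s", id, cmd, arg);
    if (n < 2)
        return 0;
    if (n == 2)
        arg[0] = '\0';
    struct session *s = get_session(id);
    if (!s)
        return 0;
    if (is_verb(cmd, "TYPE")) {
        s->ascii = (arg[0] == 'A' || arg[0] == 'a');
        if (!s->ascii)
            s->stored[0] = '\0';           /* TYPE I resets the chain */
    } else if (is_verb(cmd, "STOR")) {
        if (s->ascii)
            snprintf(s->stored, sizeof s->stored, "%s", arg);
    } else if (is_verb(cmd, "RETR")) {
        if (s->ascii && s->stored[0] && strcmp(s->stored, arg) == 0)
            return 1;
    }
    return 0;
}

/* Runs the detector over a whole log; returns the number of hits. */
int scan_log(const char *const *lines, int count) {
    int hits = 0;
    for (int i = 0; i < count; i++)
        if (ftp_line_is_suspicious(lines[i]))
            hits++;
    return hits;
}

/* Constructed sample: one session that matches, two benign ones. */
static const char *const sample_log[] = {
    "s1 USER anonymous",
    "s1 PASS guest@example",
    "s1 TYPE A",
    "s1 STOR kf",
    "s1 RETR kf",          /* hit: ASCII STOR then RETR of the same name */
    "s2 TYPE I",
    "s2 STOR kf",
    "s2 RETR kf",          /* binary mode: not the vulnerable path */
    "s3 TYPE A",
    "s3 STOR notes.txt",
    "s3 RETR other.txt",   /* different file: no hit */
};

int scan_sample_log(void) {
    reset_detector();
    return scan_log(sample_log, (int)(sizeof sample_log / sizeof sample_log[0]));
}

int main(void) {
    printf("suspicious ASCII STOR/RETR sequences: %d\n", scan_sample_log());
    return 0;
}
```

The control channel cannot show the upload's contents, so the ~65 KB "all 0x0a" indicator has to come from a data-channel capture or the stored file itself; pairing this sequence match with a check for a new listener on port 4660 gives a much lower false-positive rate than either alone.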