CVE-2004-0330
published 2004-11-23

CVE-2004-0330: Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command.

Priority: P3 (59) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 85.47% (99.7th percentile)

Affected (9 ranges)

Vendor     | Product            | Version range | Fixed in
solarwinds | serv-u_file_server | <= 5.0.0.0    |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |
solarwinds | serv-u_file_server |               |

Detection & IOCs (extracted from sources)

  • command: MDTM 20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt
  • command: MDTM 20031111111111+<overflow_buffer>
  • command: MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt
  • command: MDTM 20031111111111+<SEH_chain><ret><shellcode>
  • process: ServUDaemon.exe
  • address (SEH return address in ServUDaemon.exe): 0x00401877
  • address (SEH return address in ServUDaemon.exe): 0x0040164d
  • address (SEH return address in ServUDaemon.exe): 0x0040167e
  • bytes: \x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\xBF\x52\x52\x31\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3\x90\x90
  • Detect exploit attempts by matching FTP MDTM commands containing a timestamp followed by '+' and a long timezone argument (overflow pattern). The timestamp prefix '200[34]1111111111+' followed by a large buffer is a reliable signature across all known PoC variants.
  • The Metasploit exploit uses bad-char filtering; the payload avoids bytes: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e — FTP traffic containing MDTM with a long timezone and shellcode lacking these bytes is highly suspicious.
  • Banner-based detection: FTP banners matching 'Serv-U FTP Server v4.1', 'Serv-U FTP Server v5.0', or 'Serv-U FTP Server v4.0' indicate potentially vulnerable versions. v5.0.0.4 and later are patched.
  • The exploit requires prior authentication (valid username and password). Monitor for authenticated FTP sessions immediately followed by anomalously long MDTM commands as a lateral-movement or post-auth exploitation indicator.
  • The Metasploit module uses an SEH-based overflow with a default SEHOffset of 47 bytes from the start of the timezone argument. The SEH overwrite return addresses 0x00401877, 0x0040164d, and 0x0040167e in ServUDaemon.exe are specific to exploitable builds.
  • The ex_servu.c exploit (DOC 6) uses a connect-back or rebind shellcode; after exploitation, watch for ServUDaemon.exe spawning outbound TCP connections or binding a new listener port (shellport), which is configurable by the attacker.
  • The exploited service crashes after shellcode execution ('single hit'). A sudden crash of ServUDaemon.exe immediately following an authenticated MDTM command with a long argument is a strong post-exploitation indicator.
  • The bug affects all Serv-U versions prior to 5.0.0.4. The Metasploit exploit only reliably works against versions 4.0.0.4, 4.1.0.0, 4.1.0.3, and 5.0.0.0; other sub-versions in the vulnerable range may not be exploitable with this specific module.
  • Version 4.0.0.4 requires \xff byte doubling in the encoded payload. The Metasploit module auto-detects this by sending a 'P@SW' command and checking for a 500 response; manual exploits must account for this transformation.
  • The vendor changelog for 5.0.0.4 downplayed the fix. The patched FTP server (rhinosoft.com) was itself running ProFTPD at time of disclosure, not Serv-U.
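The detection rule from the first bullet (MDTM, 14-digit timestamp, '+', then an over-long timezone argument, with the '200[34]1111111111+' PoC prefix as a second signal) as an added example, not code from the source record. It runs over constructed FTP command lines; the length threshold MAX_TZ_LEN and the sample lines are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed threshold: a real timezone offset after '+' is a few characters
# at most (e.g. "+0100"); anything longer matches the overflow pattern.
MAX_TZ_LEN = 6
# MDTM <14-digit timestamp>+<timezone argument>; argument ends at whitespace.
MDTM_RE = re.compile(r"^MDTM\s+(\d{14})\+(\S*)", re.IGNORECASE)
# Timestamp prefix shared by the known PoC variants listed on this page.
POC_PREFIX_RE = re.compile(r"^200[34]1111111111$")


@dataclass
class Finding:
    line: str
    reason: str
    tz_len: int


def inspect_ftp_command(cmd: str) -> Optional[Finding]:
    """Return a Finding if one FTP command line matches the CVE-2004-0330 pattern."""
    m = MDTM_RE.match(cmd.strip())
    if not m:
        return None
    timestamp, tz = m.group(1), m.group(2)
    if len(tz) <= MAX_TZ_LEN:
        return None  # normal MDTM set-time call with a short offset
    reason = "long timezone argument after '+' (overflow pattern)"
    if POC_PREFIX_RE.match(timestamp):
        reason += "; timestamp matches known PoC prefix 200[34]1111111111"
    return Finding(cmd, reason, len(tz))


def scan_commands(lines: Iterable[str]) -> List[Finding]:
    """Run the check over a stream of FTP command lines (e.g. from a proxy log)."""
    return [f for f in (inspect_ftp_command(line) for line in lines) if f]


# Constructed sample session (not real traffic): two benign MDTM calls,
# one line mimicking the PoC shape and one long-argument variant.
SAMPLE_COMMANDS = [
    "USER alice",
    "PASS ********",
    "MDTM 20240101120000 /data/report.txt",
    "MDTM 20240101120000+0100 /data/report.txt",
    "MDTM 20031111111111+" + "A" * 45 + "/test.txt",
    "MDTM 20241111111111+" + "B" * 60 + " /other.txt",
]
```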