CVE-2004-1135
published 2005-01-10

CVE-2004-1135: Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3)…

Priority: P4 · 31 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Tag: EXPLOIT
EPSS: 49.64% (98.7th percentile)
Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands.

Affected

1 range

Vendor    Product         Version range   Fixed in
ipswitch  ws_ftp_server   (not given)     (not given)

Detection & IOCs (extracted from sources)

port: 4444
other: 0x25185bb8
other: 0x7ffd3001
command: MKD <buf 8192 bytes with ret at offset 498/514/518/522>
command: MKD <A*presize>DEEF<B*(2000-presize-postsize-4)><C*postsize>
bytes: \x53\x9B\x2E\x7C
bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xb1\xbe
  • Detect oversized MKD FTP command (>2000 bytes) sent to port 21, indicative of buffer overflow exploitation against WS_FTP Server 5.03.
  • Detect oversized SITE, XMKD, and RNFR FTP commands (>2000 bytes) on port 21 as additional attack vectors for the same vulnerability.
  • Check FTP banner for version string '5.0.3' to identify vulnerable WS_FTP Server instances; the Metasploit module flags this as Vulnerable.
  • The exploit uses libeay32.dll ROP gadget (push esp; ret) at 0x25185bb8 — presence of this return address in network traffic or memory is a strong exploit indicator.
  • Payload bad characters for this exploit are: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e — shellcode in MKD payloads will avoid these bytes.
  • The exploit opens a reverse shell on port 4444; monitor for unexpected outbound connections to port 4444 from FTP server processes.
  • The alignment marker 'DEEF' (0x44454546) in the MKD argument is used to locate EIP offset; presence of this pattern in FTP MKD commands indicates exploit alignment probing.
  • The Metasploit module targets WS-FTP Server 5.03 Universal using a single return address from libeay32.dll; the exploit requires a valid authenticated FTP session (Privileged => false) before sending the malicious MKD command.
  • The win2k SP4 RET address (\x53\x9B\x2E\x7C) in the C exploit is platform-specific; the Metasploit module uses a different universal address (0x25185bb8 from libeay32.dll) intended to work on both XP and 2K.
  • Metasploit payload space is limited to 480 bytes with a stack adjustment of -3500; payloads exceeding this space or containing bad characters will fail.
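The detection points above (oversized SITE/XMKD/MKD/RNFR arguments, the 'DEEF' alignment marker, the libeay32.dll return address 0x25185bb8, and the '5.0.3' banner string) can be checked directly against FTP control-channel lines. The following is an added example, not code from the CVE record or from the exploit sources it summarizes; the 2000-byte threshold and the indicator values come from the bullets above, while the function names and the sample session are constructed for illustration.

```python
# Defensive check of FTP control-channel command lines for the CVE-2004-1135
# indicators listed on this page. Function names and sample data are constructed.

# Commands named in the CVE description; threshold taken from the detection notes.
VULNERABLE_COMMANDS = {"SITE", "XMKD", "MKD", "RNFR"}
OVERSIZE_THRESHOLD = 2000

# Indicators listed on the page. The return address is a 32-bit value, so on the
# wire it would normally appear little-endian; both orderings are checked.
ALIGNMENT_MARKER = b"DEEF"
RET_ADDR_LE = (0x25185BB8).to_bytes(4, "little")
RET_ADDR_BE = (0x25185BB8).to_bytes(4, "big")


def analyze_command(line):
    """Return the list of indicator names triggered by one raw FTP command line."""
    findings = []
    stripped = line.rstrip(b"\r\n")
    parts = stripped.split(b" ", 1)
    verb = parts[0].upper().decode("ascii", errors="replace")
    arg = parts[1] if len(parts) > 1 else b""

    # Long argument to one of the four commands named in the advisory.
    if verb in VULNERABLE_COMMANDS and len(arg) > OVERSIZE_THRESHOLD:
        findings.append(f"oversized_{verb}")

    # EIP-offset alignment probe pattern in an MKD argument.
    if verb == "MKD" and ALIGNMENT_MARKER in arg:
        findings.append("alignment_marker_DEEF")

    # The libeay32.dll return address appearing anywhere in the argument.
    if RET_ADDR_LE in arg or RET_ADDR_BE in arg:
        findings.append("libeay32_ret_addr")

    return findings


def analyze_session(lines):
    """Map line index -> findings for every line in a session that triggered something."""
    results = {}
    for index, line in enumerate(lines):
        hits = analyze_command(line)
        if hits:
            results[index] = hits
    return results


def banner_is_vulnerable(banner):
    """Version string check from the detection notes (matches the Metasploit check)."""
    return "5.0.3" in banner


# Constructed sample session (not captured traffic): benign commands mixed with
# lines that exercise each indicator.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"MKD reports\r\n",
    b"MKD " + b"A" * 2500 + b"\r\n",                              # oversized MKD
    b"MKD " + b"A" * 498 + b"DEEF" + b"B" * 1400 + b"\r\n",       # alignment probe, under threshold
    b"RNFR " + b"C" * 2100 + b"\r\n",                             # oversized RNFR
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, hits in analyze_session(SAMPLE_SESSION).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Run against a control-channel capture, a line at index 3 or 5 (oversized MKD/RNFR) is the strongest signal; the 'DEEF' marker on its own flags reconnaissance-style probing even when the argument stays under the size threshold.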