CVE-2004-1626
published 2004-10-22

CVE-2004-1626: Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.

Priority: P3 (4)
CVSS 2.0: 5 (medium), vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available
EPSS: 67.39% (99.2th percentile)

Affected (3 ranges)

Vendor          Product          Version range   Fixed in
code-crafters   ability_server
code-crafters   ability_server
code-crafters   ability_server

Detection & IOCs (extracted from sources)

  • port: 4444
  • port: 31337
  • command: STOR <970-byte overflow buffer>
  • command: STOR <968-byte overflow buffer>
  • other: RET 0x7C2FA0F7 (Windows 2000 Server SP4)
  • other: RET 0x7D17D737 (Windows XP SP2)
  • other: RET 0x77C8F2C7 (Windows 2000 Advanced Server SP4)
  • bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e
  • bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5a
  • Detect oversized FTP STOR commands (>966 bytes) sent to port 21, indicative of buffer overflow exploitation against Ability Server 2.34
  • Monitor for FTP STOR commands followed by large payloads containing repeated 0x41 bytes (NOP sled pattern) and shellcode bytes starting with \xd9\xee\xd9\x74
  • Alert on reverse shell callback connections to port 31337 originating from an Ability FTP Server process after an oversized STOR command is received
  • The vulnerability also affects the APPE command in addition to STOR; monitor both commands for oversized payloads
  • Bad characters in shellcode are 0x00, 0x0a, 0x0d; filter/alert on FTP STOR payloads that avoid these bytes while containing high-entropy binary data
  • The Windows XP SP2 RET address (0x7D17D737) and Windows 2000 Server SP4 RET address (0x7C2FA0F7) used in exploit 588 are version-specific; detection based on exact byte sequences at the overflow offset will vary by target OS/SP
  • The vulnerability has been confirmed on version 2.34 but has also been reported in versions 2.25 and 2.32; other versions may also be affected
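As an added example (not code from cvebase or from the Ability Server project), the following Python applies the detection notes above to a captured client-to-server FTP command stream: it flags STOR/APPE arguments longer than 966 bytes, long runs of 0x41 padding, the shellcode prefix \xd9\xee\xd9\x74 quoted in the IoCs, and high-entropy binary data that avoids the bad characters 0x00/0x0a/0x0d. The sample stream, the 64-byte padding-run threshold and the 4.0-bit entropy cut-off are constructed assumptions for the example, not values taken from the advisory.

```python
"""Detection helper for CVE-2004-1626-style oversized FTP STOR/APPE commands.

Added example, not cvebase's or Ability Server's code. Thresholds and byte
patterns follow the detection notes; the sample stream is constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List

MAX_ARG_LEN = 966                        # advisory: STOR/APPE arguments > 966 bytes
VULNERABLE_COMMANDS = (b"STOR", b"APPE")  # both commands are affected
SHELLCODE_PREFIX = b"\xd9\xee\xd9\x74"   # first bytes of the shellcode quoted in the IoCs
FILLER_RUN = re.compile(rb"\x41{64,}")   # run of 0x41 padding (64 is an assumed minimum)
BAD_CHARS = {0x00, 0x0A, 0x0D}           # bytes the exploit payload must avoid
ENTROPY_THRESHOLD = 4.0                  # assumed cut-off, bits per byte


@dataclass
class Finding:
    command: bytes
    arg_len: int
    indicators: List[str] = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_ftp_commands(stream: bytes) -> List[Finding]:
    """Return one Finding per STOR/APPE line that shows at least one indicator."""
    findings = []
    # FTP commands are CRLF-terminated and the payload cannot contain 0x0a/0x0d,
    # so splitting on CRLF keeps each overflow buffer intact on one line.
    for line in stream.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb not in VULNERABLE_COMMANDS:
            continue
        f = Finding(command=verb, arg_len=len(arg))
        if len(arg) > MAX_ARG_LEN:
            f.indicators.append("oversized_argument")
        if FILLER_RUN.search(arg):
            f.indicators.append("filler_run_0x41")
        if SHELLCODE_PREFIX in arg:
            f.indicators.append("shellcode_prefix")
        # Strip the padding runs and judge the remainder: binary bytes, no bad
        # chars, and high entropy is what a bad-char-filtered payload looks like.
        remainder = FILLER_RUN.sub(b"", arg)
        has_binary = any(b < 0x20 or b > 0x7E for b in remainder)
        if (len(remainder) >= 16 and has_binary
                and not (BAD_CHARS & set(remainder))
                and shannon_entropy(remainder) > ENTROPY_THRESHOLD):
            f.indicators.append("high_entropy_payload")
        if f.indicators:
            findings.append(f)
    return findings


# Constructed sample: two benign commands, one at the threshold, one overflow-like.
SAMPLE_STREAM = (
    b"USER anonymous\r\n"
    b"PASS guest@example.com\r\n"
    b"STOR quarterly-report.pdf\r\n"
    b"APPE " + b"A" * 966 + b"\r\n"                       # padding only, not oversized
    + b"STOR " + b"A" * 966 + SHELLCODE_PREFIX
    + bytes(range(0x10, 0x60)) + b"\r\n"                  # 1050-byte argument
    + b"QUIT\r\n"
)

if __name__ == "__main__":
    for f in analyze_ftp_commands(SAMPLE_STREAM):
        print(f"{f.command.decode()} arg_len={f.arg_len} indicators={f.indicators}")
```

Feed it the decoded control-channel bytes from a capture of port 21. The callback indicator (a connection to port 31337 or 4444 from the Ability server process after an oversized STOR) needs process and network telemetry to correlate and is deliberately outside this snippet.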