CVE-2004-2111
published 2004-12-31

CVE-2004-2111: Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.

Priority: P2 60 high
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 86.87% (99.7th percentile)

Affected

8 ranges
Vendor      Product             Version range   Fixed in
solarwinds  serv-u_file_server  <= 4.1.0.3
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server
solarwinds  serv-u_file_server

Detection & IOCs (extracted from sources)

command: SITE CHMOD 777 <long_filename>
command: SITE CHMOD 0666 <long_filename>
command: SITE CHMOD 477 <long_filename>
port: 28876
bytes: \xeb\xc9\x41\x41
bytes: W00T
bytes: \x41\x41\xEB\x04
bytes: \xeb\x06\x90\x90\xd6\x19\x02\x75
bytes: \xeb\x06\xeb\x06
  • Detect oversized SITE CHMOD FTP commands: a SITE CHMOD command with a filename argument exceeding ~400 bytes is a strong indicator of exploitation attempts against CVE-2004-2111.
  • Match FTP banner for vulnerable versions: Serv-U FTP Server v3.x or v4.0/v4.1 indicates a vulnerable target.
  • Detect egghunter tag 'W00T' in FTP SITE CHMOD payloads as a Metasploit-specific exploit indicator.
  • Flag FTP sessions where SITE CHMOD is followed by a payload containing SEH overwrite patterns (e.g., short JMP opcodes \xeb\x06 or \xeb\xc9 followed by return addresses) within the filename argument.
  • Monitor for outbound connections to unexpected ports (e.g., 28876 or attacker-controlled ports) from the Serv-U FTP server process after a SITE CHMOD command, indicating successful shell binding.
  • Exploitation requires valid FTP credentials and a writable directory; alert on authenticated FTP sessions issuing SITE CHMOD with abnormally long filenames (>400 bytes).
  • Detect the exploit probe sequence: SITE CHMOD 477 with a filename containing \xff\xff bytes used to fingerprint the server version before the actual overflow.
  • Exploitation leaves the Serv-U FTP service in a non-functional (crashed) state after a successful attack, which can serve as a post-exploitation indicator.
  • The SEH overwrite offset differs between Serv-U versions: offset 0x193 for v3.0.0.20–v4.1.0.11 and 0x133 for v3.0.0.16–v3.0.0.19; detection rules should account for variable payload offsets (~394–400 bytes) across targets.
  • The Metasploit module bad characters list (\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e) defines bytes that will NOT appear in the exploit payload, which can inform byte-pattern exclusions in detection signatures.
  • The exploit targets Windows 2000 and Windows XP only; return addresses are DLL-specific (WS2HELP.DLL, libeay32.dll, ssleay32.dll) and vary by OS version and service pack.
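
The checks listed above can be combined into one pass over FTP control-channel traffic. The following is an added example, not code from this page or from the Metasploit module; the function names are hypothetical, and it assumes the sensor already delivers each FTP command as one raw byte line.

```python
import re

# Threshold and byte patterns come from the detection notes above.
MAX_FILENAME_LEN = 400
BYTE_PATTERNS = {
    "egghunter_tag_W00T": b"W00T",
    "short_jmp_eb06": b"\xeb\x06",
    "short_jmp_ebc9": b"\xeb\xc9",
}
# SITE CHMOD <mode> <filename>; FTP verbs are case-insensitive.
SITE_CHMOD = re.compile(rb"^\s*SITE\s+CHMOD\s+(\d{1,4})\s+(.*)$", re.I | re.S)


def inspect_command(line: bytes) -> list:
    """Return findings for one raw FTP control-channel line."""
    m = SITE_CHMOD.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    mode, filename = m.group(1), m.group(2)
    findings = []
    if len(filename) > MAX_FILENAME_LEN:
        findings.append(f"oversized_filename:{len(filename)}")
    findings += [name for name, pat in BYTE_PATTERNS.items() if pat in filename]
    if mode == b"477" and b"\xff\xff" in filename:
        findings.append("version_probe_477_ffff")
    return findings


def scan_session(lines) -> list:
    """Return (line_index, findings) for every line that raised a finding."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect_command(line))]


# Constructed sample session (filler bytes only, not a captured attack).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"SITE CHMOD 644 report.txt\r\n",
    b"SITE CHMOD 477 \xff\xffprobe\r\n",
    b"site chmod 777 " + b"A" * 450 + b"W00T\xeb\x06\x90\x90\r\n",
]

if __name__ == "__main__":
    for index, findings in scan_session(SAMPLE_SESSION):
        print(index, findings)
```

The length check is the most robust signal because it does not depend on a particular payload; the byte patterns and the 477 probe are specific to the public exploit and are better used to raise confidence than as the only trigger.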