CVE-2005-1323
published 2005-05-02

CVE-2005-1323: Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote attackers to execute arbitrary code via a long USER command.

Priority: P351, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 63.07% (99.1th percentile)

Affected

1 ranges
Vendor | Product | Version range | Fixed in
intersoft | netterm | |

Detection & IOCs (extracted from sources)

command: USER <oversized_buffer>
port: 4444
registry: 0x0040df98
registry: 0x75022ac4
registry: 0x71aa32ad
registry: 0x77681799
registry: 0x4cfa1200
filename: netftpd.exe
bytes: \x00\x0a\x20\x0d
  • Detect exploitation attempts by monitoring FTP traffic for oversized USER commands (buffer size ~1014 bytes or larger) sent to NetTerm NetFTPD.
  • Check FTP banner for 'NetTerm FTP server' string to identify vulnerable instances; the Metasploit module uses this banner check to confirm vulnerability.
  • After successful exploitation, watch for outbound TCP connections to port 4444 from the FTP server process (netftpd.exe), indicating a reverse/bind shell.
  • The exploit payload uses a stack adjustment of -3500 bytes; anomalous stack pointer manipulation in netftpd.exe may indicate exploitation.
  • The universal return address (0x0040df98) targets netftpd.exe directly and applies across multiple versions; other return addresses are DLL-specific to particular Windows OS versions.
  • The exploit payload space is limited to 1000 bytes and must avoid bad characters \x00, \x0a, \x20, \x0d; shellcode must be encoded accordingly.
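
The first two detection notes above (oversized USER argument, NetTerm banner) can be combined into one check over a reassembled FTP control connection. The following is an added example, not code from this page or from any cited source; the function name, the segment format and the sample sessions, including the exact banner line, are assumptions made for illustration.

```python
import re

USER_LEN_THRESHOLD = 1014                # "~1014 bytes or larger", per the page
BANNER_MARKER = b"NetTerm FTP server"    # banner string named on the page
USER_RE = re.compile(rb"^[ \t]*USER[ \t]+(.*)$", re.I | re.S)


def inspect_session(segments, threshold=USER_LEN_THRESHOLD):
    """Inspect one FTP control connection (hypothetical helper).

    segments: (direction, payload) pairs in capture order, direction being
    "c2s" (client to server) or "s2c". Payloads are joined per direction
    first, so a USER command split across TCP segments is measured whole.
    """
    segments = list(segments)
    client = b"".join(p for d, p in segments if d == "c2s")
    server = b"".join(p for d, p in segments if d == "s2c")
    findings = []
    # split() also yields an unterminated tail, so a command sent without a
    # closing CRLF is checked as well.
    for line in client.split(b"\n"):
        m = USER_RE.match(line.rstrip(b"\r"))
        if m and len(m.group(1)) >= threshold:
            arg = m.group(1)
            findings.append({
                "arg_len": len(arg),
                # Usernames are normally printable ASCII, so a count of
                # other bytes is an extra signal for triage.
                "non_printable": sum(1 for b in arg if not 0x21 <= b <= 0x7E),
            })
    return {"netterm_banner": BANNER_MARKER in server, "findings": findings}


# Constructed sample sessions (not captured traffic).
BENIGN = [
    ("s2c", b"220 NetTerm FTP server ready\r\n"),
    ("c2s", b"USER alice\r\n"),
]
SUSPICIOUS = [
    ("s2c", b"220 NetTerm FTP server ready\r\n"),
    ("c2s", b"user " + b"A" * 500),      # lower-case verb, and the command
    ("c2s", b"A" * 514 + b"\r\n"),       # is split across two segments
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_session(session))
```

A finding on a connection where netterm_banner is true deserves higher priority than the same finding against an unrelated FTP server.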