CVE-2005-1415
published 2005-05-03

CVE-2005-1415: Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command.

Priority: P354 · critical · CVSS 2.0 score: 10
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.46% (99.0th percentile)

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| globalscape | secure_ftp_server | | |
| globalscape | secure_ftp_server | | |

Detection & IOCs (extracted from sources)

port: 4444
other: ret=0x7C4FEDBB
other: ret=0x1002f01f
command: USER muts
command: PASS muts
bytes: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff
bytes: \x41*2043 + \x7C\x4F\xED\xBB + \x90*36 + shellcode
  • Buffer overflow is triggered by sending an oversized FTP command (2043+ bytes) after authentication; detect abnormally long FTP command payloads exceeding 2043 bytes on port 21.
  • Exploit requires a valid authenticated FTP session (or anonymous access); monitor for FTP logins immediately followed by anomalously large single-command payloads.
  • The shellcode prepend encoder stub \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff appears at the start of the payload; scan FTP traffic for this byte sequence.
  • The exploit targets GlobalSCAPE Secure FTP Server versions prior to 3.0.3; fingerprint the FTP banner for versions 3.0, 3.0.1, or 3.0.2 as high-risk targets.
  • FTP banner '220 GlobalSCAPE Secure FTP Server (v. 3.0)' identifies a vulnerable unpatched instance; alert on this banner string.
  • BadChars for the payload are null bytes, spaces, and lowercase ASCII (0x61-0x7a); the payload will be entirely uppercase/numeric alphanumeric encoded — detect FTP commands containing only uppercase alphanumeric characters of unusual length.
  • The standalone Python exploit hardcodes the return address 0x7C4FEDBB, while the Metasploit module uses 0x1002f01f; different builds/patches of the target may require different return addresses.
  • The overflow offset is 2043 bytes; the payload space available in the Metasploit module is 1000 bytes after the NOP sled.
  • The exploit only works against Windows targets; the Metasploit module platform is restricted to 'win'.
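
The detection notes above, combined into one check over a captured FTP control channel. This is an added example, not code from the sources this page extracts from; the function name, finding labels, the 512-byte run threshold and the sample session are constructed, while the 2043-byte limit, the stub bytes and the banner string come from the page.

```python
import re

# Values from the detection notes on this page.
MAX_CMD_LEN = 2043                                    # overflow offset in bytes
ENCODER_STUB = bytes.fromhex("eb0359eb05e8f8ffffff")  # prepend encoder stub
# The page quotes only the "(v. 3.0)" banner; the same format for 3.0.1 and
# 3.0.2 is an assumption.
BANNER_RE = re.compile(rb"^220 GlobalSCAPE Secure FTP Server \(v\. 3\.0(\.[12])?\)")
# Assumption: a run of 512+ uppercase/digit bytes counts as "unusual length".
UPPER_ALNUM_RUN = re.compile(rb"[A-Z0-9]{512,}")


def inspect_session(events):
    """Scan one FTP control connection and return a sorted list of findings.

    events: list of (direction, line) with direction "S" (server reply) or
    "C" (client command) and line as raw bytes. Finding names are made up
    for this example.
    """
    findings = set()
    authenticated = False
    for direction, line in events:
        body = line.rstrip(b"\r\n")
        if direction == "S":
            if BANNER_RE.match(body):
                findings.add("vulnerable-banner")
            if body.startswith(b"230"):        # 230 = user logged in
                authenticated = True
            continue
        if len(body) > MAX_CMD_LEN:
            findings.add("oversized-command-after-login" if authenticated
                         else "oversized-command")
        if ENCODER_STUB in body:
            findings.add("encoder-stub")
        if UPPER_ALNUM_RUN.search(body):
            findings.add("long-uppercase-alnum-run")
    return sorted(findings)


# Constructed session: ordinary login followed by one over-long command.
SAMPLE = [
    ("S", b"220 GlobalSCAPE Secure FTP Server (v. 3.0)\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS example\r\n"),
    ("S", b"230 Login OK\r\n"),
    ("C", b"STOR " + b"Z" * 2100 + b"\r\n"),
]

if __name__ == "__main__":
    print(inspect_session(SAMPLE))
```

The length check is the most robust of the four signals; the stub and character-class checks depend on the encoder a given payload used and will miss variants.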