CVE-2005-3081
published 2005-09-27CVE-2005-3081: wzdftpd 0.5.4 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the SITE command.
PriorityP354medium4.6CVSS 2.0
AVLACLAuNCPIPAP
EXPLOIT
EPSS
76.60%
99.5th percentile
wzdftpd 0.5.4 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the SITE command.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wzdftpd | wzdftpd | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by monitoring FTP SITE commands containing shell metacharacters (pipe `|` and semicolon `;`) sent to wzdftpd servers on port 21. ↗
- →Identify vulnerable wzdftpd servers by matching the FTP banner string '220 wzd server ready' during reconnaissance or in network traffic. ↗
- →Flag authenticated FTP sessions where a SITE command is immediately followed by a pipe character (`|`) and a semicolon-terminated string, indicating shell metacharacter injection. ↗
- →Default credentials used by exploit: username 'guest', password '%' — alert on FTP logins using these credentials against wzdftpd servers. ↗
- ·Exploitation requires prior authentication to the FTP server; the vulnerability is only reachable by authenticated (including guest) users. ↗
- ·The exploit payload space is limited to 128 bytes, constraining the size of injected shell commands. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)
exploitdb·2005-11-04
CVE-2005-3081 WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)
WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)
---
# Reference: http://www.milw0rm.com/id.php?id=1231 (https://www.exploit-db.com/exploits/1231/) (kcope) /str0ke
#
# Metasploit plugin for: Wzdftpd SITE Command Arbitrary Command Execution
# 2005 11 26 - David Maciejak
#
package Msf::Exploit::wzdftpd_site;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info = {
'Name' => 'Wzdftpd SITE Command Arbitrary Command Execution',
'Version' => '$Revision: 1.0 $',
'Authors' => [ 'David Maciejak ' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'guest'],
'PASS' => [1, 'DATA', 'Password', '%'],
'SITECMD'=> [1, 'DATA',
Exploit-DB
WzdFTPD 0.5.4 - Remote Command Execution
exploitdb·2005-09-24
CVE-2005-3081 WzdFTPD 0.5.4 - Remote Command Execution
WzdFTPD 0.5.4 - Remote Command Execution
---
######################################################
# 0day0day0day0day0day0day0day
# -------------------------------
# wzdftpd remote exploit by kcope
# nice call to popen(3) on custom
# site commands...
#
# August 2005
# confidential! keep private!
# -------------------------------
# 0day0day0day0day0day0day0day
#
# .___ _____ __ .___
#__ _ __________ __| _// ____\/ |_______ __| _/
#\ \/ \/ /\___ // __ |\ __\\ __\____ \ / __ |
# \ / / // /_/ | | | | | | |_> > /_/ |
# \/\_/ /_____ \____ | |__| |__| | __/\____ |
# \/ \/ |__| \/
#
#__ _ _______ _______ ____ ________
#\ \/ \/ /\__ \\_ __ \_/ __ \\___ /
# \ / / __ \| | \/\ ___/ / /
# \/\_/ (____ /__| \___ >_____ \
# \/ \/ \/ VER1
######################################################
use Net::
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0646.htmlhttp://secunia.com/advisories/16936http://www.debian.org/security/2006/dsa-1006http://www.osvdb.org/19682http://www.securiteam.com/exploits/5CP0R1PGUE.htmlhttp://www.securityfocus.com/bid/14935http://archives.neohapsis.com/archives/fulldisclosure/2005-09/0646.htmlhttp://secunia.com/advisories/16936http://www.debian.org/security/2006/dsa-1006http://www.osvdb.org/19682http://www.securiteam.com/exploits/5CP0R1PGUE.htmlhttp://www.securityfocus.com/bid/14935
2005-09-27
Published