CVE-2005-3683
published 2005-11-19

Priority: P3 (52)
Severity: high (CVSS 2.0 base score 7.5)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 71.51% (99.3rd percentile)
Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.

Affected

9 ranges
Vendor | Product | Version range | Fixed in
freeftpd | freeftpd | (not shown) | (not shown)

Detection & IOCs (extracted from sources)

command: USER <1816-byte overflow buffer>
command: USER %s PASS x0ned
other: SEH overwrite offset at 1008 bytes (Metasploit) / 1011 bytes (standalone exploit)
other: Return address 0x75022ac4 (Windows 2000 English ALL)
other: Return address 0x71aa32ad (Windows XP Pro SP0/SP1 English)
other: Return address 0x776a1799 (Windows NT SP5/SP6a English)
other: Return address 0x7ffc0638 (Windows 2003 Server English)
other: SEH pop/pop/ret gadget 0x776a1082 ws2help.dll (Windows NT SP5/6)
other: SEH pop/pop/ret gadget 0x750211a9 ws2help.dll (Windows 2k Universal)
other: SEH pop/pop/ret gadget 0x71aa13d6 ws2help.dll (Windows XP SP1/2)
version: freeFTPd 1.0
bytes: \x2b\xc9\x83\xe9\xb8\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xcf\xfd\x4a\x2d\x83\xee\xfc\xe2\xf4
bytes: \xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF
  • Detect oversized FTP USER commands: a USER argument exceeding ~1000 bytes is a strong indicator of an exploitation attempt against CVE-2005-3683.
  • Banner check: the exploit confirms the target by matching 'freeFTPd 1.0' in the FTP banner before sending the payload; alert on reconnaissance probes that read the banner and immediately send a large USER command.
  • The exploit requires Logging to be enabled in freeFTPd; the overflow occurs when the server copies the USER argument into a fixed-size log buffer. Monitor for a crash or restart of the freeFTPd process after large USER commands.
  • Bad characters in the payload are the null byte, space, LF and CR (\x00\x20\x0a\x0d); any FTP USER argument of ~1800+ bytes not containing these characters should be treated as a buffer overflow attempt.
  • The standalone exploit sends both USER and PASS in a single TCP segment formatted as 'USER <payload>\r\nPASS x0ned\r\n'; the literal string 'x0ned' in the PASS field can serve as a signature.
  • XOR key 0x2D4AFDCF is used to encode the connect-back IP in the shellcode; 0x2D4A is used to encode the port. Presence of these XOR constants in FTP traffic is a strong indicator of this specific exploit.
  • The 22-byte XOR decoder stub (key 0x55) starting with \xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55 is present in the shellcode and can be used as a network or memory signature.
  • The vulnerability is only exploitable when the Logging feature is enabled in freeFTPd, which is non-default. Deployments with logging disabled are not vulnerable to code execution (though DoS may still be possible).
  • The Metasploit module requires a StackAdjustment of -3500 bytes, indicating that the payload space is constrained to 800 bytes; detection rules should account for payloads embedded well before the SEH overwrite offset.
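As an added detection example (not part of the original record, nor code from freeFTPd or the referenced exploits), the following Python inspector applies the indicators listed above to one client-to-server FTP byte stream: the USER length threshold, the bad-character set, the literal 'x0ned' PASS value, and the first 12 bytes of the XOR decoder stub. The sample traffic is constructed filler, not real exploit data.

```python
# Added detection example: applies the IOCs above to a client->server FTP stream.
USER_LEN_THRESHOLD = 1000                      # "~1000 bytes is a strong indicator"
BAD_CHARS = frozenset(b"\x00\x20\x0a\x0d")     # bytes the shellcode must avoid
PASS_SIGNATURE = b"x0ned"                      # literal PASS value used by the exploit
DECODER_STUB = bytes.fromhex("EB0F5B33C96683E9E0803355")  # first 12 bytes of XOR stub


def inspect_ftp_client_data(data: bytes) -> list:
    """Return (indicator, detail) tuples found in a client->server FTP stream."""
    findings = []
    for line in data.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER" and len(arg) > USER_LEN_THRESHOLD:
            findings.append(("oversized_user", len(arg)))
            # A long argument containing none of the bad characters looks like
            # an encoded payload rather than a mistyped username.
            if not (set(arg) & BAD_CHARS):
                findings.append(("badchar_free_payload", len(arg)))
        elif verb == b"PASS" and arg == PASS_SIGNATURE:
            findings.append(("pass_signature", arg.decode()))
    if DECODER_STUB in data:
        findings.append(("xor_decoder_stub", data.index(DECODER_STUB)))
    return findings


# Constructed sample traffic: a normal login, and a harmless stand-in for the
# attack (1816 filler bytes with the decoder-stub prefix embedded), not a payload.
BENIGN_STREAM = b"USER alice\r\nPASS s3cret\r\n"
FILLER = b"A" * 1200 + DECODER_STUB + b"A" * (1816 - 1200 - len(DECODER_STUB))
SUSPECT_STREAM = b"USER " + FILLER + b"\r\nPASS x0ned\r\n"

if __name__ == "__main__":
    print(inspect_ftp_client_data(BENIGN_STREAM))   # []
    print(inspect_ftp_client_data(SUSPECT_STREAM))  # four findings, stub at offset 1205
```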