CVE-2005-3683
Published 2005-11-19
Priority: P3 · 52 · high · CVSS 2.0 score 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 71.51% (99.3rd percentile)
Stack-based buffer overflow in freeFTPd before 1.0.9 with Logging enabled, allows remote attackers to cause a denial of service (application crash), and possibly execute arbitrary code, via a long USER command.
Affected (9 ranges listed; version ranges not captured)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freeftpd | freeftpd | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x2b\xc9\x83\xe9\xb8\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xcf\xfd\x4a\x2d\x83\xee\xfc\xe2\xf4`
- bytes: `\xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55\x43\xE2\xFA\xEB\x05\xE8\xEC\xFF\xFF\xFF`
- Detect oversized FTP USER commands: a USER argument exceeding ~1000 bytes is a strong indicator of an exploitation attempt against CVE-2005-3683.
- Banner check: the exploit confirms its target by matching 'freeFTPd 1.0' in the FTP banner before sending its payload; alert on reconnaissance probes that read the banner and immediately send a large USER command.
- The exploit requires Logging to be enabled in freeFTPd; the overflow occurs when the server copies the USER argument into a fixed-size log buffer. Monitor for a crash or restart of the freeFTPd process after large USER commands.
- Bad characters for the payload are the null byte, space, LF and CR (\x00\x20\x0a\x0d); any FTP USER argument of ~1800+ bytes that contains none of these characters should be treated as a buffer overflow attempt.
- The standalone exploit sends both USER and PASS in a single TCP segment formatted as 'USER <payload>\r\nPASS x0ned\r\n'; the literal string 'x0ned' in the PASS field can serve as a signature.
- The XOR key 0x2D4AFDCF is used to encode the connect-back IP in the shellcode, and 0x2D4A is used to encode the port. Presence of these XOR constants in FTP traffic is a strong indicator of this specific exploit.
- The 22-byte XOR decoder stub (key 0x55) starting with \xEB\x0F\x5B\x33\xC9\x66\x83\xE9\xE0\x80\x33\x55 is present in the shellcode and can be used as a network or memory signature.
- The vulnerability is only exploitable when the Logging feature is enabled in freeFTPd, which is non-default. Deployments with logging disabled are not vulnerable to code execution (though DoS may still be possible).
- The Metasploit module requires a StackAdjustment of -3500 bytes, indicating the payload space is constrained to 800 bytes; detection rules should account for payloads embedded well before the SEH overwrite offset.
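The indicators above can be combined into a single check over the client side of an FTP login. The following is an added example written for this page, not code from the original record or from any detection product; the 1000-byte threshold, the bad-character set, the 'x0ned' PASS value, the decoder stub prefix and the 'freeFTPd 1.0' banner marker are taken from the notes above, and the three sample sessions are constructed here for illustration.

```python
"""Flag FTP login attempts that match the CVE-2005-3683 indicators.

Added, constructed example: the detector and the sample sessions below are
not part of the original page. Thresholds and byte patterns come from the
detection notes; the sample traffic is made up for illustration.
"""

USER_OVERSIZE_BYTES = 1000                        # ~1000-byte USER threshold from the notes
FTP_BAD_CHARS = {0x00, 0x20, 0x0A, 0x0D}          # NUL, space, LF, CR
PASS_SIGNATURE = b"x0ned"                         # literal PASS value used by the standalone exploit
DECODER_STUB = bytes.fromhex("EB0F5B33C96683E9E0803355")  # first 12 bytes of the XOR decoder stub
BANNER_MARKER = b"freeFTPd 1.0"                   # banner string the exploit checks for


def analyse_ftp_session(server_banner: bytes, client_data: bytes) -> list:
    """Return a list of alert strings for one FTP session.

    server_banner: the 220 greeting the server sent.
    client_data:   everything the client sent before authentication completed.
    """
    alerts = []
    oversized_user = False

    # The exploit sends USER and PASS in one segment, so split on CRLF
    # rather than assuming one command per packet.
    for line in client_data.split(b"\r\n"):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER" and len(arg) > USER_OVERSIZE_BYTES:
            oversized_user = True
            alerts.append("oversized USER argument (%d bytes)" % len(arg))
            # A long argument that avoids every FTP bad character is shaped
            # like a crafted payload rather than a mistyped username.
            if not (set(arg) & FTP_BAD_CHARS):
                alerts.append("oversized USER argument contains no FTP bad characters")
        elif verb == b"PASS" and arg == PASS_SIGNATURE:
            alerts.append("PASS value matches exploit signature 'x0ned'")

    if DECODER_STUB in client_data:
        alerts.append("XOR decoder stub bytes present in client data")

    # Banner read followed immediately by a large USER: the reconnaissance
    # pattern the notes describe.
    if oversized_user and BANNER_MARKER in server_banner:
        alerts.append("oversized USER sent to a freeFTPd 1.0 banner")

    return alerts


# Constructed sample sessions (not real captures).
SAMPLE_SESSIONS = {
    "benign_login": (
        b"220 Hello, welcome to freeFTPd 1.0\r\n",
        b"USER alice\r\nPASS secret\r\n",
    ),
    "standalone_exploit_shape": (
        b"220 freeFTPd 1.0 ready\r\n",
        b"USER " + b"A" * 1800 + b"\r\nPASS x0ned\r\n",
    ),
    "stub_against_other_server": (
        b"220 some other ftpd\r\n",
        b"USER " + b"\x90" * 1200 + DECODER_STUB + b"\r\nPASS x\r\n",
    ),
}


def scan_samples() -> dict:
    """Run the detector over every constructed sample; returns name -> alerts."""
    return {name: analyse_ftp_session(banner, data)
            for name, (banner, data) in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, alerts in scan_samples().items():
        print(name, "->", alerts or "no alerts")
```

The USER length check alone catches both the denial-of-service and code-execution variants; the bad-character and signature checks only reduce false positives from genuinely long but accidental usernames.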
No detection rules found.
Exploit-DB
freeFTPd 1.0 - 'Username' Remote Overflow (Metasploit) (exploitdb · 2010-07-03 · CVE-2005-3683)
```ruby
##
# $Id: freeftpd_user.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class header, mixin and initialize() opening were lost in extraction and are
# restored here from the standard Metasploit 3 module layout (assumed, not quoted).
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'freeFTPd 1.0 Username Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the freeFTPd
        multi-protocol file transfer service. This flaw can only be
        exploited when logging has been enabled (non-default).
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9669 $',
      'References'     =>
        [
          [ 'CVE', '2005-3683'],
          [ 'OSVDB', '20909'],
          [ 'BI
```
Exploit-DB
freeFTPd 1.0.8 - 'USER' Remote Buffer Overflow (exploitdb · 2005-11-17 · CVE-2005-3684)
```c
/*
    26\09\05

    [i] Title: FreeFTPD Remote USER Buffer overflow
    [i] Discovered by: barabas [mutsonline]
    [i] Exploit by: Expanders

    [ Why FTPD crash? ]

    When the logging option is enabled freeftpd copies the user and the pass
    supplied by the user into memory before putting them in a logfile.

    ----Code Snippet----
    78001D5D MOV ECX,DWORD PTR SS:[ESP+4]   Ftpd puts in ECX SP+4, which points to the user supplied data.

    If the attacker's username is too big for the size of the buffer, first we
    overwrite the SEH handler (1011 bytes) and then the stack itself.
    Because the stack points to our buffer this code
    ----Code Snippet----
    78001D90
```
Metasploit
freeFTPd 1.0 Username Overflow
This module exploits a stack buffer overflow in the freeFTPd multi-protocol file transfer service. This flaw can only be exploited when logging has been enabled (non-default).
No writeups or analysis indexed.
References
- http://freeftpd.com/?ctt=changelog
- http://marc.info/?l=full-disclosure&m=113213763821294&w=2
- http://marc.info/?l=full-disclosure&m=113216611924774&w=2
- http://secunia.com/advisories/17583
- http://securitytracker.com/id?1015230
- http://www.osvdb.org/20909
- http://www.securityfocus.com/bid/15457
- http://www.vupen.com/english/advisories/2005/2458
- https://exchange.xforce.ibmcloud.com/vulnerabilities/23118