CVE-2006-0441
published 2006-01-26


Priority: P3 56 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT
EPSS: 70.42% (99.3rd percentile)
Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.

Affected (3 ranges)

Vendor      Product           Version range   Fixed in
karjasoft   sami_ftp_server   (not given)     (not given)
karjasoft   sami_ftp_server   (not given)     (not given)
karjasoft   sami_ftp_server   (not given)     (not given)

Detection & IOCs (extracted from sources)

port: 4444
command: USER <596+ byte overflow payload>
command: PASS <596+ byte overflow payload>
other: 0x75022ac4
other: 0x74fd11a9
other: 0x74fa12bc
other: 0x71aa32ad
other: 0x10022ADE
other: 0x71ab7bfb
other: 0x77daaccf
  • The overflow is triggered when the FTP server administrator views the log GUI — the exploit is passive/deferred, not immediate. Detection should focus on oversized USER/PASS commands written to the log file rather than immediate crash.
  • Payload persists across restarts via the binary log file SamiFTP.binlog; shellcode re-executes on every server restart until the log file is manually deleted.
  • Overflow offset is at 596 bytes in the USER field; SEH overwrite occurs at 600 bytes. Alert on FTP USER or PASS commands exceeding ~596 bytes.
  • Bad characters for payload encoding are null byte, CR, LF, space, and 0xFF — any FTP USER/PASS payload avoiding these bytes but exceeding 596 bytes is suspicious.
  • Banner check: server responds with 'Sami FTP Server 2.0.2' — use this banner string to identify vulnerable instances during network scanning.
  • The SEH-based exploit uses a pop/pop/ret gadget in tmp01.dll at 0x10022ADE; presence of this module loaded in the Sami FTP process space indicates a vulnerable configuration.
  • Return addresses are OS/SP/locale specific; the listed ROP gadgets target ws2help.dll on Windows 2000 (EN/IT/FR) and Windows XP SP0/1 EN only. They will not work on other platforms without adjustment.
  • Payload space is limited to 300 bytes with a stack adjustment of -3500 in the Metasploit module; larger staged payloads may not fit without modification.
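The detection guidance above (alert on USER/PASS arguments at or past the 596-byte overflow offset, and treat an oversized argument that avoids the null, CR, LF, space and 0xFF bytes as payload-like) can be turned into a small log scanner. The following is an added example written for this page, not code from cbcvebase or from any published module; the log line layout `<date> <time> <client-ip> <COMMAND> [<argument>]` and the sample lines are constructed for the example, so adapt the regular expression to the real log format you collect.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Threshold from the advisory: the USER/PASS field overflows at 596 bytes
# (SEH overwrite at 600), so any argument of that length or more is flagged.
OVERFLOW_THRESHOLD = 596
WATCHED_COMMANDS = {b"USER", b"PASS"}
# Bytes the published exploit has to avoid. A long argument containing none of
# them looks like an encoded payload rather than a mistyped credential.
BAD_BYTES = frozenset({0x00, 0x0D, 0x0A, 0x20, 0xFF})

# Assumed log line layout (constructed for this example; the real Sami FTP
# log format may differ): "<date> <time> <client-ip> <COMMAND> [<argument>]".
LOG_RE = re.compile(
    rb"^(?P<ts>\S+ \S+) (?P<src>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$"
)


@dataclass
class Alert:
    timestamp: str
    source: str
    command: str
    arg_len: int
    payload_like: bool  # True when the argument avoids every bad byte


def inspect_line(line: bytes) -> Optional[Alert]:
    """Return an Alert if the line carries an oversized USER/PASS argument."""
    m = LOG_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    cmd = m.group("cmd").upper()
    if cmd not in WATCHED_COMMANDS:
        return None
    arg = m.group("arg") or b""
    if len(arg) < OVERFLOW_THRESHOLD:
        return None
    return Alert(
        timestamp=m.group("ts").decode("ascii", "replace"),
        source=m.group("src").decode("ascii", "replace"),
        command=cmd.decode("ascii"),
        arg_len=len(arg),
        payload_like=not any(b in BAD_BYTES for b in arg),
    )


def scan_log(lines: Iterable[bytes]) -> List[Alert]:
    """Scan a sequence of raw log lines and collect every alert."""
    return [a for a in (inspect_line(l) for l in lines) if a is not None]


# Constructed sample log: two normal logins, one oversized USER argument that
# avoids all bad bytes, one oversized PASS argument that contains a space
# (still oversized, but not payload-like), and an unrelated QUIT.
SAMPLE_LOG = [
    b"2006-01-26 10:01:02 203.0.113.5 USER anonymous",
    b"2006-01-26 10:01:03 203.0.113.5 PASS guest@example.com",
    b"2006-01-26 10:02:17 203.0.113.9 USER " + b"A" * 700,
    b"2006-01-26 10:02:18 203.0.113.9 PASS " + b"B" * 300 + b" " + b"B" * 300,
    b"2006-01-26 10:03:00 203.0.113.5 QUIT",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.source} {a.command} "
              f"len={a.arg_len} payload_like={a.payload_like}")
```

Because the overflow fires when the log is viewed rather than when the command arrives, run the scan over the log file itself (and SamiFTP.binlog, if you can decode it) before anyone opens the log GUI, and treat a hit as a reason to remove the log entry rather than to inspect it interactively.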
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.