CVE-2006-2212
published 2006-05-05

CVE-2006-2212: Buffer overflow in KarjaSoft Sami FTP Server 2.0.2 and earlier allows remote attackers to execute arbitrary code via a long (1) USER or (2) PASS command.

Priority P347 · medium · 6.4 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 58.23% (99.0th percentile)

Affected

3 ranges

Vendor | Product | Version range | Fixed in
karjasoft | sami_ftp_server | |
karjasoft | sami_ftp_server | |
karjasoft | sami_ftp_server | |

Detection & IOCs (extracted from sources)

command: USER <596-byte alphanumeric string + SEH payload>
path: SamiFTP.binlog
other: 0x75022ac4
other: 0x74fd11a9
other: 0x74fa12bc
other: 0x71aa32ad
bytes: BadChars: \x00\x0a\x0d\x20\xff

  • Detect excessively long FTP USER commands (>596 bytes) on port 21, indicative of buffer overflow exploitation against Sami FTP Server.
  • Check FTP banner for 'Sami FTP Server 2.0.2' to identify vulnerable instances; the Metasploit module uses this string to confirm vulnerability.
  • Monitor for presence or modification of SamiFTP.binlog on the filesystem; a malicious payload persists in this log file and re-executes on application restart.
  • The exploit uses SEH-based payload delivery (EXITFUNC=seh) with a stack adjustment of -3500; look for anomalous SEH chain overwrites in FTP server process memory.
  • The exploit is passive and triggered when the administrator views FTP logs via the GUI; correlate FTP log review events with unexpected process execution.
  • The exploit payload space is limited to 300 bytes; only small shellcode payloads are viable.
  • The exploit is passive and requires administrator interaction (opening the GUI/log viewer) to trigger; immediate code execution is not guaranteed unless the GUI is already open.
  • The SEH return addresses (p/p/r gadgets in ws2help.dll) are locale- and OS-specific; the provided addresses target Windows 2000 (EN/IT/FR) and Windows XP SP0/1 (EN) only.
  • The application does not restart automatically after crash; the payload persists in SamiFTP.binlog and re-executes only if the application is manually restarted.
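
The first two detection notes above (overlong USER argument, vulnerable banner) as a sensor-side check over a captured FTP control connection. This is an added example, not code from the page's sources; the function name, the finding labels and the sample sessions are constructed, and applying the 596-byte threshold to PASS as well as USER is an assumption based on the CVE description.

```python
import re

# Threshold from the detection note above (USER argument > 596 bytes).
# Reusing it for PASS is an assumption; the CVE lists both commands.
MAX_ARG_LEN = 596
VULN_BANNER = b"Sami FTP Server 2.0.2"
# FTP command verbs are case-insensitive; the argument follows one space.
CMD_RE = re.compile(rb"^(USER|PASS)(?: (.*))?$", re.IGNORECASE | re.DOTALL)


def inspect_stream(client_bytes, server_bytes=b""):
    """Return findings for one reassembled FTP control connection."""
    findings = []
    # The server greeting is the first line the server sends.
    if VULN_BANNER in server_bytes.split(b"\r\n", 1)[0]:
        findings.append(("vulnerable_banner", VULN_BANNER.decode()))
    # Split on LF and strip CR so bare-LF line endings do not bypass the
    # check; a trailing unterminated command is still inspected.
    for line in client_bytes.split(b"\n"):
        match = CMD_RE.match(line.rstrip(b"\r"))
        if not match:
            continue
        arg = match.group(2) or b""
        if len(arg) > MAX_ARG_LEN:
            verb = match.group(1).decode().lower()
            findings.append(("overlong_" + verb, len(arg)))
    return findings


# Constructed sample sessions (not captured traffic).
BANNER = b"220 Sami FTP Server 2.0.2\r\n"
BENIGN = b"USER anonymous\r\nPASS guest@example.com\r\n"
SUSPICIOUS = b"USER " + b"A" * 700 + b"\r\n"

if __name__ == "__main__":
    print(inspect_stream(BENIGN, BANNER))
    print(inspect_stream(SUSPICIOUS, BANNER))
```

A hit on both findings for the same connection is the combination worth alerting on; the banner finding alone is an inventory signal that the host needs patching or retirement.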