CVE-2006-2212
Published 2006-05-05
CVE-2006-2212: Buffer overflow in KarjaSoft Sami FTP Server 2.0.2 and earlier allows remote attackers to execute arbitrary code via a long (1) USER or (2) PASS command.
Priority P347 · medium · 6.4 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 58.23% (99.0th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| karjasoft | sami_ftp_server | — | — |
| karjasoft | sami_ftp_server | — | — |
| karjasoft | sami_ftp_server | — | — |
Detection & IOCs (extracted from sources)
bytes
BadChars: \x00\x0a\x0d\x20\xff
- Detect excessively long FTP USER commands (>596 bytes) on port 21, indicative of buffer overflow exploitation against Sami FTP Server.
- Check FTP banner for 'Sami FTP Server 2.0.2' to identify vulnerable instances; the Metasploit module uses this string to confirm vulnerability.
- Monitor for presence or modification of SamiFTP.binlog on the filesystem; a malicious payload persists in this log file and re-executes on application restart.
- The exploit uses SEH-based payload delivery (EXITFUNC=seh) with a stack adjustment of -3500; look for anomalous SEH chain overwrites in FTP server process memory.
- The exploit is passive and triggered when the administrator views FTP logs via the GUI; correlate FTP log review events with unexpected process execution.
- The exploit payload space is limited to 300 bytes; only small shellcode payloads are viable.
- The exploit is passive and requires administrator interaction (opening the GUI/log viewer) to trigger; immediate code execution is not guaranteed unless the GUI is already open.
- The SEH return addresses (p/p/r gadgets in ws2help.dll) are locale- and OS-specific; the provided addresses target Windows 2000 (EN/IT/FR) and Windows XP SP0/1 (EN) only.
- The application does not restart automatically after crash; the payload persists in SamiFTP.binlog and re-executes only if the application is manually restarted.
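An added example (not from the page's sources or the Metasploit module): a small control-channel inspector for the first two detection notes above. It reassembles commands across TCP segments before applying the 596-byte threshold, since a per-segment length check misses a command that is split, and it records whether the server greeting contained the quoted banner string. The class name, alert fields, and the use of the same limit for PASS are assumptions.

```python
MAX_CMD_BYTES = 596                      # USER threshold from the detection note
WATCHED = (b"USER", b"PASS")             # assumption: same limit applied to PASS
BANNER_MARK = b"Sami FTP Server 2.0.2"   # banner string quoted on the page


class FtpControlInspector:
    """Reassembles one FTP control connection and flags oversized logins."""

    def __init__(self):
        self.client_buf = b""
        self.server_head = b""
        self.alerts = []

    @property
    def banner_match(self):
        return BANNER_MARK in self.server_head

    def feed_server(self, data):
        # Keep only the start of the server stream: the greeting lives there.
        self.server_head = (self.server_head + data)[:1024]

    def feed_client(self, data):
        # Commands can span TCP segments, so buffer until a line ending.
        self.client_buf += data
        while b"\n" in self.client_buf:
            line, self.client_buf = self.client_buf.split(b"\n", 1)
            self._check(line.rstrip(b"\r"), complete=True)
        # An unterminated command is flagged once it passes the limit,
        # then dropped so the buffer cannot grow without bound.
        if len(self.client_buf) > MAX_CMD_BYTES:
            self._check(self.client_buf, complete=False)
            self.client_buf = b""

    def _check(self, line, complete):
        verb = line[:4].upper()
        if verb in WATCHED and len(line) > MAX_CMD_BYTES:
            self.alerts.append({"verb": verb.decode(), "length": len(line),
                                "complete": complete,
                                "banner_match": self.banner_match})


def run_sample():
    # Constructed traffic: filler bytes only, split into 256-byte segments.
    insp = FtpControlInspector()
    insp.feed_server(b"220 Sami FTP Ser")
    insp.feed_server(b"ver 2.0.2\r\n")
    stream = b"USER anonymous\r\nPASS guest\r\nUSER " + b"A" * 700 + b"\r\n"
    for i in range(0, len(stream), 256):
        insp.feed_client(stream[i:i + 256])
    return insp.alerts
```

An alert with `banner_match` set is the higher-priority case, because the server identified itself with the version string the page associates with vulnerable instances.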
GHSA
GHSA-x3r2-p3h2-85wm: Buffer overflow in KarjaSoft Sami FTP Server 2
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2008-5106 [HIGH] CWE-119 GHSA-x3r2-p3h2-85wm: Buffer overflow in KarjaSoft Sami FTP Server 2
Buffer overflow in KarjaSoft Sami FTP Server 2.0.x allows remote attackers to cause a denial of service (daemon crash) and possibly execute arbitrary code via a long argument to an arbitrary command, which triggers the overflow when the SamyFtp.binlog log file is viewed in the management console. NOTE: this may overlap CVE-2006-0441 and CVE-2006-2212.
GHSA
GHSA-j3v4-fpxg-4hr6: Buffer overflow in KarjaSoft Sami FTP Server 2
ghsa_unreviewed·2022-05-01
CVE-2006-2212 [MEDIUM] GHSA-j3v4-fpxg-4hr6: Buffer overflow in KarjaSoft Sami FTP Server 2
Buffer overflow in KarjaSoft Sami FTP Server 2.0.2 and earlier allows remote attackers to execute arbitrary code via a long (1) USER or (2) PASS command.
No detection rules found.
Exploit-DB
KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
CVE-2006-2212 KarjaSoft Sami FTP Server 2.0.2 - USER Remote Buffer Overflow (Metasploit)
---
##
# $Id: sami_ftpd_user.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
'Description' => %q{
This module exploits the KarjaSoft Sami FTP Server version 2.02
by sending an excessively long USER string. The stack is overwritten
when the administrator attempts to view the FTP logs. Therefore, this exploit
is passive and requires end-user interaction. Keep this in mind when selecti
Exploit-DB
KDPics 1.11 - 'exif.php?lib_path' Remote File Inclusion
exploitdb·2007-02-03
CVE-2006-6517 KDPics 1.11 - 'exif.php?lib_path' Remote File Inclusion
---
KDPics <= Remote File Include Vulnerability
Discovered by AsTrex "Rif Hackers Team"
URL:
http://www.phpscripts-fr.net/scripts/download.php?id=2212
V.CODE: In :KDPics/lib/exifer/exif.php
Exploit:
http://www.victime.com/[KDPics_path]/lib/exifer/exif.php?lib_path?=Evil.txt?cmd
Greeetz to : moroccan islam defenders ,ba azdin , xskull , savi7
# milw0rm.com [2007-02-03]
Metasploit
KarjaSoft Sami FTP Server v2.0.2 USER Overflow
metasploit
This module exploits an unauthenticated stack buffer overflow in KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long USER string during login. The payload is triggered when the administrator opens the application GUI. If the GUI window is open at the time of exploitation, the payload will be executed immediately. Keep this in mind when selecting payloads. The application will crash following execution of the payload and will not restart automatically. When the application is restarted, it will re-execute the payload unless the payload has been manually removed from the SamiFTP.binlog log file. This module has been tested successfully on Sami FTP Server versions: 2.0.2 on Windows XP SP0 (x86); 2.0.2 on Windows 7 SP1 (x86); 2.0.2
No writeups or analysis indexed.
- http://securityreason.com/securityalert/842
- http://securitytracker.com/id?1016031
- http://www.osvdb.org/25670
- http://www.securityfocus.com/archive/1/432944/100/0/threaded
- http://www.securityfocus.com/bid/17835
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26254
Published: 2006-05-05