CVE-2006-2407
published 2006-05-16


Priority: P2 (62)
Severity: high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 71.38% (99.3rd percentile)
Stack-based buffer overflow in (1) WeOnlyDo wodSSHServer ActiveX Component 1.2.7 and 1.3.3 DEMO, as used in other products including (2) FreeSSHd 1.0.9 and (3) freeFTPd 1.0.10, allows remote attackers to execute arbitrary code via a long key exchange algorithm string.

Affected (4 ranges)

Vendor      Product         Version range   Fixed in
freeftpd    freeftpd        not listed      not listed
freesshd    freesshd        not listed      not listed
weonlydo    wodsshserver    not listed      not listed
weonlydo    wodsshserver    not listed      not listed

Version ranges and fixed-in versions are not listed; the description above names freeFTPd 1.0.10, FreeSSHd 1.0.9, and wodSSHServer 1.2.7 and 1.3.3 DEMO as affected.

Detection & IOCs (extracted from sources)

port 1977 (bind shell listener opened by the exploit payload)
return address 0x750231e2 (hardcoded per OS/SP target)
return address 0x74f931e2 (hardcoded per OS/SP target)
return address 0x71ab1d54 (hardcoded per OS/SP target)
return address 0x71ab9372 (hardcoded per OS/SP target)
return address 0x77e56f43 (hardcoded per OS/SP target)
return address 0x77e51877 (hardcoded per OS/SP target)
return address 0x77e53877 (hardcoded per OS/SP target)
return address 0x77D718FC (hardcoded per OS/SP target)
return address 0x77D8AF0A (hardcoded per OS/SP target)
return address 0x77E33F4D (hardcoded per OS/SP target)
return address 0x77E14C29 (hardcoded per OS/SP target)
server banner SSH-2.0-WeOnlyDo-wodFTPD 2.1.8.98 (freeFTPd)
server banner SSH-2.0-WeOnlyDo 1.2.7 (freeSSHd)
bytes (layout 1, fake client banner SSH-2.0-OpenSSH_3.9p1):
SSH-2.0-OpenSSH_3.9p1\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde + 1055 bytes + ret + payload + 19000 bytes + \r\n
bytes (layout 2; the hex prefix decodes to the fake client banner SSH-1.99-OpenSSH_3.4 followed by LF):
\x53\x53\x48\x2d\x31\x2e\x39\x39\x2d\x4f\x70\x65\x6e\x53\x53\x48\x5f\x33\x2e\x34\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde + A*1055 + eip + yyyy + \x90*4 + shellcode + B*19021 + \r\n
bytes (win32_bind shellcode prefix):
win32_bind shellcode: \xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24...
  • The exploit sends a fake client banner (SSH-2.0-OpenSSH_3.9p1 in layout 1, SSH-1.99-OpenSSH_3.4 in layout 2 above) followed by a KEXINIT whose key exchange algorithm name-list is about 1055 bytes or more, over TCP port 22. Detect oversized SSH_MSG_KEXINIT packets from clients; matching on the OpenSSH_3.9p1 banner alone misses the second layout.
  • Vulnerable servers identify themselves with the banner SSH-2.0-WeOnlyDo-wodFTPD 2.1.8.98 (freeFTPd) or SSH-2.0-WeOnlyDo 1.2.7 (freeSSHd); use these banners to fingerprint exposed vulnerable services.
  • Successful exploitation opens a bind shell on TCP port 1977 on the victim; alert on a new listener on that port following inbound SSH connection attempts.
  • Both exploit layouts carry the fixed sequence \x00\x00\x4f\x04\x05\x14 immediately after the banner newline: a declared packet_length of 0x4f04, padding_length 5 and message type 0x14 (SSH_MSG_KEXINIT), followed by a 16-byte all-zero cookie and a name-list length of 0x7de. This works as a network signature within the first ~50 bytes of the client side of the handshake.
  • The overflow needs exactly 1055 bytes of padding before the return address; a client key exchange algorithm name-list longer than ~1055 bytes is a strong indicator of exploitation, since legitimate name-lists are short comma-separated algorithm names.
  • The Metasploit module only attempts exploitation if the server banner matches one of the vulnerable version strings; on a non-matching banner it aborts without sending the overflow payload.
  • Return addresses (RET values) are hardcoded per OS/SP target; with the wrong target selected the exploit fails or crashes the service, so detection based on crash events should account for failed attempts.
  • The standalone Python PoC (exploit-db 1787) notes that a shell may not be obtained on the first attempt and recommends retrying; detection logic should account for repeated connection attempts from the same source IP to port 22.
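The following is an added detection example, not code from this page, from the Metasploit module, or from the exploit-db PoC. It turns the indicators above (the fixed header bytes, the oversized key exchange name-list, and the vulnerable server banners) into a small stream-level classifier built on the SSH binary packet layout from RFC 4253: uint32 packet_length, byte padding_length, message type, then for KEXINIT a 16-byte cookie and the kex_algorithms name-list. It goes slightly beyond the page by also flagging non-printable bytes inside the name-list, which RFC 4251 defines as comma-separated printable US-ASCII names. All sample inputs are constructed; the exploit-shaped sample uses inert filler where the real exploit places the return address and shellcode.

```python
"""Stream-level detector for the CVE-2006-2407 exploit shape (added example;
all sample inputs are constructed)."""
import struct

SSH_MSG_KEXINIT = 20
# Padding the public exploit places before the return address (from this page).
KEX_NAMELIST_LIMIT = 1055
# Bytes both exploit layouts send right after the banner newline:
# packet_length 0x4f04, padding_length 5, message type 0x14 = SSH_MSG_KEXINIT.
EXPLOIT_HEADER_SIG = b"\x00\x00\x4f\x04\x05\x14"
# Server banners of the vulnerable builds listed on this page.
VULNERABLE_SERVER_BANNERS = (
    b"SSH-2.0-WeOnlyDo-wodFTPD 2.1.8.98",
    b"SSH-2.0-WeOnlyDo 1.2.7",
)


def split_banner(stream):
    """Split off the SSH identification string (LF-terminated, CR LF in practice)."""
    nl = stream.find(b"\n")
    if nl < 0:
        return None, stream
    return stream[:nl].rstrip(b"\r"), stream[nl + 1:]


def parse_kexinit(packet):
    """Parse an unencrypted KEXINIT header and its first name-list (RFC 4253).

    Returns None unless the packet is a KEXINIT. The name-list length is taken
    as declared, because that is what the vulnerable server trusted; the slice
    is naturally bounded by what was actually captured."""
    if len(packet) < 6 + 16 + 4:
        return None
    packet_length, padding_length, msg_type = struct.unpack("!IBB", packet[:6])
    if msg_type != SSH_MSG_KEXINIT:
        return None
    cookie_end = 6 + 16
    (kex_len,) = struct.unpack("!I", packet[cookie_end:cookie_end + 4])
    kex_names = packet[cookie_end + 4:cookie_end + 4 + kex_len]
    return {
        "packet_length": packet_length,
        "padding_length": padding_length,
        "kex_algorithms_length": kex_len,
        "kex_algorithms": kex_names,
    }


def classify_client_stream(stream):
    """Return alert reasons for the client-to-server bytes of one SSH session."""
    alerts = []
    banner, rest = split_banner(stream)
    if banner is None:
        return alerts
    if rest.startswith(EXPLOIT_HEADER_SIG):
        alerts.append("fixed exploit header bytes after banner")
    info = parse_kexinit(rest)
    if info is None:
        return alerts
    if info["kex_algorithms_length"] > KEX_NAMELIST_LIMIT:
        alerts.append("oversized kex_algorithms name-list (%d bytes)"
                      % info["kex_algorithms_length"])
    # RFC 4251 name-lists are printable US-ASCII; addresses, NOPs and shellcode are not.
    if any(b < 0x20 or b > 0x7e for b in info["kex_algorithms"]):
        alerts.append("non-printable bytes inside kex_algorithms name-list")
    return alerts


def server_is_vulnerable_version(server_stream):
    """Fingerprint the server-to-client banner against the vulnerable builds."""
    banner, _ = split_banner(server_stream)
    return banner in VULNERABLE_SERVER_BANNERS


def build_kexinit(kex_algorithms):
    """Build a well-formed unencrypted KEXINIT with correct length fields
    (only the first name-list is populated); used here as the benign sample."""
    payload = (
        bytes([SSH_MSG_KEXINIT]) + b"\x11" * 16           # type + cookie
        + struct.pack("!I", len(kex_algorithms)) + kex_algorithms
        + struct.pack("!I", 0) * 9                        # nine empty name-lists
        + b"\x00"                                         # first_kex_packet_follows
        + struct.pack("!I", 0)                            # reserved
    )
    padding_length = 8 - ((len(payload) + 5) % 8)
    if padding_length < 4:                                # RFC 4253 minimum
        padding_length += 8
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack("!IB", packet_length, padding_length)
            + payload + b"\x00" * padding_length)


# Constructed benign session start: modern client banner plus a normal KEXINIT.
BENIGN_CLIENT = b"SSH-2.0-OpenSSH_9.6\r\n" + build_kexinit(
    b"curve25519-sha256,diffie-hellman-group14-sha256")

# Constructed exploit-shaped session start following the layout on this page, with
# inert filler ("ABCD", four NOPs, "X" bytes) in place of the return address and
# shellcode. It is not a working exploit.
EXPLOIT_SHAPED_CLIENT = (
    b"SSH-2.0-OpenSSH_3.9p1\n"
    + EXPLOIT_HEADER_SIG + b"\x00" * 16 + b"\x00\x00\x07\xde"
    + b"A" * 1055 + b"ABCD" + b"\x90" * 4 + b"X" * 64 + b"B" * 19000 + b"\r\n"
)

if __name__ == "__main__":
    print("benign:", classify_client_stream(BENIGN_CLIENT))
    print("exploit-shaped:", classify_client_stream(EXPLOIT_SHAPED_CLIENT))
    print("vulnerable server:",
          server_is_vulnerable_version(b"SSH-2.0-WeOnlyDo 1.2.7\r\n"))
```

Run it on the reassembled client side of a TCP stream (the first packet after the banner is unencrypted, so no key material is needed). The header signature is the cheapest check but is specific to these two exploit layouts; the name-list length and printability checks also catch a rewritten exploit that changes the declared lengths.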