cbcvebase.
CVE-2006-2961
published 2006-06-12


Priority: P356 · Severity: high · CVSS 2.0 base score: 7.5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 61.94% (99.1st percentile)
Stack-based buffer overflow in CesarFTP 0.99g and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MKD command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

Affected (1 range)

Vendor    Product    Version range    Fixed in
aclogic   cesarftp   <= 0.99g         (none listed)

Detection & IOCs (extracted from sources)

command: MKD <671 newlines> + AAA + EIP + NOP sled + shellcode
command: XCWD <667 newlines> + 20 NOPs
command: MKD <671 newlines> + rand_text + ret + NOPs + payload
other: 0x7CA58265
other: 0x77e14c29
other: 0x775F29D0
other: 0x774699bf
other: 0x76AA679b
bytes: \x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8\x22\x72\xe4
  • Detect FTP MKD commands containing a large number of newline (0x0a) characters (671+) in the argument, indicative of the CesarFTP stack overflow exploit.
  • Detect FTP XCWD commands containing 667 or more newline characters in the argument, indicative of the CesarFTP DoS exploit.
  • Banner-check for 'CesarFTP 0.99g' on FTP port 21 to identify vulnerable targets.
  • The exploit requires valid FTP credentials before triggering; monitor for authenticated FTP sessions followed by anomalously large MKD or XCWD commands.
  • NOP sled (0x90 * 40) immediately following the return address in the MKD payload can be used as a byte-pattern signature for detection.
  • Bad characters for payload encoding are null byte, space, newline, and carriage return; payloads avoiding these bytes in shellcode are characteristic of this exploit.
  • Return addresses (RET values) are OS/SP-specific; the exploit must be targeted to the exact platform to achieve code execution rather than just a crash.
  • Payload space is limited to 250 bytes and must avoid null bytes, spaces, newlines, and carriage returns.
  • A large negative stack adjustment (-3500) is used in the Metasploit module to avoid overwriting the payload with function call stack frames.