CVE-2006-3726
Published 2006-07-21
Priority: P3 48 · Severity: medium · CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EXPLOIT
EPSS: 64.00% (99.1th percentile)
Buffer overflow in FileCOPA FTP Server before 1.01 released on 18th July 2006, allows remote authenticated attackers to execute arbitrary code via a long argument to the LIST command.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| intervations | filecopa | <= 1.01_2006-04-06 | — |
Detection & IOCs (extracted from sources)
- Detect oversized LIST command arguments sent to FTP port 21; the exploit sends 'LIST A <NOP sled + ret addr + shellcode>' with total buffer length well exceeding normal LIST argument sizes.
- Look for the shellcode trampoline byte sequence 0x66 0x81 0xC1 0xA0 0x01 0x51 0xC3 (ADD CX,1A0 / PUSH ECX / RETN) within FTP LIST command payloads on the wire.
- Bad characters filtered by the Metasploit payload encoder include \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; encoded shellcode in LIST payloads will avoid these bytes, which can help tune IDS signatures.
- The return address 0x7c2e7993 (jmp esp in ADVAPI32.dll) appearing in network traffic targeting FTP port 21 is a strong indicator of this specific exploit against Windows 2000 SP4.
- The exploit requires valid FTP credentials; it is not an unauthenticated pre-auth attack. Detection rules should account for the authenticated session before the malicious LIST command.
- Return addresses differ between the two exploit variants (legacy Perl vs. Ruby Metasploit module) for the same OS target: Windows XP SP2 English uses 0x77df2740 in the Perl version, while Windows XP Pro SP2 Italian uses 0x77f62740 in the Ruby version. Signatures based on hardcoded return addresses must account for both.
- Payload space is limited to 400 bytes and a stack adjustment of -3500 is applied; shellcode must fit within this constraint, which limits the complexity of second-stage payloads detectable on the wire.
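The checks listed above can be combined into one pass over the client side of an FTP control connection. The following is an added example, not code from this page's sources; the function name, the 256-byte length threshold and the sample streams are assumptions made for illustration.

```python
import struct

# Indicators taken from the detection notes above.
TRAMPOLINE = bytes.fromhex("6681c1a00151c3")  # ADD CX,1A0 / PUSH ECX / RETN
RET_ADDRS = (0x7C2E7993, 0x77DF2740, 0x77F62740)
# x86 stores addresses little-endian, so that is how they appear on the wire.
RET_LE = {struct.pack("<I", a): a for a in RET_ADDRS}
MAX_LIST_ARG = 256  # assumed threshold; tune to the longest path you expect


def scan_control_stream(stream: bytes, max_arg: int = MAX_LIST_ARG):
    """Return one finding per suspicious LIST command in a client-to-server
    FTP control stream (raw bytes, commands terminated by CRLF)."""
    findings = []
    login_seen = False
    for n, line in enumerate(stream.split(b"\r\n"), start=1):
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"PASS":
            # Client side only: a login was attempted; the reply is not seen.
            login_seen = True
        if verb != b"LIST":
            continue
        reasons = []
        if len(arg) > max_arg:
            reasons.append(f"oversized argument ({len(arg)} bytes)")
        if TRAMPOLINE in arg:
            reasons.append("trampoline bytes 66 81 C1 A0 01 51 C3")
        for raw, addr in RET_LE.items():
            if raw in arg:
                reasons.append(f"return address 0x{addr:08x}")
        if reasons:
            findings.append({"line": n, "after_login": login_seen,
                             "reasons": reasons})
    return findings


# Constructed sample streams: filler bytes and indicators only, no payload.
BENIGN = b"USER alice\r\nPASS secret\r\nLIST /pub/docs\r\nQUIT\r\n"
SUSPECT = (b"USER alice\r\nPASS secret\r\nLIST A " + b"A" * 300
           + struct.pack("<I", 0x7C2E7993) + TRAMPOLINE + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_control_stream(sample))
```

The length check is the only one that does not depend on a specific exploit build; the byte-pattern checks match the two public modules referenced on this page and nothing else.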
No detection rules found.
Exploit-DB
FileCOPA FTP Server (Pre 18 Jul Version) - 'LIST' Remote Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: filecopa_list_overflow.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'FileCopa FTP Server pre 18 Jul Version',
'Description' => %q{
This module exploits the buffer overflow found in the LIST command
in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
},
'Author' => [ 'Jacopo Cervini' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2006-3726
Exploit-DB
FileCOPA FTP Server 1.01 - 'LIST' Remote Buffer Overflow (Metasploit)
exploitdb·2007-01-09
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::filecopa_list;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'FileCopa FTP Server pre 18 Jul Version',
'Version' => '$Revision: 0.1 $',
'Authors' =>
[
'Jacopo Cervini '
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' =
Metasploit
FileCopa FTP Server Pre 18 Jul Version
metasploit
This module exploits the buffer overflow found in the LIST command in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
No writeups or analysis indexed.
- http://secunia.com/advisories/21108
- http://www.appsec.ch/docs/2006-07-19-fileCopa.txt
- http://www.osvdb.org/27389
- http://www.securityfocus.com/bid/19065
- http://www.vupen.com/english/advisories/2006/2870
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27817