cbcvebase.
CVE-2006-3726
published 2006-07-21

Priority: P3 (48, medium)
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: available
EPSS: 64.00% (99.1th percentile)
Buffer overflow in FileCOPA FTP Server before 1.01 released on 18th July 2006, allows remote authenticated attackers to execute arbitrary code via a long argument to the LIST command.

Affected (1 range)

Vendor         Product    Version range         Fixed in
intervations   filecopa   <= 1.01_2006-04-06    (none listed)

Detection & IOCs (extracted from sources)

command: LIST <overflow_buffer>
other: 0x7c2e7993
other: 0x77f62740
other: 0x77df2740
  • Detect oversized LIST command arguments sent to FTP port 21; the exploit sends 'LIST A <NOP sled + ret addr + shellcode>' with total buffer length well exceeding normal LIST argument sizes.
  • Look for the shellcode trampoline byte sequence 0x66 0x81 0xC1 0xA0 0x01 0x51 0xC3 (ADD CX,1A0 / PUSH ECX / RETN) within FTP LIST command payloads on the wire.
  • Bad characters filtered by the Metasploit payload encoder include \x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c; encoded shellcode in LIST payloads will avoid these bytes, which can help tune IDS signatures.
  • The return address 0x7c2e7993 (jmp esp in ADVAPI32.dll) appearing in network traffic targeting FTP port 21 is a strong indicator of this specific exploit against Windows 2000 SP4.
  • The exploit requires valid FTP credentials; it is not an unauthenticated pre-auth attack. Detection rules should account for the authenticated session before the malicious LIST command.
  • Return addresses differ between the two exploit variants (legacy Perl vs. Ruby Metasploit module) for the same OS target (Windows XP SP2 English uses 0x77df2740 in the Perl version vs. Windows XP Pro SP2 Italian using 0x77f62740 in the Ruby version); signatures based on hardcoded ret addresses must account for both.
  • Payload space is limited to 400 bytes and a stack adjustment of -3500 is applied; shellcode must fit within this constraint, which limits the complexity of second-stage payloads detectable on the wire.
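The detection notes above can be turned into a simple control-channel inspector. The following is an added example, not code from the CVE record or from any vendor or Metasploit module: it reads raw FTP command lines, and for LIST commands flags an oversized argument, the trampoline byte sequence, and any of the three return addresses listed on the page (searched in little-endian byte order, as they would sit in an x86 stack buffer). The 256-byte argument threshold, the 16-byte NOP-run heuristic, and the sample session are assumptions constructed for this example.

```python
import re
import struct

# Heuristic threshold for a LIST argument (assumption of this example);
# tune it to the longest path your FTP server legitimately serves.
MAX_LIST_ARG_LEN = 256

# Byte sequence named on the page: ADD CX,1A0 / PUSH ECX / RETN trampoline.
TRAMPOLINE = bytes([0x66, 0x81, 0xC1, 0xA0, 0x01, 0x51, 0xC3])

# Return addresses named on the page. On x86 they sit in the overflow buffer
# in little-endian order, which is the form we search for on the wire.
RET_ADDRS = {
    0x7C2E7993: "jmp esp in ADVAPI32.dll (Windows 2000 SP4)",
    0x77F62740: "Windows XP Pro SP2 Italian (Ruby module)",
    0x77DF2740: "Windows XP SP2 English (Perl version)",
}
RET_PATTERNS = {struct.pack("<I", addr): desc for addr, desc in RET_ADDRS.items()}


def inspect_ftp_command(line: bytes) -> list[str]:
    """Return the detection reasons for one FTP control-channel line (empty = benign)."""
    reasons: list[str] = []
    stripped = line.rstrip(b"\r\n")
    # Only LIST is relevant here; FTP verbs are case-insensitive.
    m = re.match(rb"(?i)^LIST(?:[ \t]+(.*))?$", stripped, re.DOTALL)
    if not m:
        return reasons
    arg = m.group(1) or b""
    if len(arg) > MAX_LIST_ARG_LEN:
        reasons.append(f"oversized LIST argument ({len(arg)} bytes)")
    if TRAMPOLINE in arg:
        reasons.append("ADD CX,1A0 / PUSH ECX / RETN trampoline bytes present")
    for pattern, desc in RET_PATTERNS.items():
        if pattern in arg:
            reasons.append(f"known return address 0x{pattern[::-1].hex()}: {desc}")
    # A run of 0x90 bytes never appears in a real path argument (heuristic, assumption).
    if b"\x90" * 16 in arg:
        reasons.append("NOP sled (16+ consecutive 0x90 bytes)")
    return reasons


def scan_session(lines) -> list[tuple[int, list[str]]]:
    """Scan an iterable of raw command lines; return (line_index, reasons) for flagged lines."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = inspect_ftp_command(line)
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample session (not captured traffic): a normal login and listing,
# then a synthetic LIST whose argument carries filler, the trampoline bytes,
# one of the page's return addresses and a NOP run. No shellcode is included.
SAMPLE_SESSION = [
    b"USER ftpuser\r\n",
    b"PASS hunter2\r\n",
    b"LIST -la\r\n",
    b"LIST A " + b"A" * 600 + TRAMPOLINE + struct.pack("<I", 0x7C2E7993) + b"\x90" * 32 + b"\r\n",
]

if __name__ == "__main__":
    for idx, reasons in scan_session(SAMPLE_SESSION):
        print(f"line {idx}: " + "; ".join(reasons))
```

Because the exploit is post-authentication, a production rule should key this check to sessions that have already completed USER/PASS, and treat the return-address and trampoline matches as high-confidence while the length and NOP heuristics remain tunable.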