cbcvebase.
CVE-2006-3952
published 2006-08-01

Priority: P356
Severity: high, 7.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 67.07% (99.2th percentile)
Stack-based buffer overflow in EFS Software Easy File Sharing FTP Server 2.0 allows remote attackers to execute arbitrary code via a long argument to the PASS command. NOTE: the provenance of this information is unknown; the details are obtained from third party information.

Affected

1 range
Vendor: efs_software
Product: efs_ftp_server
Version range: (blank in source)
Fixed in: (blank in source)

Detection & IOCs (extracted from sources)

command: PASS <overly long password>
other: EIP = 0x77AB367B (popad pop ret, CRYPT32.DLL, XP SP2 Polish)
other: Ret = 0x75022ac4 (Windows 2000 Pro English ALL)
other: Ret = 0x71aa32ad (Windows XP Pro SP0/SP1 English)
other: BadChars: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e
other: pop/pop/ret at 0x10017F21 in SSLEAY32.DLL (EFS FTP Server 3.5)
other: call ebx from kernel32.dll SP4 at offset used in Windows 2000 SP4 exploit
bytes: \x2c followed by NOP sled (0x90 * 2571) + shellcode + EIP
bytes: \x2c + rand_text_english(2559) + \xeb\x12 + make_nops(2) + [target.ret].pack('V') + payload.encoded
bytes: \x2c + 'A'*2559 + \xeb\x19\x90\x90 + struct.pack('<I', 0x10017F21) + \x90*30 + shellcode
  • Detect exploitation attempts by monitoring FTP PASS commands with payloads exceeding ~2559 bytes, particularly those beginning with byte 0x2c.
  • FTP banner check: if the server banner contains 'Easy File Sharing FTP Server', the service is potentially vulnerable.
  • Exploit requires anonymous FTP login; monitor for USER anonymous followed by an oversized PASS command.
  • The exploit payload consistently starts with byte 0x2c as the first character of the PASS argument; this can serve as a signature byte in network detection rules.
  • Monitor for outbound connections on TCP port 4444 from the FTP server process, indicating a successful bind-shell payload execution.
  • The overflow offset is consistently ~2559 bytes before the SEH/EIP overwrite; a PASS argument of this length or greater is anomalous and should be alerted.
  • Return addresses are OS/SP-specific; the exploit must be tuned per target platform. Three distinct RET values are documented across exploits.
  • Payload bad characters must be avoided; the Metasploit module documents the full bad character set for encoder selection.
  • The original PoC was tested only on Windows XP SP2 Polish; reliability on other locales/service packs requires different RET addresses.
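The detection bullets above reduce to a few checks on the FTP control channel: a 220 banner naming the product, a PASS argument at or beyond the ~2559-byte overflow offset, a leading 0x2c byte on that argument, and a preceding USER anonymous. The Python below is an added example, not code from the CVE record or from any of the referenced exploits; it applies those checks to a constructed two-direction capture. The session bytes, the threshold constant, the Finding class and all function names are assumptions of the example, and the oversized password is plain filler rather than any real payload.

```python
"""Defender-side checks for the CVE-2006-3952 indicators listed on this page.

Added example. The sample control-channel captures are constructed here,
not taken from a real session or from any exploit.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Values taken from the indicators above (assumed as alert thresholds).
PASS_LENGTH_THRESHOLD = 2559            # overflow offset documented across the exploits
SIGNATURE_FIRST_BYTE = b"\x2c"          # first byte of the PASS argument in every listed PoC
BANNER_MARKER = b"Easy File Sharing FTP Server"


@dataclass
class Finding:
    line_no: int   # 1-based line within the capture
    rule: str      # short rule name
    detail: str    # human-readable context for the alert


def split_control_channel(raw: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (line_no, line) for each non-empty CRLF-terminated FTP line."""
    for no, line in enumerate(raw.split(b"\r\n"), start=1):
        if line:
            yield no, line


def is_server_reply(line: bytes) -> bool:
    """FTP replies start with a three-digit code; client commands do not."""
    return len(line) >= 3 and line[:3].isdigit()


def analyze_session(raw: bytes) -> List[Finding]:
    """Run the banner, oversized-PASS, 0x2c-prefix and anonymous-login checks."""
    findings: List[Finding] = []
    last_user: Optional[bytes] = None
    for no, line in split_control_channel(raw):
        if is_server_reply(line):
            # Banner check: a 220 greeting that names the product.
            if line.startswith(b"220") and BANNER_MARKER in line:
                findings.append(Finding(no, "vulnerable-banner", line[:80].decode("latin-1")))
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            last_user = arg.strip().lower()
        elif verb == b"PASS" and len(arg) >= PASS_LENGTH_THRESHOLD:
            detail = f"PASS argument is {len(arg)} bytes (threshold {PASS_LENGTH_THRESHOLD})"
            # The 0x2c prefix is the signature byte; without it the length alone is still anomalous.
            if arg.startswith(SIGNATURE_FIRST_BYTE):
                findings.append(Finding(no, "oversized-pass-0x2c", detail + ", leading byte 0x2c"))
            else:
                findings.append(Finding(no, "oversized-pass", detail))
            if last_user == b"anonymous":
                findings.append(Finding(no, "anonymous-then-oversized-pass",
                                        "USER anonymous preceded the oversized PASS"))
    return findings


def build_sample_sessions() -> Tuple[bytes, bytes]:
    """Constructed captures: one shaped like the documented attempt, one benign login."""
    filler = b"A" * PASS_LENGTH_THRESHOLD   # stand-in for the junk region; no shellcode
    suspicious = (
        b"220 Easy File Sharing FTP Server\r\n"
        b"USER anonymous\r\n"
        b"331 Password required\r\n"
        b"PASS " + SIGNATURE_FIRST_BYTE + filler + b"\r\n"
    )
    benign = (
        b"220 Easy File Sharing FTP Server\r\n"
        b"USER alice\r\n"
        b"331 Password required\r\n"
        b"PASS hunter2\r\n"
    )
    return suspicious, benign


if __name__ == "__main__":
    for label, raw in zip(("suspicious", "benign"), build_sample_sessions()):
        print(f"== {label} session ==")
        for f in analyze_session(raw):
            print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The benign session still produces the banner finding, which is deliberate: the banner marks a potentially vulnerable service, not an attack, so it should feed inventory or patch tracking rather than an incident alert, while the oversized-PASS rules are the ones worth paging on.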