CVE-2006-4318
published 2006-08-24

CVE-2006-4318: Buffer overflow in WFTPD Server 3.23 allows remote attackers to execute arbitrary code via long SIZE commands.

Priority: P353 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 62.32% (99.1st percentile)

Affected

1 range

Vendor                    Product   Version range   Fixed in
texas_imperial_software   wftpd     -               -

Detection & IOCs (extracted from sources)

  command: SIZE /<NOP sled><shellcode><EIP>
  other:   0x7d16887b
  other:   0x776f2015
  other:   0x7cb9e082
  other:   0x7848a5f1
  other:   0x7ca96834
  other:   0x7c2d3028
  other:   0x77dd1595
  other:   0x77d498ec
  bytes:   \x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6\x10\x92\x98\x83\xeb\xfc\xe2\xf4
  • Alert on FTP SIZE command arguments exceeding normal filename length (e.g., >512 bytes) on port 21; this is indicative of buffer overflow exploitation of WFTPD 3.23
  • The exploit uses a reverse shell payload; monitor for unexpected outbound TCP connections from the WFTPD process (wftpd.exe) shortly after a SIZE command is received
  • The exploit payload's bad characters are the null byte, space, LF, and CR; NOP sleds and shellcode in SIZE arguments will avoid these bytes, so scan FTP SIZE arguments for high-entropy, non-printable byte sequences
  • The exploit places the return address at offset 531 (opt=0, path '/') or 532 (opt=1, path '//') within the SIZE argument; look for SIZE arguments whose NOP sled starts at offset 7 of the command line (the byte after "SIZE /")
  • The Metasploit module's payload space is limited to 500 bytes and a stack adjustment of -3500 is applied; exploits with different payload sizes or stack adjustments may not match the exact buffer layout described
  • Return addresses (JMP ESI gadgets) are OS/SP/language-specific; the exploit targets XP SP2 Polish, 2000 SP4 Polish, XP SP2 English, 2000 SP4 English, and XP SP2 German, so detection based on return address values must account for all variants
  • The exploit requires valid FTP credentials before sending the malicious SIZE command; unauthenticated detection at the network layer alone is insufficient, because the attacker must first successfully log in
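The detection notes above can be turned into a control-channel scanner. The following is an added example, not code from the page's sources or from the Metasploit module: it walks a constructed FTP session (client and server lines), tracks whether a 230 login reply has been seen, and flags SIZE arguments that are oversized, carry a NOP sled right after the path, or hold one of the listed return addresses little-endian at offset 531 (path '/') or 532 (path '//'). The function names, the sample session, the 500-byte 0xcc stand-in for shellcode, and the assumption that the sled is plain 0x90 bytes (Metasploit's make_nops emits random NOP-equivalent instructions, so treat that check as a heuristic) are all this example's own.

```python
"""Heuristic detector for CVE-2006-4318-style SIZE overflows against WFTPD 3.23.

Added example (not from the page's sources or Metasploit). Indicators come from
the detection notes: >512-byte SIZE arguments, a NOP sled after the path,
known JMP ESI return addresses at argument offset 531/532, bad chars avoided.
"""
import struct

SIZE_LEN_THRESHOLD = 512            # ceiling for a "normal" filename length
RET_OFFSETS = {0: 531, 1: 532}      # opt (0 -> '/', 1 -> '//') -> ret offset
KNOWN_RETS = {0x7d16887b, 0x776f2015, 0x7cb9e082, 0x7848a5f1,
              0x7ca96834, 0x7c2d3028, 0x77dd1595, 0x77d498ec}
BADCHARS = b"\x00 \n\r"             # bytes the payload must avoid
PRINTABLE = set(range(0x20, 0x7f))
SLED_PROBE = 16                     # bytes checked for a 0x90 run (assumption)


def analyse_size_arg(arg: bytes) -> dict:
    """Score one SIZE argument (the bytes after 'SIZE ', CRLF stripped)."""
    f = {
        "length": len(arg),
        "oversized": len(arg) > SIZE_LEN_THRESHOLD,
        "badchars_present": any(b in arg for b in BADCHARS),
        "nonprintable_ratio": sum(b not in PRINTABLE for b in arg) / max(len(arg), 1),
        "nop_sled": False,
        "known_ret": None,
    }
    # The path prefix selects the buffer layout: '//' is opt=1, '/' is opt=0.
    opt = 1 if arg.startswith(b"//") else 0 if arg.startswith(b"/") else None
    if opt is not None:
        sled = arg[opt + 1: opt + 1 + SLED_PROBE]
        # Assumption: plain 0x90 sled; random NOP-equivalents would evade this.
        f["nop_sled"] = len(sled) == SLED_PROBE and sled.count(0x90) == SLED_PROBE
        off = RET_OFFSETS[opt]
        if len(arg) >= off + 4:
            ret = struct.unpack("<I", arg[off:off + 4])[0]   # x86 little-endian
            if ret in KNOWN_RETS:
                f["known_ret"] = ret
    f["suspicious"] = f["oversized"] or f["nop_sled"] or f["known_ret"] is not None
    return f


def scan_session(lines) -> list:
    """lines: iterable of (direction, raw_line), direction 'C' (client) or 'S'.

    Returns one alert dict per suspicious SIZE command, annotated with whether
    the server had already accepted a login (reply code 230) on this session.
    """
    alerts = []
    authenticated = False
    for direction, raw in lines:
        line = raw.rstrip(b"\r\n")
        if direction == "S":
            if line[:3] == b"230":
                authenticated = True
            continue
        if line[:5].upper() != b"SIZE ":
            continue
        f = analyse_size_arg(line[5:])
        if f["suspicious"]:
            f["authenticated"] = authenticated
            alerts.append(f)
    return alerts


def build_malicious_size(opt: int = 0, ret: int = 0x7cb9e082) -> bytes:
    """Constructed stand-in for the documented layout: path, sled, 500-byte
    payload space, return address at offset 531 + opt. 0xcc (int3) fills the
    payload space instead of real shellcode; it is inert for detection tests."""
    path = b"/" * (opt + 1)
    sled = b"\x90" * 30
    payload = b"\xcc" * 500
    return path + sled + payload + struct.pack("<I", ret)


# Constructed sample session: anonymous login, one benign SIZE, one attack.
SAMPLE_SESSION = [
    ("S", b"220 WFTPD 3.23 service ready\r\n"),
    ("C", b"USER anonymous\r\n"),
    ("S", b"331 Password required\r\n"),
    ("C", b"PASS guest@example.com\r\n"),
    ("S", b"230 User logged in\r\n"),
    ("C", b"SIZE /pub/readme.txt\r\n"),
    ("S", b"213 1234\r\n"),
    ("C", b"SIZE " + build_malicious_size(0) + b"\r\n"),
]

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print("ALERT: len=%d known_ret=%s sled=%s authenticated=%s" % (
            alert["length"], hex(alert["known_ret"] or 0),
            alert["nop_sled"], alert["authenticated"]))
```

The session scan is stateful on purpose: the module logs in before sending SIZE, so an alert whose `authenticated` flag is False either means the capture missed the login or that a different tool is probing. The return-address match is the highest-confidence signal; the length and sled checks are there to catch variants built for targets not in the list.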