CVE-2006-4847
published 2006-09-19


Priority: P3 (52) · CVSS 2.0: 6.5 (medium)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT · EPSS: 85.21% (99.7th percentile)
Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.

Affected

27 ranges · showing 25 (the 25 listed rows cover the two vendor/product pairs below; only one row carries a version range)

Vendor     Product          Version range   Fixed in
ipswitch   ws_ftp_server    (not listed)    (not listed)
progress   ws_ftp_server    <= 5.05         (not listed)

Detection & IOCs (extracted from sources)

  • command: XMD5 <676-byte overflow buffer>
  • other: Return address (Windows 2000 Pro SP4 English): 0x7c2ec663
  • other: Return address (Windows XP Pro SP0 English): 0x77dc0df0
  • other: Return address (Windows XP Pro SP1 English): 0x77dc5527
  • other: Return address (WS-FTP Server 5.05 Universal, LIBEAY32.dll push esp/ret): 0x1002e636
  • bytes: BadChars: \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e
  • Also monitor for XCRC and XSHA1 commands with oversized arguments, as all three verbs are vulnerable to the same buffer overflow class.
  • Banner-check for 'WS_FTP Server 5.0.5' on FTP port 21 to identify vulnerable hosts; the Metasploit module uses this exact string to confirm vulnerability.
  • The exploit requires prior FTP authentication (USER/PASS); alert on authenticated FTP sessions that subsequently issue XMD5/XCRC/XSHA1 with payloads exceeding normal argument length.
  • The known return addresses (0x7c2ec663, 0x77dc0df0, 0x77dc5527, 0x1002e636) can be used as byte-level signatures within oversized XMD5 FTP command payloads at offset 676.
  • The exploit payload space is constrained to 300–329 bytes and must avoid the listed bad characters; shellcode must be encoded accordingly.
  • The Metasploit module applies a StackAdjustment of -3500, which may affect shellcode reliability depending on the target stack layout.
  • The older exploit variant (exploit-db 3335) uses LIBEAY32.dll for its universal return address (push esp/ret at 0x1002e636); patching or updating this DLL would break this specific gadget.
  • The exploit requires valid FTP credentials (defaults to user 'ftp' / pass 'ftp'); anonymous or default credentials increase exposure.
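As an added defender-side example (not from this CVE record, the vendor, or any Metasploit code), the following Python scans an FTP control-channel log for XMD5/XCRC/XSHA1 commands with oversized arguments and separates authenticated sessions from unauthenticated ones, as the bullets above suggest. The log line format, the sample lines and the 256-byte threshold are assumptions made for the example.

```python
import re

# Constructed sample of an FTP control-channel log in an assumed format
# "<timestamp> <client-ip> <direction> <text>" (">" client->server, "<" server->client).
# The oversized arguments are plain padding, not a real payload.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 > USER ftp
2024-05-01T10:00:01Z 198.51.100.7 < 331 Password required
2024-05-01T10:00:02Z 198.51.100.7 > PASS ftp
2024-05-01T10:00:02Z 198.51.100.7 < 230 User logged in
2024-05-01T10:00:03Z 198.51.100.7 > XMD5 report.txt
2024-05-01T10:00:05Z 198.51.100.7 > XMD5 {pad}
2024-05-01T10:00:09Z 203.0.113.9 > USER anonymous
2024-05-01T10:00:09Z 203.0.113.9 < 331 Password required
2024-05-01T10:00:10Z 203.0.113.9 > XCRC {pad}
""".format(pad="A" * 700)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dir>[<>]) (?P<text>.*)$")
HASH_VERBS = {"XMD5", "XCRC", "XSHA1"}  # the three verbs named in the advisory

def detect_oversized_hash_commands(log, max_arg_len=256):
    """Flag XMD5/XCRC/XSHA1 commands whose argument exceeds max_arg_len bytes.

    Sessions are keyed by client address and marked authenticated once the
    server answers 230. Oversized commands in unauthenticated sessions are
    still reported, but at lower severity, because the overflow described in
    this record needs a logged-in session. max_arg_len is an assumed threshold.
    """
    authenticated = set()
    alerts = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        client, text = m["client"], m["text"]
        if m["dir"] == "<":
            if text.startswith("230"):
                authenticated.add(client)
            continue
        verb, _, arg = text.partition(" ")
        arg_len = len(arg.encode("latin-1", "replace"))
        if verb.upper() in HASH_VERBS and arg_len > max_arg_len:
            alerts.append({
                "ts": m["ts"], "client": client, "verb": verb.upper(),
                "arg_len": arg_len, "authenticated": client in authenticated,
                "severity": "high" if client in authenticated else "low",
            })
    return alerts
```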