CVE-2006-4847
Published 2006-09-19
Priority P3 · 52 · medium · 6.5 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Exploit available. EPSS: 85.21% (99.7th percentile)
Multiple buffer overflows in Ipswitch WS_FTP Server 5.05 before Hotfix 1 allow remote authenticated users to execute arbitrary code via long (1) XCRC, (2) XSHA1, or (3) XMD5 commands.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipswitch | ws_ftp_server | — | — |
| progress | ws_ftp_server | <= 5.05 | — |
| progress | ws_ftp_server | — | — |
Detection & IOCs
BadChars (bytes): \x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e
- Also monitor for XCRC and XSHA1 commands with oversized arguments, as all three verbs are vulnerable to the same buffer overflow class.
- Banner-check for 'WS_FTP Server 5.0.5' on FTP port 21 to identify vulnerable hosts; the Metasploit module uses this exact string to confirm vulnerability.
- The exploit requires prior FTP authentication (USER/PASS); alert on authenticated FTP sessions that subsequently issue XMD5/XCRC/XSHA1 with payloads exceeding normal argument length.
- The known return addresses (0x7c2ec663, 0x77dc0df0, 0x77dc5527, 0x1002e636) can be used as byte-level signatures within oversized XMD5 FTP command payloads at offset 676.
- The exploit payload space is constrained to 300–329 bytes and must avoid the listed bad characters; shellcode must be encoded accordingly.
- The Metasploit module applies a StackAdjustment of -3500, which may affect shellcode reliability depending on the target stack layout.
- The older exploit variant (exploit-db 3335) uses LIBEAY32.dll for its universal return address (push esp/ret at 0x1002e636); patching or updating this DLL would break this specific gadget.
- The exploit requires valid FTP credentials (defaults to user 'ftp' / pass 'ftp'); anonymous or default credentials increase exposure.
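The monitoring notes above, turned into a small detector over captured FTP control-channel lines. This is an added example, not code from any of the indexed sources; the function name `inspect_session`, the 256-byte threshold, the little-endian encoding of the listed addresses, and the sample session are assumptions made for illustration.

```python
# Verbs named in the advisory; each takes a file path argument.
HASH_VERBS = {"XCRC", "XSHA1", "XMD5"}
# Assumed threshold: tune to the longest legitimate path seen on your server.
MAX_ARG_LEN = 256
# Return addresses listed on this page, assumed little-endian (x86) on the wire.
KNOWN_RET = [a.to_bytes(4, "little") for a in
             (0x7C2EC663, 0x77DC0DF0, 0x77DC5527, 0x1002E636)]

def inspect_session(lines):
    """Scan the client-to-server lines (bytes) of one FTP session.

    Returns one alert dict per XCRC/XSHA1/XMD5 command whose argument is
    longer than MAX_ARG_LEN, recording whether USER/PASS preceded it and
    whether the argument contains one of the known return addresses.
    """
    alerts, user_seen, logged_in = [], False, False
    for n, raw in enumerate(lines, 1):
        verb, _, arg = raw.rstrip(b"\r\n").partition(b" ")
        verb = verb.decode("ascii", "replace").upper()
        if verb == "USER":
            user_seen, logged_in = True, False
        elif verb == "PASS" and user_seen:
            # Client-side view only: confirm with the server's 230 reply
            # if the capture includes responses.
            logged_in = True
        elif verb in HASH_VERBS and len(arg) > MAX_ARG_LEN:
            alerts.append({
                "line": n,
                "verb": verb,
                "arg_len": len(arg),
                "after_login": logged_in,
                "known_ret": any(sig in arg for sig in KNOWN_RET),
            })
    return alerts

# Constructed sample session (not taken from a real capture).
SAMPLE_SESSION = [
    b"USER ftp\r\n",
    b"PASS ftp\r\n",
    b"XMD5 report.txt\r\n",                        # normal use, no alert
    b"XCRC " + b"A" * 700 + b"\r\n",               # oversized argument
    b"XMD5 " + b"B" * 400 + KNOWN_RET[3] + b"\r\n",  # oversized + signature
]

if __name__ == "__main__":
    for alert in inspect_session(SAMPLE_SESSION):
        print(alert)
```

The length check is the primary signal; the address match only raises confidence, since a different return address would not be on this list.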
No detection rules found.
Exploit-DB
Ipswitch WS_FTP Server 5.05 - XMD5 Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: wsftp_server_505_xmd5.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Ipswitch WS_FTP Server 5.05 XMD5 Overflow',
'Description' => %q{
This module exploits a buffer overflow in the XMD5 verb in
IPSWITCH WS_FTP Server 5.05.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2006-4847' ],
[ 'OSVDB', '28939' ],
[ 'BID', '20076' ],
],
'Privileged' => false,
'Payload' =>
{
'Space' =
Exploit-DB
Ipswitch WS_FTP Server 5.05 - XMD5 Remote Buffer Overflow (Metasploit)
exploitdb·2007-02-19
---
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wsftp_server_505_xmd5;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'WS-FTP Server 5.05 XMD5 Overflow',
'Version' => '$Revision: 1.0 $',
'Authors' =>
[ 'Jacopo Cervini ',
],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFU
Metasploit
Ipswitch WS_FTP Server 5.05 XMD5 Overflow
metasploit
This module exploits a buffer overflow in the XMD5 verb in IPSWITCH WS_FTP Server 5.05.
No writeups or analysis indexed.
- http://ipswitch.com/support/ws_ftp-server/releases/wr505hf1.asp
- http://secunia.com/advisories/21932
- http://www.osvdb.org/28939
- http://www.securityfocus.com/bid/20076
- http://www.vupen.com/english/advisories/2006/3655
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28983