CVE-2006-6576 (published 2006-12-15)
Priority P354 · high · CVSS 2.0 base score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available. EPSS: 66.81% (percentile 99.2)
Heap-based buffer overflow in Golden FTP Server (goldenftpd) 1.92 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long PASS command. NOTE: it was later reported that 4.70 is also affected. NOTE: the USER vector is already covered by CVE-2005-0634.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| goldenftpserver | golden_ftp_server | — | — |
Detection & IOCs (extracted from sources)
Shellcode byte patterns:
- `\x2b\xc9\xb1\x56\xba\x96\x70\x11\x9e\xdb\xd0\xd9\x74\x24\xf4\x58`
- `\xba\x1e\xb6\xaa\x95\xda\xc3\xd9\x74\x24\xf4\x5d\x29\xc9\xb1\x52`
- `\xfd\xb8\x43\x42\x41\x40\x89\xF7\x47\x90\x83\xC7\x03\xaf\x75\xfa`

Detection guidance:
- Detect exploitation attempts by monitoring FTP PASS commands with anomalously long arguments (>524 bytes) sent to Golden FTP Server on port 21.
- The exploit requires the 'Show new connections' option to be enabled on the Golden FTP Server; this setting is off by default. Verify server configuration and alert if it is enabled on exposed instances.
- Fingerprint vulnerable Golden FTP Server instances by matching the FTP banner regex pattern for version 4.70.
- The exploit sends 'USER anonymous' followed immediately by an oversized 'PASS' payload; alert on anonymous FTP login attempts where the PASS argument exceeds normal length bounds.
- The egg hunter uses the 4-byte egg value 0x40414243 ('ABC@'); scan memory or network traffic for this egg tag as an indicator of egg-hunter shellcode delivery.
- The post-exploitation bind shell listens on port 4444; monitor for unexpected outbound or inbound connections to port 4444 from the FTP server host.
- Bad characters for payload encoding are the null byte, newline, and carriage return; payloads in PASS commands lacking these bytes but containing encoded shellcode are suspicious.

Notes:
- The buffer overflow is only triggerable when the 'Show new connections' option is enabled in Golden FTP Server settings; this option is disabled by default, significantly limiting the attack surface.
- The exact overflow offset varies depending on the source IP subnet of the attacker, ranging from 524 to 533 bytes; detection rules based on fixed buffer lengths may miss some variants.
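The following is an added example, not code from this page or from any of the exploits it lists: a small Python analyser that applies the indicators above (PASS argument length, anonymous USER preceding it, the 'ABC@' egg tag, and flows to the bind-shell port 4444) to a constructed FTP control-channel session. The threshold, tag and port come from the bullets; the session bytes and flow records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Values from the indicators above. The overflow offset depends on the
# server's subnet (524..533 bytes), so a rule keyed to one exact length
# misses variants; alerting at the low end of the range covers them all.
PASS_LEN_ALERT = 524
EGG_TAG = b"ABC@"        # 4-byte egg tag the indicators attribute to the egg hunter
BIND_SHELL_PORT = 4444   # post-exploitation bind shell port

@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str

def analyze_ftp_session(raw: bytes) -> List[Finding]:
    """Scan client->server FTP control-channel bytes (CRLF-delimited
    commands) for an oversized PASS, whether it followed an anonymous
    USER, and for the egg tag inside the PASS argument."""
    findings: List[Finding] = []
    anonymous = False
    for n, line in enumerate(raw.split(b"\r\n"), 1):
        if not line:
            continue
        verb, _, arg = line.partition(b" ")
        verb = verb.upper()
        if verb == b"USER":
            anonymous = arg.strip().lower() == b"anonymous"
        elif verb == b"PASS":
            if len(arg) >= PASS_LEN_ALERT:
                who = "anonymous" if anonymous else "named"
                findings.append(Finding(n, "oversized_pass",
                    f"PASS argument is {len(arg)} bytes after {who} USER"))
            if EGG_TAG in arg:
                findings.append(Finding(n, "egg_tag", "egg hunter tag in PASS"))
    return findings

def bind_shell_connections(flows: Iterable[Tuple[str, str, int]],
                           ftp_host: str) -> List[Tuple[str, str, int]]:
    """Return flow records (src, dst, dport) touching the FTP host on the
    bind-shell port; seen after an oversized PASS, they indicate the
    overflow succeeded rather than merely crashing the service."""
    return [f for f in flows if f[2] == BIND_SHELL_PORT and ftp_host in f[:2]]

# Constructed sample session (not a real capture): a benign login followed by
# the pattern described above, with the egg tag embedded in the PASS payload.
SAMPLE_SESSION = (b"USER alice\r\nPASS s3cret\r\n"
                  b"USER anonymous\r\nPASS " + b"A" * 600 + EGG_TAG + b"\r\nQUIT\r\n")
```

Feed it the client side of a reassembled port-21 stream; a PASS of 524 bytes or more after a named USER is still reported, so the anonymous check only enriches the detail rather than gating the alert.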
No detection rules found.
Exploit-DB: Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2) (exploitdb, 2021-03-09)
---
```python
# Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)
# Author: 1F98D
# Original Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
# Tested on Windows 10 (x64)
#
# A buffer overflow exists in GoldenFTP during the authentication process.
# Note that the source ip address of the user performing the authentication
# forms part of the buffer and as such must be accounted for when calculating
# the appropriate offset. It should also be noted that the exploit is
# rather unstable and if exploitation fails, GoldenFTP will be left in
# a state where it will still accept connections, but it will be unable
# to handle or process them in any way, so be careful.
#
#!/usr/local/bin/python3
from socket import *
import sys
#
```
Exploit-DB: Golden FTP Server 4.70 - PASS Stack Buffer Overflow (Metasploit) (exploitdb, 2011-06-02)
---
```ruby
#
# $Id: goldenftp_pass_bof.rb 12812 2011-06-02 01:10:22Z bannedit $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # (the lines between the class header and the module info hash are missing from this excerpt)
  'Name'           => 'GoldenFTP PASS Stack Buffer Overflow',
  'Description'    => %q{
    This module exploits a vulnerability in the Golden
    FTP service. This module uses the PASS command to trigger the overflow.
  },
  'Author'         => [ 'bannedit' ],
  'License'        => MSF_LICENSE,
  'Version'        => '$Revision: 12812 $',
  'References'     =>
    [
      [ 'BID', '45957 '],
      [ 'URL', 'http://www.exploit-db.com/exploits/16
```
Exploit-DB: Golden FTP Server 4.70 - 'PASS' Buffer Overflow (exploitdb, 2011-01-23)
---
```ruby
#GoldenFTP 4.70 PASS Exploit
#Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
#Tested on XP SP3
#Vendor Contacted: 1/17/2011 (no response)
#For this exploit to work correctly, you need to know the subnet that the server
#is running on. You also need to make sure that "show new connections" is checked in the options.
#The total length of the buffer should be 4 bytes less than the offset, with EIP at the end.
#528 is the offset when server running on 192.168.236.0
#533 is the offset when server running on 10.0.1.0
#530 is the offset when server running on 192.168.1.0
#531 is the offset when server running on 172.16.1.0
require 'net/ftp'
#Metasploit bind shell port=4444 | shikata_ga_nai | 369 bytes
shellcode = ("\
```
Metasploit: GoldenFTP PASS Stack Buffer Overflow
This module exploits a vulnerability in the Golden FTP service, using the PASS command to cause a buffer overflow. Please note that in order to trigger the vulnerable code, the victim machine must have the "Show new connections" setting enabled. By default, this option is unchecked.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/161711/Golden-FTP-Server-4.70-Buffer-Overflow.html
- http://retrogod.altervista.org/golden_heap.html
- http://secunia.com/advisories/23323
- http://www.exploit-db.com/exploits/16036
- http://www.securityfocus.com/bid/45924
- http://www.securityfocus.com/bid/45957
- http://www.vupen.com/english/advisories/2006/4936