CVE-2007-1567
published 2007-03-21

Priority: P355
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 50.55% (98.8th percentile)

Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.

Affected

1 range

Vendor | Product | Version range | Fixed in
war_ftp_daemon | war_ftp_daemon | <= 1.65 |

Detection & IOCs (extracted from sources)

port: 7777
version: WAR-FTPD 1.65
command: USER AAAAA....(485 bytes)....BBBB
bytes: \xeb\x06\x90\x90
bytes: \xa9\x11\x02\x75
  • Exploit uses SEH overwrite technique with pop/pop/ret gadget from ws2help.dll on Windows 2000 SP4; detect anomalous SEH chain overwrites in WarFTP process.
  • USER command shellcode must avoid bytes 0x40 (@), 0x0A (\n), 0x0D (\r), 0x00 (\0); alphanumeric/encoded shellcode in FTP USER field is a strong exploit indicator.
  • EIP overwrite exploit (exploit-db/3474) uses 'call ebp' gadget from user32.dll on Windows 2000 SP4; monitor for EIP control via this gadget in WarFTP crash analysis.
  • JMP ESP return addresses are OS/SP-specific; the exploit includes hardcoded addresses for Windows XP SP0–SP2 and Windows 2000 SP0–SP3 (English and Spanish). Detection based on return addresses must account for all variants.
  • The NVD notes this may be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171; deduplication against those CVEs is required before creating separate detection rules.