cbcvebase.
CVE-2009-1675
published 2009-05-18

CVE-2009-1675: Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows remote FTP servers to execute arbitrary code via a long 227 reply to a PASV command.

Priority: P3 / 54 · Severity: critical, 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
Tags: EXPLOIT
EPSS: 13.79% (96.0th percentile)

Affected (1 range)

Vendor: electrasoft
Product: 32bit_ftp
Version range / Fixed in: not listed

Detection & IOCs (extracted from sources)

command: exploit/windows/ftp/32bitftp_pasv_reply
registry: 0x7c868667
registry: 0x7C82385D
  • Detect malicious FTP server sending an oversized 227 PASV reply (~966+ bytes of numeric padding followed by a return address) to exploit 32bit FTP client 09.04.24.
  • Flag FTP 227 PASV responses exceeding normal length (normal is ~30 bytes); payloads here use ~966 bytes of numeric text before the return address.
  • Payload bad characters for this exploit are null byte, newline, carriage return, and space (\x00\x0a\x0d\x20); encoder used is AlphanumMixed — look for alphanumeric shellcode in FTP 227 responses.
  • The exploit also abuses overly long filenames served by a rogue FTP LIST reply (separate but related attack vector in the same client).
  • Return address 0x7c868667 (jmp esp, kernel32.dll) on Windows XP SP3 English is a reliable indicator of this specific exploit targeting that platform.
  • The exploit targets only 32bit FTP client version 09.04.24; other versions are not confirmed vulnerable.
  • Return addresses are platform-specific: 0x7c868667 for XP SP3 English and 0x7C82385D for XP SP2 French; detections relying on these hardcoded values will not generalise to other OS versions.
  • The Metasploit module sets a StackAdjustment of -3500, meaning the payload stack pivot is large; this is relevant when tuning stack-pivot detection thresholds.
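The length and format checks in the detection notes above, as an added example written for this page rather than code from any of the cited sources: it parses a 227 reply against the RFC 959 form `(h1,h2,h3,h4,p1,p2)`, flags replies that exceed a length ceiling (assumed here as 128 bytes, well above the ~30-byte normal) or contain a long run of numeric padding, and uses constructed sample replies in place of real captures.

```python
import re

# RFC 959 shape of a 227 reply: six decimal fields in parentheses, e.g.
# "227 Entering Passive Mode (192,168,1,10,19,137)."
PASV_RE = re.compile(
    r"^227 [^\r\n]*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
    r"[^\r\n]*\r?\n?$"
)
MAX_REPLY_LEN = 128   # assumption: normal 227 replies are ~30 bytes; the exploit uses ~966
MIN_DIGIT_RUN = 64    # assumption: no legitimate field needs more than a few digits


def parse_pasv(reply: bytes):
    """Return (host, port) for a well-formed 227 reply, or None if it does not parse."""
    m = PASV_RE.match(reply.decode("ascii", errors="replace"))
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def assess_pasv_reply(reply: bytes) -> dict:
    """Score one server-to-client 227 reply; any finding marks it suspicious."""
    findings = []
    if len(reply) > MAX_REPLY_LEN:
        findings.append(f"oversized 227 reply ({len(reply)} bytes)")
    parsed = parse_pasv(reply)
    if parsed is None:
        findings.append("227 reply does not match the RFC 959 (h1,h2,h3,h4,p1,p2) form")
    if re.search(rb"\d{%d,}" % MIN_DIGIT_RUN, reply):
        findings.append("long run of numeric padding before any address fields")
    return {"parsed": parsed, "suspicious": bool(findings), "findings": findings}


# Constructed samples (not captured traffic). The second mimics the shape described
# above: ~966 bytes of digits followed by a 4-byte placeholder where the return
# address would sit; "AAAA" is a stand-in, not a real address.
BENIGN_REPLY = b"227 Entering Passive Mode (192,168,1,10,19,137).\r\n"
SUSPECT_REPLY = b"227 " + b"1" * 966 + b"AAAA\r\n"

if __name__ == "__main__":
    for sample in (BENIGN_REPLY, SUSPECT_REPLY):
        print(assess_pasv_reply(sample))
```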