CVE-2009-3023
published 2009-08-31


Priority: P2 (75) · Severity: critical · CVSS 2.0 base: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Flags: exploited in the wild, public exploit available, listed in VulnCheck KEV
EPSS: 90.91% (99.8th percentile)
Buffer overflow in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 6.0 allows remote authenticated users to execute arbitrary code via a crafted NLST (NAME LIST) command that uses wildcards, leading to memory corruption, aka "IIS FTP Service RCE and DoS Vulnerability."

Affected

1 range
Vendor: microsoft · Product: internet_information_server · Version range: 5.0 – 6.0 · Fixed in: not listed

Detection & IOCs (extracted from sources)

port: 4444
command: NLST <path>*/../<path>*/
command: SITE KSEXY<shellcode>
command: MKD w00t<port>
other: T00WT00W (egg hunter tag)
other: retaddr 0x77F4B19B (JMP ESP, Windows 2000)
other: ret 0x773d24eb (jmp esp in activeds.dll, Windows 2000 SP4 English/Italian IIS 5.0)
other: ret 0x77e42ed8 (jmp esp in user32.dll, Windows 2000 SP3 English IIS 5.0)
other: ret 0x774fa593 (jmp esp, Windows 2000 SP0-SP3 Japanese IIS 5.0)
bytes (egg hunter, egg "SEXY"): \xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38\x53\x45\x58\x59\x75\xF7\x40\x40\x40\x40\xFF\xFF\xE0
bytes (egg hunter, egg left as placeholder): \xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38<egg>\x75\xF7\x40\x40\x40\x40\xFF\xE0
Both byte strings are the same egg hunter: mov eax,0x55525555 / xor eax,0x55555555 (leaving eax = 0x00070000, the search start) / inc eax / cmp dword [eax],<egg> / jne back to the inc / four inc eax to step over the egg / jmp eax. It carries no exception handling, so it relies on the memory above the search start being mapped. As quoted, the first variant ends in \xFF\xFF\xE0; \xFF\xFF does not decode as a valid instruction (FF /7 is undefined) and jmp eax is \xFF\xE0, so the extra byte is a transcription slip, which is one more reason to match on the 13-byte prefix rather than on the tail.
  • Detect the exploit trigger: an NLST command on the control channel (port 21) whose path argument contains the wildcard traversal pattern '*/../', issued after a CWD into a long directory path. The directory listing would be returned over the data channel; the memory corruption happens while the server processes the NLST argument itself.
  • Detect exploit staging: one or more SITE commands whose argument carries encoded shellcode prefixed 'KSEXY', sent before the NLST trigger so the payload is resident in the server's memory for the egg hunter to find.
  • Detect exploit staging: an MKD command creating a directory whose name is 'w00t' followed by a numeric port value, used to build the long path the overflow requires.
  • Detect the 13-byte egg hunter prefix \xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38 in FTP command arguments (SITE or MKD) on port 21; matching the prefix rather than the whole hunter keeps the rule independent of the egg value and of the trailing bytes, which differ between the two published variants.
  • Detect the egg tag 'T00WT00W' in PASS or SITE command arguments, where it marks the larger secondary payload that the egg hunter jumps to.
  • The exploit needs write access on the FTP server; alert on anonymous FTP sessions with write access that issue the MKD + SITE + NLST-with-wildcard sequence.
  • The payload's bad characters are \x00\x09\x0c\x20\x0a\x0d\x0b (NUL, the whitespace characters the FTP command parser splits on, and the line terminators); encoded shellcode in SITE/MKD arguments avoids them, so YARA/Snort payload rules can assume the payload bytes come from the remaining range.
  • Only IIS FTP servers on which the authenticated (or anonymous) user has write access to the filesystem are exploitable through this vector; servers configured read-only are not.
  • IIS 6.0 is affected but is built with stack cookies (GS), which catch the overflow and make direct exploitation far harder than on IIS 5.0; the public exploits and their return addresses target IIS 5.0 on Windows 2000.
  • The return addresses in the public exploits are hard-coded jmp esp trampolines for specific Windows 2000 service pack and language builds (SP4 English/Italian, SP3 English, SP0-SP3 Japanese); a detection keyed on these addresses is platform-specific and misses any variant retargeted to another build.
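
The command sequence and byte signatures above, as a runnable session scorer. This is an added example written for this page, not code from the page's sources or from any published exploit or IDS ruleset. The input format (one bytes line per command, b"<session-id> <COMMAND> [argument]"), the three sample sessions and the NOP-sled stand-ins for shellcode are all constructed, and the 'exploit_attempt' / 'suspicious' / 'clean' verdict rule is this example's own choice. The egg hunter decoder only knows the fixed layout quoted in the IOC list; it recovers the search start and the egg from any variant and flags a tail that is not the expected jne / inc x4 / jmp eax.

```python
"""Heuristic session scorer for CVE-2009-3023 exploit traffic (added example)."""
import re
import struct
from collections import defaultdict

# First 13 bytes of the egg hunter from the IOC list:
#   B8 imm32      mov eax, 0x55525555
#   35 imm32      xor eax, 0x55555555     ; eax = 0x00070000, the search start
#   40            inc eax
#   81 38 imm32   cmp dword [eax], <egg>  ; the 4-byte egg follows this prefix
EGGHUNTER_PREFIX = b"\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38"
EGG_TAG = b"T00WT00W"
BAD_CHARS = frozenset(b"\x00\x09\x0c\x20\x0a\x0d\x0b")    # bad characters listed above
MKD_STAGING_RE = re.compile(rb"^w00t\d{1,5}$")             # MKD w00t<port>
NLST_TRAVERSAL_RE = re.compile(rb"\*/\.\./")                # NLST <path>*/../<path>*/


def decode_egghunter(code):
    """Return search start, egg and a tail sanity flag for an egg hunter variant.

    Expected layout after the 13-byte prefix: 4-byte egg, 75 F7 (jne back to
    inc eax), 40 40 40 40 (step over the egg), FF E0 (jmp eax). Returns None
    when the prefix does not match.
    """
    if code[:1] != b"\xB8" or code[5:6] != b"\x35" or code[10:13] != b"\x40\x81\x38" or len(code) < 17:
        return None
    mov_imm = struct.unpack("<I", code[1:5])[0]
    xor_imm = struct.unpack("<I", code[6:10])[0]
    tail_ok = code[17:23] == b"\x75\xF7\x40\x40\x40\x40" and code[23:25] == b"\xFF\xE0"
    return {"search_start": mov_imm ^ xor_imm, "egg": code[13:17], "tail_ok": tail_ok}


def verdict(hits):
    """Trigger plus staging is an exploit attempt; either one alone is only suspicious."""
    trigger = any(h.startswith("NLST") for h in hits)
    staging = any(not h.startswith("NLST") for h in hits)
    if trigger and staging:
        return "exploit_attempt"
    return "suspicious" if (trigger or staging) else "clean"


def scan_session_commands(lines):
    """Group control-channel commands by session id and score each session.

    Returns {session_id: {"verdict": str, "indicators": [str, ...]}}.
    """
    indicators = defaultdict(list)
    for line in lines:
        parts = line.split(b" ", 2)
        if len(parts) < 2:
            continue
        sid, cmd = parts[0].decode("ascii", "replace"), parts[1].upper()
        arg = parts[2] if len(parts) == 3 else b""
        hits = indicators[sid]                      # creates the entry, so clean sessions are reported too
        if cmd == b"MKD" and MKD_STAGING_RE.match(arg):
            hits.append("MKD w00t<port> staging directory")
        if cmd == b"SITE" and arg.startswith(b"KSEXY"):
            payload = arg[len(b"KSEXY"):]
            free = "no" if BAD_CHARS.isdisjoint(payload) else "contains"
            hits.append(f"SITE KSEXY shellcode ({free} bad chars)")
        if cmd in (b"SITE", b"MKD") and EGGHUNTER_PREFIX in arg:
            hits.append("egg hunter prefix in %s argument" % cmd.decode())
        if cmd in (b"PASS", b"SITE") and EGG_TAG in arg:
            hits.append("egg tag T00WT00W in %s argument" % cmd.decode())
        if cmd == b"NLST" and NLST_TRAVERSAL_RE.search(arg):
            hits.append("NLST wildcard traversal trigger")
    return {sid: {"verdict": verdict(hits), "indicators": hits} for sid, hits in indicators.items()}


# Constructed sample traffic. Shellcode stand-ins are NOP sleds ending in int3, not real payloads.
HUNTER_SEXY = EGGHUNTER_PREFIX + b"SEXY" + b"\x75\xF7\x40\x40\x40\x40\xFF\xE0"
HUNTER_T00W = EGGHUNTER_PREFIX + b"T00W" + b"\x75\xF7\x40\x40\x40\x40\xFF\xE0"
SAMPLE_COMMANDS = [
    b"s1 USER anonymous", b"s1 PASS guest@", b"s1 MKD w00t4444", b"s1 CWD w00t4444",
    b"s1 SITE KSEXY" + b"\x90" * 8 + b"\xCC", b"s1 SITE " + HUNTER_SEXY,
    b"s1 NLST " + b"A" * 20 + b"*/../" + b"B" * 20 + b"*/",
    b"s2 USER bob", b"s2 PASS hunter2", b"s2 CWD pub", b"s2 NLST *.txt",
    b"s3 USER anonymous", b"s3 PASS " + EGG_TAG + b"\x90" * 8 + b"\xCC",
    b"s3 MKD w00t4444", b"s3 CWD w00t4444", b"s3 SITE " + HUNTER_T00W,
    b"s3 NLST " + b"A" * 20 + b"*/../" + b"A" * 20 + b"*/",
]

if __name__ == "__main__":
    for sid, result in scan_session_commands(SAMPLE_COMMANDS).items():
        print(sid, result["verdict"], result["indicators"])
    print(decode_egghunter(HUNTER_SEXY))
```

Sessions s1 and s3 exercise the two published variants (KSEXY shellcode with the "SEXY" egg, and a T00WT00W-tagged payload in PASS); s2 is an ordinary listing with a plain wildcard and scores clean, which is the case a naive "NLST with *" rule would get wrong.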

CVSS provenance

NVD: CVSS v2.0 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
VulnCheck: 9.0 CRITICAL