CVE-2009-3976
Published 2009-11-18
Priority: P350 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: EXPLOIT
EPSS: 28.28% (97.9th percentile)
Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to cause a denial of service (application crash) or execute arbitrary code via a long 220 reply (aka connection greeting or welcome message).
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| labtam-inc | proftp | — | — |
Detection & IOCs (extracted from sources)
Exploit banner layout (bytes): `220 <2064 numeric bytes><0x08d40968><20 NOPs><payload>\r\n`
- Detect the exploit by monitoring FTP 220 banner responses exceeding 2064 bytes in length; the overflow is triggered by an excessively long FTP welcome/greeting message sent by a rogue server to the ProFTP 2.9 client.
- The exploit uses an SEH-based exit function ('EXITFUNC' => 'seh'); look for SEH chain overwrites in ProFTP 2.9 process crash dumps following an FTP connection.
- The return address 0x6809d408 targets WCMDPA10.dll (shipped with ProFTP); presence of this address in network traffic or memory indicates active exploitation.
- Bad characters excluded from the payload are \x00, \x0a, \x0d, \x20; any FTP 220 banner containing a large block of numeric characters without these bytes should be treated as suspicious.
- The exploit acts as a rogue FTP server on port 21; monitor for unexpected processes listening on TCP/21 that send oversized 220 banners to connecting FTP clients.
- The exploit was tested and confirmed only against Windows XP SP3 English; the return address (0x6809d408 in WCMDPA10.dll) is specific to this platform/version and may not apply to other OS versions.
- Payload space is limited to 1000 bytes; shellcode embedded in the 220 banner is constrained to this size, which may affect detection rules that rely on payload length thresholds.
- A stack adjustment of -3500 bytes is applied before payload execution; this unusual stack pivot may be used as a behavioral detection signal in memory analysis.
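As an added example (not code from the page's sources or from the Metasploit module), a passive check that applies the indicators above to a captured FTP greeting: oversized 220 line, the WCMDPA10.dll return address in wire byte order, the 20-byte NOP sled, and a long numeric run free of the listed bad characters. The 1024-digit run threshold is an assumption, and both sample banners are constructed.

```python
import re
from dataclasses import dataclass, field

# Values below come from the CVE-2009-3976 detection notes on this page.
OVERFLOW_LEN = 2064                        # numeric filler preceding the SEH overwrite
RET_ADDR_LE = bytes.fromhex("08d40968")    # 0x6809d408 (WCMDPA10.dll) as sent on the wire
BAD_CHARS = frozenset({0x00, 0x0A, 0x0D, 0x20})
NOP_SLED = b"\x90" * 20
NUMERIC_RUN_MIN = 1024                     # assumed heuristic, not a value from the page


@dataclass
class BannerVerdict:
    is_220: bool
    longest_line: int
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def inspect_banner(reply: bytes) -> BannerVerdict:
    """Inspect the raw server greeting (everything received before the first client command)."""
    lines = [ln for ln in reply.split(b"\r\n") if ln]
    if not lines or not lines[0].startswith(b"220"):
        return BannerVerdict(is_220=False, longest_line=0)
    verdict = BannerVerdict(is_220=True, longest_line=max(len(ln) for ln in lines))
    for ln in lines:
        body = ln[4:] if ln[3:4] in (b" ", b"-") else ln[3:]   # strip "220 " / "220-"
        if len(body) > OVERFLOW_LEN:
            verdict.findings.append("oversized_line")
        if RET_ADDR_LE in body:
            verdict.findings.append("wcmdpa10_ret_addr")
        if NOP_SLED in body:
            verdict.findings.append("nop_sled")
        numeric_run = re.search(rb"[0-9]{%d,}" % NUMERIC_RUN_MIN, body)
        if numeric_run and not any(b in BAD_CHARS for b in body):
            verdict.findings.append("numeric_filler_no_badchars")
    verdict.findings = sorted(set(verdict.findings))
    return verdict


# Constructed samples, not captured traffic: a normal greeting and one shaped like the
# documented layout, with inert filler ("A" bytes) where shellcode would sit.
BENIGN = b"220-Welcome\r\n220 ProFTPD Server ready.\r\n"
EXPLOIT_SHAPED = b"220 " + b"1" * OVERFLOW_LEN + RET_ADDR_LE + NOP_SLED + b"A" * 32 + b"\r\n"

if __name__ == "__main__":
    for sample in (BENIGN, EXPLOIT_SHAPED):
        v = inspect_banner(sample)
        print(v.suspicious, v.longest_line, v.findings)
```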
No detection rules found.
Exploit-DB: ProFTP 2.9 - Banner Remote Buffer Overflow (Metasploit)
exploitdb · 2010-07-03

```ruby
##
# $Id: proftp_banner.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'ProFTP 2.9 Banner Remote Buffer Overflow Exploit',
'Description' => %q{
This module exploits a buffer overflow in the ProFTP 2.9
client that is triggered through an excessively long welcome message.
},
'Author' => [ 'His0k4 ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9669 $',
'References' =>
[
[ 'CVE', '2009-3976' ],
[ 'OSVDB', '57394' ],
[ 'URL', 'http://www.labtam-inc.com/index.ph
```
Exploit-DB: ProFTP 2.9 - Welcome Message Remote Buffer Overflow (Metasploit)
exploitdb · 2009-08-25

```ruby
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'ProFTP 2.9 (welcome message) Remote Buffer Overflow Exploit',
'Description' => %q{
This module exploits a buffer overflow in the ProFTP 2.9
client that is triggered through an excessively long welcome message.
},
'Author' => [ 'His0k4 ' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'URL', 'http://www.labtam-inc.com/index.php?act=products&pid=1' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' =>
```
Metasploit: ProFTP 2.9 Banner Remote Buffer Overflow
This module exploits a buffer overflow in the ProFTP 2.9 client that is triggered through an excessively long welcome message.
No writeups or analysis indexed.
References:
- http://www.exploit-db.com/exploits/9508
- http://www.securityfocus.com/bid/36128
- http://www.vupen.com/english/advisories/2009/2414
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52730