cbcvebase.
CVE-2009-3976
published 2009-11-18

Priority: P3 · 50 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 28.28% (97.9th percentile)
Buffer overflow in Labtam ProFTP 2.9 allows remote FTP servers to cause a denial of service (application crash) or execute arbitrary code via a long 220 reply (aka connection greeting or welcome message).

Affected

1 range
Vendor       Product   Version range   Fixed in
labtam-inc   proftp    -               -

Detection & IOCs (extracted from sources)

version: ProFTP 2.9
other:   0x6809d408
bytes:   220 <2064 numeric bytes><0x08d40968><20 NOPs><payload>\r\n
  • Detect exploit by monitoring FTP 220 banner responses exceeding 2064 bytes in length — the overflow is triggered by an excessively long FTP welcome/greeting message sent by a rogue server to the ProFTP 2.9 client.
  • The exploit uses SEH-based exit function ('EXITFUNC' => 'seh'); look for SEH chain overwrites in ProFTP 2.9 process crash dumps following an FTP connection.
  • The return address 0x6809d408 targets WCMDPA10.dll (shipped with ProFTP); presence of this address in network traffic or memory indicates active exploitation.
  • Bad characters excluded from payload are \x00, \x0a, \x0d, \x20; any FTP 220 banner containing a large block of numeric characters without these bytes should be treated as suspicious.
  • The exploit acts as a rogue FTP server on port 21; monitor for unexpected processes listening on TCP/21 that send oversized 220 banners to connecting FTP clients.
  • The exploit was tested and confirmed only against Windows XP SP3 English; the return address (0x6809d408 in WCMDPA10.dll) is specific to this platform/version and may not apply to other OS versions.
  • Payload space is limited to 1000 bytes; shellcode embedded in the 220 banner will be constrained to this size, which may affect detection rules that rely on payload length thresholds.
  • A stack adjustment of -3500 bytes is applied before payload execution; this unusual stack pivot may be used as a behavioral detection signal in memory analysis.
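The indicators above can be turned into a simple screen over captured FTP greetings. This is an added detection example, not code from the CVE record, the exploit or Labtam; the 2064-byte limit and the address 0x6809d408 come from the record, while the 256-digit run threshold and the sample banners are constructed assumptions.

```python
"""Screen FTP 220 greetings for the CVE-2009-3976 indicators listed above.

Added detection example; it is not code from the CVE record, the exploit
or Labtam. Constants come from the record (2064-byte limit, return address
0x6809d408 in WCMDPA10.dll); the digit-run threshold and sample banners are
constructed assumptions.
"""
import re
import struct

MAX_SANE_GREETING = 2064                   # bytes of greeting text ProFTP 2.9 handles safely
RET_ADDR = 0x6809d408                      # WCMDPA10.dll address named in the record
RET_ADDR_LE = struct.pack("<I", RET_ADDR)  # b"\x08\xd4\x09\x68": the byte order seen on the wire
NUMERIC_RUN = re.compile(rb"[0-9]{256,}")  # long digit filler; 256 is an assumed threshold


def greeting_lines(data: bytes) -> list:
    """Collect the 220 reply lines (RFC 959 multi-line form '220-...' ends with a '220 ' line)."""
    lines = []
    for line in data.split(b"\r\n"):
        if not line.startswith(b"220"):
            break                          # not a greeting (or garbage before it)
        lines.append(line)
        if line.startswith(b"220 "):       # terminating line of the reply
            break
    return lines


def inspect_greeting(data: bytes) -> list:
    """Return the indicator names the greeting triggers; an empty list means nothing matched."""
    lines = greeting_lines(data)
    if not lines:
        return []
    text = b"".join(line[4:] for line in lines)  # greeting text after the '220 '/'220-' prefix
    findings = []
    if len(text) > MAX_SANE_GREETING:
        findings.append("oversized-220-greeting")
    if RET_ADDR_LE in text or hex(RET_ADDR).encode() in text.lower():
        findings.append("wcmdpa10-return-address")
    if NUMERIC_RUN.search(text):
        findings.append("long-numeric-filler")
    return findings


# Constructed samples: a normal two-line greeting and an oversized one carrying the address.
BENIGN = b"220-Welcome to the constructed test server\r\n220 Ready\r\n"
SUSPECT = b"220 " + b"7" * 2100 + RET_ADDR_LE + b"\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_greeting(sample) or "clean")
```

Feed it the first server-to-client bytes of each FTP session (for example from a packet capture) to flag greetings that exceed the safe length or carry the platform-specific return address.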