CVE-2010-1465
Published 2010-04-16

Priority: P2 (59), critical. CVSS 2.0 base score 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C.
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below).
EPSS: 31.27% (98.1th percentile)
Stack-based buffer overflow in Trellian FTP client 3.01, including 3.1.3.1789, allows remote attackers to execute arbitrary code via a long PASV response.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trellian | ftp | — | — |
| trellian | ftp | — | — |
Detection & IOCs (extracted from sources)

Byte sequences appearing in the public exploits:
- `\xfd\x21\x40`
- `\x7E429353`
- `\xe9\x18\xfc\xff\xff`
- `\xeb\xf9\x90\x90`
Detection guidance:
- Detect excessively long FTP PASV responses (more than 200 bytes in the parenthesized address field) sent from server to client; this is the trigger for the stack-based buffer overflow in Trellian FTP Client 3.01.
- Monitor FTP '227 Entering Passive Mode' responses for non-numeric, high-entropy, or NOP-sled data inside the parentheses in place of the standard comma-delimited IP/port tuple.
- Bad characters for payload encoding are \x00\x29\x2c\x2e (null, ')', ',', '.'); encoded shellcode in a malicious PASV response will avoid these bytes.
- The exploit pads with 2171 bytes of junk before the NOP sled and payload; a PASV response body exceeding roughly 2171 bytes is a strong anomaly indicator for this CVE.

Notes on the public exploits:
- The JMP ESP gadget address (0x7E429353) used in the Perl PoC is specific to a particular Windows XP SP3 DLL load address and will not be reliable across different patch levels or OS versions.
- The Metasploit module's p/p/r return address (0x004021fd in ftp.exe) is hardcoded for 'Windows XP Universal' and targets only Trellian FTP Client 3.01; other versions or OS targets are not covered.
- Payload space is constrained to 900 bytes with a stack adjustment of -3500; payloads exceeding this space will not function correctly.
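As an added example that is not taken from this page's sources, the following Python checker applies the detection notes above to raw 227 replies as a server sends them. The thresholds (200-byte address field, 2171-byte body), the NOP-run length of 8 and the IOC byte sequences are assumptions taken from the notes, and the sample replies are constructed, not captured traffic.

```python
import re

# Thresholds taken from the detection notes on this page; tune per environment.
MAX_FIELD_LEN = 200       # a legitimate h1,h2,h3,h4,p1,p2 field is well under 30 bytes
MAX_BODY_LEN = 2171       # the PoC pads with 2171 junk bytes before its payload
# Strict grammar for the address field, as RFC 1123 4.1.2.6 advises clients to parse it.
PASV_FIELD_RE = re.compile(rb"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
NOP_SLED_RE = re.compile(rb"\x90{8,}")   # 8+ consecutive NOPs (assumed sled threshold)
# Byte sequences listed under Detection & IOCs above (little-endian p/p/r address, jmp-back stubs).
KNOWN_IOC_BYTES = (b"\xfd\x21\x40", b"\xeb\xf9\x90\x90", b"\xe9\x18\xfc\xff\xff")

def analyze_pasv_reply(reply: bytes) -> dict:
    """Inspect one raw FTP reply line (server -> client) and report anomalies."""
    findings = []
    if not reply.startswith(b"227"):
        return {"is_pasv": False, "suspicious": False, "findings": findings}
    body = reply[3:].rstrip(b"\r\n")
    if len(body) > MAX_BODY_LEN:
        findings.append(f"body length {len(body)} exceeds {MAX_BODY_LEN}")
    start, end = body.find(b"("), body.rfind(b")")
    field = body[start + 1:end] if 0 <= start < end else b""
    if not field:
        findings.append("empty or missing parenthesized address field")
    if len(field) > MAX_FIELD_LEN:
        findings.append(f"address field length {len(field)} exceeds {MAX_FIELD_LEN}")
    match = PASV_FIELD_RE.match(field)
    if match is None:
        findings.append("address field is not six comma-separated decimal numbers")
    elif any(int(octet) > 255 for octet in match.groups()):
        findings.append("address field contains a value above 255")
    if NOP_SLED_RE.search(body):
        findings.append("run of 0x90 (NOP) bytes inside reply")
    for ioc in KNOWN_IOC_BYTES:
        if ioc in body:
            findings.append(f"known IOC byte sequence {ioc!r} present")
    return {"is_pasv": True, "suspicious": bool(findings), "findings": findings}

# Constructed sample replies (not captured traffic): normal, bad port value, oversized filler.
SAMPLES = {
    "benign": b"227 Entering Passive Mode (192,168,1,10,195,80).\r\n",
    "bad_port": b"227 Entering Passive Mode (192,168,1,10,300,80)\r\n",
    "oversized": b"227 Entering Passive Mode (" + b"A" * 2171 + b"\x90" * 16 + b"B" * 40 + b")\r\n",
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        verdict = analyze_pasv_reply(reply)
        print(name, "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["findings"])
```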
No detection rules found.
Exploit-DB (2010-06-15): Trellian FTP Client 3.01 - PASV Remote Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: trellian_client_pasv.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
through an excessively long PASV message.
},
'Author' =>
[
'zombiefx', # Original exploit author
'dookie' # MSF module author
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9525 $',
'References' =>
[
[ 'CVE
```
Exploit-DB (2010-04-11): Trellian FTP Client - PASV Buffer Overflow
---
```perl
# Exploit Title: Trellian FTP Client PASV BOF exploit
# Date: 2010-04-11
# Author: zombiefx
# Software Link: http://www.trellian.com/bin/lu/dl/TrellianFTP.exe
# Version: Trellian FTP Client v 3.01
# Tested on: Windows XP SP3
# Usage: ./ftpserver.pl
# Acts as a fake ftp server that passes the vulnerable PASV command when a client connects.
# Code:
#!/usr/bin/perl
use warnings;
use strict;
use IO::Socket;
my $ftpsock =
new IO::Socket::INET( LocalPort => '21', Proto => 'tcp', Listen => '1' )
or die "Socket Not Created $!\n";
print "#############################################################\n"
. "# Trellian FTP Client PASV BOF exploit #\n"
. "# Author:zombiefx #\n"
. "# Greetz to: corelanc0d3r/Dino Dai Zovi #\n"
. "# http://pentest.cryptocity
```
Metasploit: Trellian FTP Client 3.01 PASV Remote Buffer Overflow
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered through an excessively long PASV message.
No writeups or analysis indexed.