CVE-2010-1465
published 2010-04-16

CVE-2010-1465: Stack-based buffer overflow in Trellian FTP client 3.01, including 3.1.3.1789, allows remote attackers to execute arbitrary code via a long PASV response.

Priority: P259, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 31.27% (98.1th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
trellian | ftp | |
trellian | ftp | |

Detection & IOCs (extracted from sources)

url: http://www.trellian.com/bin/lu/dl/TrellianFTP.exe
command: 227 Entering Passive Mode (<payload>)
bytes: \xfd\x21\x40
bytes: \x7E429353
bytes: \xe9\x18\xfc\xff\xff
bytes: \xeb\xf9\x90\x90
  • Detect excessively long FTP PASV responses (>200 bytes in the parenthesized address field) sent from server to client — this is the trigger for the stack-based buffer overflow in Trellian FTP Client 3.01.
  • Monitor for FTP '227 Entering Passive Mode' responses containing non-numeric, high-entropy, or NOP-sled data inside the parentheses instead of the standard comma-delimited IP/port tuple.
  • Bad characters for payload encoding are \x00\x29\x2c\x2e (null, ')', ',', '.') — encoded shellcode in a malicious PASV response will avoid these bytes.
  • The exploit pads with 2171 bytes of junk before the NOP sled and payload; a PASV response body exceeding ~2171 bytes is a strong anomaly indicator for this CVE.
  • The JMP ESP gadget address (0x7E429353) used in the Perl PoC is specific to a particular Windows XP SP3 DLL load address and will not be reliable across different patch levels or OS versions.
  • The Metasploit module's p/p/r return address (0x004021fd in ftp.exe) is hardcoded for 'Windows XP Universal' and targets only Trellian FTP Client 3.01; other versions or OS targets are not covered.
  • Payload space is constrained to 900 bytes with a stack adjustment of -3500; payloads exceeding this space will not function correctly.
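
The length and format checks from the detection notes above, written as a filter over server-to-client FTP control lines. This is an added example, not code from the sources this page draws on; the function name, finding labels and sample lines are constructed for illustration.

```python
import re

# Thresholds taken from the detection notes above.
MAX_FIELD_LEN = 200   # parenthesized field longer than this is suspicious
PADDING_LEN = 2171    # junk padding length cited for this CVE

# A well-formed PASV argument is six comma-separated decimal numbers.
TUPLE_RE = re.compile(rb"\d{1,3}(,\d{1,3}){5}")


def check_pasv(line: bytes) -> list[str]:
    """Return anomaly findings for one server-to-client FTP control line."""
    if not line.startswith(b"227"):
        return []
    line = line.rstrip(b"\r\n")
    start = line.find(b"(")
    if start == -1:
        # Treated as an anomaly in this example (assumption).
        return ["no-parenthesized-field"]
    end = line.rfind(b")")
    findings = []
    if end > start:
        field = line[start + 1:end]
    else:
        field = line[start + 1:]
        findings.append("unterminated-field")
    if len(field) > MAX_FIELD_LEN:
        findings.append("field-too-long")
    if len(field) >= PADDING_LEN:
        findings.append("exceeds-cve-padding-length")
    if not TUPLE_RE.fullmatch(field):
        findings.append("not-a-host-port-tuple")
    elif any(int(n) > 255 for n in field.split(b",")):
        findings.append("octet-out-of-range")
    return findings


# Constructed sample lines: benign filler only, no exploit bytes.
SAMPLES = [
    b"227 Entering Passive Mode (192,168,1,10,19,137)\r\n",
    b"227 Entering Passive Mode (" + b"A" * 2200 + b")\r\n",
    b"227 Entering Passive Mode (192,168,1,999,19,137)\r\n",
    b"230 Login successful.\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:40], check_pasv(s))
```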