CVE-2011-3976
Published 2011-10-04
Priority P3 · 49 · medium · CVSS 2.0 base score 6.8 (vector AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit available · EPSS 30.59% (98.0th percentile)
Stack-based buffer overflow in AmmSoft ScriptFTP 3.3 allows remote FTP servers to execute arbitrary code via a long filename in a response to a LIST command, as demonstrated using (1) GETLIST or (2) GETFILE in a ScriptFTP script.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ammsoft | scriptftp | — | — |
Detection & IOCs (extracted from sources)
- other: Malicious FTP LIST response pattern: -rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <1746+ byte filename>.txt
- other: Malicious FTP LIST response pattern (POC): -rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <crash buffer>.txt
- bytes: \x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35
- bytes: \x61 (nseh) + \xd6\x41 (ret) for Windows XP SP3 / Windows Vista
- bytes: \x45\x5B (SEH overwrite / PPR gadget in scriptftp.exe)
- bytes: nseh = \x61\x62
Detection guidance:
- Detect a ScriptFTP client connecting to a rogue FTP server: watch for FTP LIST responses containing filenames exceeding 1746 bytes, which is the overflow offset for ScriptFTP 3.3.
- The exploit overwrites the SEH chain; look for SEH-based exception handler overwrites in ScriptFTP process memory (scriptftp.exe) with the values 0x5B45 (\x45\x5B) or 0x41D6 (\xd6\x41).
- The Metasploit module uses AlphanumMixed encoding with BufferRegister=EDI or EDX; detect alphanumeric shellcode in FTP data-channel traffic following an oversized LIST response.
- The attack requires social engineering: a victim double-clicks a specially crafted .ftp script file, which causes ScriptFTP to connect to the attacker's FTP server. Monitor for ScriptFTP launching and immediately connecting to external or unknown FTP servers.
- The getpc stub bytes \x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35 appear in the exploit payload before the egghunter; use them as a byte-level signature in network or memory scanning.
- The OSVDB reference 75633 and the exploit-db reference 17876 can be used to correlate threat intelligence for this vulnerability in SIEM/TIP platforms.

Caveats:
- The SEH overwrite offset of 1746 bytes and the RET gadget addresses are specific to ScriptFTP version 3.3 (File version=Build 3/9/2009); different builds may have different offsets.
- The exploit uses a passive FTP data connection for delivery; active-mode FTP environments or strict firewall rules on data channels may prevent exploitation.
- Bad characters for payload encoding are \x00\xff\x0d\x5c\x2f\x0a (Metasploit module) or \x00\x01-\x09\x0a\x0d\x2F\x5c\x3c\x3e\x5e\x7e (POC); signatures based on raw shellcode bytes may miss encoded variants.
- The vulnerability affects ScriptFTP versions 3.3 and earlier; patched or newer versions are not affected.
No detection rules found.
Exploit-DB · exploitdb · 2011-10-09
ScriptFTP 3.3 - LIST Remote Buffer Overflow (Metasploit) (2)
---
```ruby
##
# $Id: scriptftp_list.rb 13841 2011-10-09 05:36:42Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'ScriptFTP %q{
AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow
vulnerability that is triggered when processing a sufficiently long filename during
a FTP LIST command resulting in overwriting the exception handler. Social engineering
of executing a specially crafted ftp file by double click will result in connecting to
our malicious server and perform arbitrary code e
```
Exploit-DB · exploitdb · 2011-09-29
ScriptFTP 3.3 - Remote Buffer Overflow (Metasploit)
---
```ruby
#Exploit Title: ScriptFTP 3.3 Remote Buffer Overflow (MSF)
#Date: Sept 20 2011
#Author: otoy
#Version: 3.3
#Tested on: Windows XP SP3
#CVE : -
#EDB-ID: 17876
#Thanks: cyb3r.anbu, spentera-team, dE-team, offsec, exploit-db, corelanc0d3r
class Metasploit3 'ScriptFTP 3.3 Remote Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in ScriptFTP 3.3 ftp client. The overflow is
triggered when the client connects to a FTP server which sends an overly long directory
and filename in response to a GETLIST command.
This will cause an access violation, and will eventually overwrite the saved extended
instruction pointer.
},
'Author' =>
[
'modpr0be', # Original bug
'Cyberheb', # porting from poc to msf
'Otoy', #
```
Exploit-DB · exploitdb · 2011-09-20
ScriptFTP 3.3 - Remote Buffer Overflow (LIST) (1)
---
```python
# Exploit Title: ScriptFTP
#
# Yes, this poc is using PASSIVE connection and it will
# take some time to establish. I love the way we wait for a shell ;)
#!/usr/bin/python
import socket
import os
import sys
import time
class ftp_server:
    def __init__(self):
        self.host = '0.0.0.0'
        self.passive_port = 7214
        self.log("""
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC
[*] by modpr0be[at]digital-echidna[dot]org
[*] thanks a lot to cyb3r.anbu | otoy :)
[*] Evil FTP Server Ready""")
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(('', 21))
        self.sock.listen(1)
        a = self.passive_port/256
        b = self.passive_port%256
        self.tuple_port = (a, b)
        self.host_join = ','.join(self.host.split('.'))
        self.passive = False
        self.lo
```
Metasploit · metasploit
ScriptFTP LIST Remote Buffer Overflow
AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow vulnerability that is triggered when processing a sufficiently long filename during an FTP LIST command, resulting in overwriting the exception handler. Social engineering of executing a specially crafted ftp file by double click will result in connecting to our malicious server and performing arbitrary code execution, which allows the attacker to gain the same rights as the user running ScriptFTP. This vulnerability affects versions 3.3 and earlier.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/46099
- http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/
- http://www.exploit-db.com/exploits/17876
- http://www.kb.cert.org/vuls/id/440219
- http://www.securityfocus.com/bid/49707
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69962