cbcvebase.
CVE-2011-3976
published 2011-10-04

Priority: P3 (49) · Severity: medium · CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 30.59% (98.0th percentile)
Stack-based buffer overflow in AmmSoft ScriptFTP 3.3 allows remote FTP servers to execute arbitrary code via a long filename in a response to a LIST command, as demonstrated using (1) GETLIST or (2) GETFILE in a ScriptFTP script.

Affected (1 range)

Vendor     Product     Version range   Fixed in
ammsoft    scriptftp   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • command: LIST (FTP command triggering the overflow via a long filename in the response)
  • other: Egghunter tag 0t0t / cure
  • other: Egghunter tag cure (Metasploit module)
  • other: Malicious FTP LIST response pattern: -rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <1746+ byte filename>.txt
  • other: Malicious FTP LIST response pattern (POC): -rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 <crash buffer>.txt
  • bytes: \x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35
  • bytes: \x61 (nseh) + \xd6\x41 (ret) for Windows XP SP3 / Windows Vista
  • bytes: \x45\x5B (SEH overwrite / PPR gadget in scriptftp.exe)
  • bytes: nseh = \x61\x62
  • Detect ScriptFTP client connecting to a rogue FTP server: watch for FTP LIST responses containing filenames exceeding 1746 bytes, which is the overflow offset for ScriptFTP 3.3.
  • The exploit overwrites the SEH chain; look for SEH-based exception handler overwrites in ScriptFTP process memory (scriptftp.exe) with values 0x5B45 (\x45\x5B) or 0x41D6 (\xd6\x41).
  • The Metasploit module uses AlphanumMixed encoding with BufferRegister=EDI or EDX; detect alphanumeric shellcode in FTP data channel traffic following an oversized LIST response.
  • The attack requires social engineering: a victim double-clicks a specially crafted .ftp script file, which causes ScriptFTP to connect to the attacker's FTP server. Monitor for ScriptFTP launching and immediately connecting to external/unknown FTP servers.
  • The getpc stub bytes \x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35 appear in the exploit payload before the egghunter; use this as a byte-level signature in network or memory scanning.
  • The OSVDB reference 75633 and exploit-db reference 17876 can be used to correlate threat intelligence for this vulnerability in SIEM/TIP platforms.
  • The SEH overwrite offset of 1746 bytes and RET gadget addresses are specific to ScriptFTP version 3.3 (File version=Build 3/9/2009); different builds may have different offsets.
  • The exploit uses a passive FTP data connection for delivery; active-mode FTP environments or strict firewall rules on data channels may prevent exploitation.
  • Bad characters for payload encoding are \x00\xff\x0d\x5c\x2f\x0a (Metasploit module) or \x00\x01-\x09\x0a\x0d\x2F\x5c\x3c\x3e\x5e\x7e (POC); signatures based on raw shellcode bytes may miss encoded variants.
  • The vulnerability affects ScriptFTP versions 3.3 and earlier; patched or newer versions are not affected.
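As an added example (not code from this page's sources, the Metasploit module or the PoC), the following Python detector applies the two network-side signals listed above to a raw FTP LIST response captured from the data channel: it parses each Unix-style LIST line, flags any filename field longer than the 1746-byte overflow offset, and scans for the getpc stub bytes as a byte-level signature. The 1746-byte threshold and the stub bytes are taken from the entries above; the regex, function names and the three sample LIST lines are constructed here for illustration.

```python
import re

# Overflow offset reported for ScriptFTP 3.3 in the advisory above (bytes of filename).
MAX_SAFE_FILENAME = 1746

# getpc stub bytes quoted in the advisory; used here purely as a detection signature.
GETPC_STUB = b"\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"

# Unix-style LIST line: perms links owner group size month day year-or-time name
# (constructed regex; real servers vary, so unparsable lines are handled separately).
LIST_RE = re.compile(
    rb"^(?P<perms>[-dlrwxsStT]{10})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    rb"\S+\s+\d{1,2}\s+\S+\s+(?P<name>.+)$"
)


def parse_list_line(line: bytes):
    """Parse one LIST line; return a dict or None if it is not Unix-style."""
    m = LIST_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    return {"perms": m["perms"], "size": int(m["size"]), "name": m["name"]}


def inspect_list_response(data: bytes):
    """Return (line_number, finding, detail) tuples for a raw LIST response.

    Findings:
      oversized-filename        filename field exceeds MAX_SAFE_FILENAME bytes
      oversized-unparsable-line line did not parse but is itself over the threshold
      getpc-stub-signature      GETPC_STUB found in the line (detail = byte offset)
    """
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), 1):
        if not line.strip():
            continue
        entry = parse_list_line(line)
        if entry is None:
            # "total N" headers and exotic formats land here; only flag if huge.
            if len(line) > MAX_SAFE_FILENAME:
                findings.append((lineno, "oversized-unparsable-line", len(line)))
        elif len(entry["name"]) > MAX_SAFE_FILENAME:
            findings.append((lineno, "oversized-filename", len(entry["name"])))
        if GETPC_STUB in line:
            findings.append((lineno, "getpc-stub-signature", line.find(GETPC_STUB)))
    return findings


# Constructed sample response: one benign entry, one with a filename past the
# overflow offset, and one short entry carrying the stub bytes in its name.
LIST_PREFIX = b"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 "
BENIGN_LINE = LIST_PREFIX + b"readme.txt"
OVERSIZED_LINE = LIST_PREFIX + b"A" * 1800 + b".txt"
STUB_LINE = LIST_PREFIX + b"B" * 100 + GETPC_STUB + b".txt"
SAMPLE_RESPONSE = b"\r\n".join([BENIGN_LINE, OVERSIZED_LINE, STUB_LINE]) + b"\r\n"

if __name__ == "__main__":
    for lineno, finding, detail in inspect_list_response(SAMPLE_RESPONSE):
        print(f"line {lineno}: {finding} ({detail})")
```

The length check is the more robust of the two signals: the bad-character lists above show that payloads are encoded, so the raw stub bytes may be absent in a given sample, whereas any successful trigger of this bug still needs a filename field past the 1746-byte offset on the wire.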